fixes #97 update openapi-security.yml to add jwtCacheFullSize (#98)

stevehu · web-flow · commit d6e9e8abae94 · 2022-12-08T11:21:09.000-05:00
diff --git a/graphql-security/src/main/resources/config/graphql-security.yml b/graphql-security/src/main/resources/config/graphql-security.yml
@@ -41,9 +41,20 @@ logJwtToken: ${graphql-security.logJwtToken:true}
 logClientUserScope: ${graphql-security.logClientUserScope:false}
 
 # Enable JWT token cache to speed up verification. This will only verify expired time
-# and skip the signature verification as it takes more CPU power and long time.
+# and skip the signature verification as it takes more CPU power and a long time. If
+# each request has a different jwt token, like authorization code flow, this indicator
+# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
+# and the cache can grow bigger if the number of requests is very high. This will cause
+# memory kill in a Kubernetes pod if the memory setting is limited.
 enableJwtCache: ${graphql-security.enableJwtCache:true}
 
+# If enableJwtCache is true, then an error message will be shown up in the log if the
+# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
+# cache problem if many distinct tokens flood the cache in a short period of time. If
+# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
+# or increase the cache full size to a bigger number from the default 100.
+jwtCacheFullSize: ${graphql-security.jwtCacheFullSize:100}
+
 # If you are using light-oauth2, then you don't need to have oauth subfolder for public
 # key certificate to verify JWT token, the key will be retrieved from key endpoint once
 # the first token is arrived. Default to false for dev environment without oauth2 server
diff --git a/graphql-security/src/test/resources/config/graphql-security.yml b/graphql-security/src/test/resources/config/graphql-security.yml
@@ -41,9 +41,20 @@ logJwtToken: ${graphql-security.logJwtToken:true}
 logClientUserScope: ${graphql-security.logClientUserScope:false}
 
 # Enable JWT token cache to speed up verification. This will only verify expired time
-# and skip the signature verification as it takes more CPU power and long time.
+# and skip the signature verification as it takes more CPU power and a long time. If
+# each request has a different jwt token, like authorization code flow, this indicator
+# should be turned off. Otherwise, the cached jwt will only be removed after 15 minutes
+# and the cache can grow bigger if the number of requests is very high. This will cause
+# memory kill in a Kubernetes pod if the memory setting is limited.
 enableJwtCache: ${graphql-security.enableJwtCache:true}
 
+# If enableJwtCache is true, then an error message will be shown up in the log if the
+# cache size is bigger than the jwtCacheFullSize. This helps the developers to detect
+# cache problem if many distinct tokens flood the cache in a short period of time. If
+# you see JWT cache exceeds the size limit in logs, you need to turn off the enableJwtCache
+# or increase the cache full size to a bigger number from the default 100.
+jwtCacheFullSize: ${graphql-security.jwtCacheFullSize:100}
+
 # If you are using light-oauth2, then you don't need to have oauth subfolder for public
 # key certificate to verify JWT token, the key will be retrieved from key endpoint once
 # the first token is arrived. Default to false for dev environment without oauth2 server
