Commit c35b40a

provide some documentation about caches
see #407

Signed-off-by: Stefan Bodewig <[email protected]>
1 parent 2680c96 commit c35b40a

1 file changed

+33
-0
lines changed

README.md

Lines changed: 33 additions & 0 deletions
@@ -299,6 +299,39 @@ local res, err, target, session = require("resty.openidc").authenticate(opts)
299299
session:close()
300300
```
301301

302+
## Caching
303+
304+
lua-resty-openidc can use [shared memory
305+
caches](https://github.com/openresty/lua-nginx-module/#lua_shared_dict)
306+
for several things. If you want it to use the caches, you must use
307+
`lua_shared_dict` in your `nginx.conf` file.
308+
309+
Currently up to four caches are used
310+
311+
* the cache named `discovery` stores the OpenID Connect Disovery
312+
metadata of your OpenID Connect Provider. Cache items expire after
313+
24 hours unless overriden by `opts.discovery_expires_in` (a value
314+
given in seconds) . This cache will store one item per issuer URI
315+
and you can look up the discovery document yourself to get an
316+
estimate for the size required - usually a few kB per OpenID Connect
317+
Provider.
318+
* the cache named `jwks` stores the key material of your OpenID
319+
Connect Provider if it is provided via the JWKS endpoint. Cache
320+
items expire after 24 hours unless overriden by
321+
`opts.jwks_expires_in`. This cache will store one item per JWKS URI
322+
and you can look up the jwks yourself to get an estimate for the
323+
size required - usually a few kB per OpenID Connect Provider.
324+
* the cache named `introspection` stores the result of OAuth2 token
325+
introspection. Cache items expire when the corresponding token
326+
expires. Tokens with unknown expiry are not cached at all. This
327+
cache will contain one entry per introspected access token - usually
328+
this will be a few kB per token.
329+
* the cache named `jwt_verification` stores the result of JWT
330+
verification. Cache items expire when the corresponding token
331+
expires. Tokens with unknown expiry are not cached for two
332+
minutes. This cache will contain one entry per verified JWT -
333+
usually this will be a few kB per token.
334+
302335
## Caching of Introspection and JWT Verification Results
303336

304337
Note the `jwt_verification` and `introspection` caches are shared
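
Review bot: In the `jwt_verification` bullet, "Tokens with unknown expiry are not cached for two minutes" is ambiguous next to the `introspection` bullet's "not cached at all". Anyone sizing the cache or reasoning about how long a verification result stays trusted needs to know which behaviour applies; if the intent is that such tokens are cached for two minutes, drop the "not". Smaller points in the same hunk: "Disovery" and "overriden" are misspelled, there is a stray space in "(a value given in seconds) .", `opts.jwks_expires_in` does not state its unit the way `opts.discovery_expires_in` does, and "Currently up to four caches are used" should end with a colon before the list. The section says `lua_shared_dict` must be set in `nginx.conf` but shows no sample declaration; a short snippet declaring the four named dictionaries would make the section usable as written.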
