
Optimizations for OIDC in FaaS environments

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Unknown
    • Component/s: Authentication, FaaS

      Summary

      The current MONGODB-OIDC authentication mechanism (DRIVERS-2672) can be improved to work better in FaaS environments.

      Always Use Speculative Authentication (for Machine Auth)

      The current MONGODB-OIDC auth mechanism only uses speculative authentication when the Client has a cached access token. That design decision was made to simplify the implementation of the MONGODB-OIDC auth mechanism. For steady-state applications, that adds an extra round-trip to the first connection authenticated, but we expect to have a cached access token for almost all subsequent connections. However, in FaaS environments the "cold start" case may be more common, which currently requires 1 extra round trip to authenticate a new connection (because there is no cached access token), slowing "cold start" time.

      Access Token Cache Expiry

      The current MONGODB-OIDC auth mechanism provides the ability to collect access token expiry durations using the built-in provider integrations or the callback system. However, we intentionally ignore the cache expiry information right now to simplify implementing the connection reauthentication mechanism in drivers. For steady-state applications, detecting access token expiry client-side has little benefit because the server will tell the driver when the access token is expired, requiring about 1 extra round trip per access token lifetime (typically on the order of hours). But in FaaS environments, there may be a higher probability that the application is paused for long periods of time and wakes up with an expired cached access token and no active connections. In that case, the auth failure fallback process may add 2 extra round trips to authenticate a new connection, significantly slowing wakeup time.

      Motivation

      Who is the affected end user?

      Users who use the MONGODB-OIDC auth mechanism in a FaaS environment.

      How does this affect the end user?

      It may take a long time to complete the first operation in the "cold start" or initial wake-up cases when MONGODB-OIDC auth is used (2x-3x longer than with password auth).

      Their FaaS application may have performance issues under some circumstances.

      How likely is it that this problem or use case will occur?

      It will occur with FaaS applications that "cold start" application instances frequently or have application instances that are paused for long periods of time (1 hour or more).

      If the problem does occur, what are the consequences and how severe are they?

      Customer applications deployed in FaaS environments could have poor or erratic performance, which could cause a bad experience for their customers.

      Is this issue urgent?

      No.

      Is this ticket required by a downstream team?

      No.

      Is this ticket only for tests?

      No.

      Acceptance Criteria

      Investigations:

      • The performance issues described in this ticket are theoretical and have not been directly observed. Before making the proposed optimizations, we should first try to reproduce the "cold start" and long-pause cases and measure the impact of using MONGODB-OIDC vs password auth.

      Optimizations:

      • Always use speculative authentication for machine-to-machine OIDC auth.
      • Remove access tokens from the OIDC token caches when they are expired.
      • For built-in OIDC provider integrations that do not directly provide expiry durations (e.g. AWS built-in), set a default expiry duration that is less than the documented token expiry.
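The following is an added example, not MongoDB driver code, that models the two optimizations listed above together with the "cold start" and long-pause cases from the Summary. It has a single-entry token cache that can either ignore expiry (current behaviour) or evict expired tokens client-side and apply a default lifetime when a provider reports none (proposed behaviour), plus a connection-setup policy that either speculates only with a cached token or always speculates. The round-trip counts for the current behaviour are the ones stated in this ticket; the counts for the proposed behaviour, the `default_ttl` setting, and all token values and lifetimes are this model's own assumptions and constructed inputs.

```python
"""Model of the MONGODB-OIDC optimizations proposed in this ticket.

Added example, not driver code. Current-behaviour round-trip counts come
from the ticket; the proposed-behaviour counts assume a speculative attempt
carrying a freshly fetched token succeeds on the initial hello.
"""
from dataclasses import dataclass
from typing import Optional


class FakeClock:
    """Controllable clock so expiry can be tested without sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class CachedToken:
    value: str
    expires_at: float  # absolute time on the clock; float("inf") = unknown


class OidcTokenCache:
    """Single-entry access token cache.

    honor_expiry=False reproduces the current behaviour (expiry collected
    but ignored); honor_expiry=True is the proposed behaviour. default_ttl
    is a hypothetical setting for providers that report no expiry duration.
    """

    def __init__(self, clock: FakeClock, honor_expiry: bool,
                 default_ttl: Optional[float] = None) -> None:
        self._clock = clock
        self._honor_expiry = honor_expiry
        self._default_ttl = default_ttl
        self._entry: Optional[CachedToken] = None

    def put(self, value: str, expires_in: Optional[float]) -> None:
        ttl = expires_in if expires_in is not None else self._default_ttl
        expires_at = self._clock.now + ttl if ttl is not None else float("inf")
        self._entry = CachedToken(value, expires_at)

    def get(self) -> Optional[str]:
        if self._entry is None:
            return None
        if self._honor_expiry and self._entry.expires_at <= self._clock.now:
            self._entry = None  # proposed: drop the token before the server rejects it
            return None
        return self._entry.value


def extra_round_trips(cache: OidcTokenCache, always_speculate: bool,
                      server_rejects_cached: bool) -> int:
    """Server round trips beyond the initial hello for one new connection."""
    if cache.get() is not None:
        # Speculative auth with the cached token rides on the hello. If the
        # server finds the token expired, the ticket puts the fallback at
        # 2 extra round trips.
        return 2 if server_rejects_cached else 0
    if always_speculate:
        # Assumption: the callback runs first, so the fresh token rides on
        # the hello and costs no extra server round trip.
        return 0
    # Current behaviour per the ticket: no cached token costs 1 extra round trip.
    return 1


def simulate(honor_expiry: bool, always_speculate: bool,
             provider_reports_expiry: bool) -> dict:
    """Run the cold-start, warm and long-pause cases under one policy."""
    clock = FakeClock()
    cache = OidcTokenCache(clock, honor_expiry, default_ttl=55 * 60)
    results = {}

    # Cold start: nothing cached yet.
    results["cold_start"] = extra_round_trips(cache, always_speculate, False)

    # Warm: constructed token with a 1 hour lifetime obtained just now.
    cache.put("tok-1", 3600 if provider_reports_expiry else None)
    results["warm"] = extra_round_trips(cache, always_speculate, False)

    # Long pause: the application resumes two hours later.
    clock.advance(2 * 3600)
    stale_still_cached = cache.get() is not None
    results["after_pause"] = extra_round_trips(
        cache, always_speculate, server_rejects_cached=stale_still_cached)
    return results


if __name__ == "__main__":
    print("current :", simulate(False, False, True))
    print("proposed:", simulate(True, True, False))
```

Running the module prints one result set per policy; the third acceptance criterion is why `default_ttl` is needed, since a provider that reports no expiry would otherwise leave a never-evicted token in an expiry-honouring cache.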

            Assignee: Unassigned
            Reporter: Matt Dale (matt.dale@mongodb.com)