Fix performance issue with external identity provider lookup [OIDC]

[strehle]

What version of UAA are you running?

Develop, latest UAA

What output do you see from curl <YOUR_UAA>/info -H'Accept: application/json'?

How are you deploying the UAA?

I am deploying the UAA

• locally only using gradlew
• using a bosh release I downloaded from bosh.io
• using cf-release
• using cf-deployment

What did you do?

1. Add many external SAML or OIDC to an identity zone ( > 10.000)
2. Perform a SAML / OIDC login
3. Check login times / DB metrics

What did you expect to see? What goal are you trying to achieve with the UAA?

Login < 1s , without memory and/or DB issues

What did you see instead?

With SAML there are memory issues, with OIDC mainly DB issues.
Why:

• SAML delegates the lookup from entiyID (external key or the SAML assertion) to spring-security-saml and in UAA there is a cache but if there are many entries there is a memory problem, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/saml/LoginSamlAuthenticationProvider.java#L129 reads all saml providers from DB and resolves then the needed one from SAML message (entityID)

• OIDC similar readAll and filter in code, e.g. https://github.com/cloudfoundry/uaa/blob/develop/server/src/main/java/org/cloudfoundry/identity/uaa/provider/oauth/ExternalOAuthProviderConfigurator.java#L153-L158

This readALL pattern should be prevented and identy_provider DB should have a field like external_key (type string) with an index on it. This should solve the lookup from external token to UAA IdP.
External_key should contain entityID in case of SAML and issuer in case of OIDC/OAUTH

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/187412158

The labels on this github issue will be updated when the story is started.