Caching Keycloak responses question

[ppapryczka]

Hi! :)
I have problem with caching Keycloak token responses, I use similar code to one presented in following issue: open-policy-agent/opa#4960.

I use the newest OPA version 0.55 and I still have a lot of requests to Keycloak and it seems to now work in my case. I found another issue which may be related to my problem: open-policy-agent/opa#2841

From response I have following headers:

{
   "cache-control":[
      "no-store"
   ],
   "content-length":[
      "3749"
   ],
   "content-type":[
      "application/json"
   ],
   "pragma":[
      "no-cache"
   ],
   "referrer-policy":[
      "no-referrer"
   ],
   "set-cookie":[
      "KEYCLOAK_LOCALE=; Version=1; Comment=Expiring cookie; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=XXX; Secure; HttpOnly",
      "KC_RESTART=; Version=1; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Max-Age=0; Path=XXX; Secure; HttpOnly",
      "SERVERID=YYY; path=/"
   ],
   "strict-transport-security":[
      "max-age=31536000; includeSubDomains"
   ],
   "x-content-type-options":[
      "nosniff"
   ],
   "x-frame-options":[
      "SAMEORIGIN"
   ],
   "x-xss-protection":[
      "1; mode=block"
   ]
}

Is there are still some problems with caching such responses with cach-control: no-store even if force_cache: true is set?

[anderseknert]

Not that I'm aware of. Could you please provide a snippet for the full http.send request?

Are you running OPA as a server or integrating via the Go API?

[ppapryczka]

Yeah, sure - this is snippet:

    response := http.send({
        "url": sprintf("%v/protocol/openid-connect/token", [<ISSUER>]),
        "method": "POST",
        "headers": {
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": concat(" ", [
                "Basic",
                base64.encode(sprintf("%v:%v", ["client", <CLIENT_SECRET>]))
            ]),
        },
        "raw_body": sprintf("username=%v&grant_type=password&scope=openid", [urlquery.encode(<USERNAME>)]),
        "force_cache": true,
        "force_cache_duration_seconds": 300,
    })

    response.status_code == 200
    [_, payload, _] := io.jwt.decode(response.body.access_token)

This code make request for Keycloak token of user. I want to create some OPA access rules based on roles etc. in such JWT token. My approach is to get token "inside" OPA and cache it so I don't have to make request to Keycloak each time user make request :)

I'm running OPA server with envoy and REST API as backend.

[anderseknert]

Thanks! Nothing that looks suspect to me. I've never seen it used with the resource owner password flow before, but unless there's anything that changes in the request between invocations, it should be cached. If you're not seeing it cached, I'd first make sure that there aren't any changes between the requests. Next, how do you verify it's not caching? Logs from KeyCloak?

[ppapryczka]

Yes, exactly I look at Keycloak login logs. There is any option to debug cache values? Maybe I'm missing something :)

[anderseknert]

Not really :/ I would perhaps try and rule out as many things as possible, and then gradually get closer to what you actually need. I.e. start calling a static page with as few options as possible to see if it's cached, then move on to use the most simple of client_credentials call to keycloak, etc...

[pawelmarkowski]

@anderseknert - The issue has been identified and related to version 0.55, but it has been effectively resolved via an upgrade to version 0.56 (we are performing the tests). There was missing a date header and our first impression is that it works.

[anderseknert]

Thanks for following up! 👍

[ppapryczka]

After tests we see that Keycloak responses are cached in version 0.56 :)