Performance of /oauth/token endpoint

Hi UAA team 😃

What version of UAA are you running?

version: 4.20.0

How are you deploying the UAA?

locally only using gradlew (osx, 2,6 GHz Intel Core i7)


Because I wanted to check what UAA's limit of token generation is, I ran small performance tests, a simple wrk call on /oauth/token - nothing fancy. The result was not splendid, so I checked what UAA spends its CPU time on: I attached async-profiler and this is the output

[screenshot, 2019-01-02 20:35:24]

UAA is spending more than 50% of the time in

I made a small experiment and added a simple “cache” to that class (just a ConcurrentHashMap) that holds the result of

// One JDBC lookup per call; this is the result the experiment cached
ClientDetails details;
try {
    details = jdbcTemplate.queryForObject(selectClientDetailsSql, new ClientDetailsRowMapper(), clientId, zoneId);
} catch (EmptyResultDataAccessException e) {
    throw new NoSuchClientException("No client with requested id: " + clientId);
}

and with that piece of code included, UAA behaves a bit better on that path:

[screenshot, 2019-01-02 20:42:30]

only key signing (here 2048 bits) and some fasterxml stuff.

Here I uploaded the original SVG files (GitHub doesn’t allow uploading SVG files in an issue): before: after:


Is it possible to add some caching on the MultitenantJdbcClientDetailsService layer? Does it make sense from a security point of view (or just any point of view 😄) to cache ClientDetails in memory (it can be cached on each instance without any sharing, like Redis or Memcached)?

Thanks!

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 8 (6 by maintainers)

Top GitHub Comments

mwdb commented, May 23, 2020

@shamus This is an issue in UAA that deserves to be fixed. Instead of two DB requests, UAA is at 14. This considerably costs performance and limits scaling.

Requesting to reopen it.

mwdb commented, Jan 2, 2019

We have been looking into the topic of caching also. Our observations are:

  • Issuing a client credential token requires 14 calls to the database, touching the identity_zone and oauth_client_details tables. Details are:
      • 4 calls for identity_zone by id
      • 2 calls for identity_zone by subdomain
      • 8 calls to oauth_client_details by client_id and identity_zone_id

The simplest cache would be to have a request level cache, which avoids redundant calls for the same data. This would already take it from 14 calls to the database to 3.

  • For user-based tokens like the password grant token, numbers are worse: roughly 54 calls. Details are:
      • 20 calls to group_membership
      • 10 calls to oauth_client_details
      • 9 calls to users
      • 15 calls to identity_zone

Similarly, with a request level cache this could be reduced to ~ 6 calls.

Caching can be implemented using the Spring cache mechanisms. Concerning the cache implementations, I see the following requirements:

  • The cache returns a copy of the cached object to avoid modifications of cached objects
  • Within processing a single request, changes to persistent data can be ignored
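
A request-level cache that meets the two requirements listed above, as an added Java example (not UAA's code and not written by anyone in this thread). `Client`, `RequestCache`, the loader and the sample data are constructed stand-ins; the cache is keyed on zone plus client id because the query in the issue takes both.

```java
import java.util.*;
import java.util.function.BiFunction;
public class RequestCacheDemo {
    /** Constructed stand-in for UAA's ClientDetails (assumption, not UAA's class). */
    static final class Client {
        final String clientId;
        final Set<String> scopes;
        Client(String clientId, Set<String> scopes) {
            this.clientId = clientId;
            this.scopes = new HashSet<>(scopes);   // each instance owns its set
        }
    }

    /** One instance per request; discarded when the request ends. */
    static final class RequestCache {
        private final Map<List<String>, Client> entries = new HashMap<>();
        private final BiFunction<String, String, Client> loader;
        RequestCache(BiFunction<String, String, Client> loader) { this.loader = loader; }

        Client load(String clientId, String zoneId) {
            // Key on zone and client id so tenants never share an entry.
            // A loader exception (unknown client) propagates and caches nothing.
            Client c = entries.computeIfAbsent(List.of(zoneId, clientId),
                    k -> loader.apply(clientId, zoneId));
            return new Client(c.clientId, c.scopes);   // defensive copy for the caller
        }
    }

    public static void main(String[] args) {
        int[] dbCalls = {0};
        Map<String, Set<String>> table = new HashMap<>();   // constructed sample data
        table.put("uaa/app", Set.of("uaa.resource"));
        BiFunction<String, String, Client> db = (id, zone) -> {   // stands in for the JDBC query
            dbCalls[0]++;
            Set<String> scopes = table.get(zone + "/" + id);
            if (scopes == null) throw new NoSuchElementException("No client with requested id: " + id);
            return new Client(id, scopes);
        };
        RequestCache first = new RequestCache(db);
        for (int i = 0; i < 8; i++) first.load("app", "uaa");   // 8 lookups within one request
        first.load("app", "uaa").scopes.add("uaa.admin");        // caller mutates only its copy
        System.out.println("db calls: " + dbCalls[0]
                + ", cached scopes: " + first.load("app", "uaa").scopes);

        table.remove("uaa/app");                                  // client deleted between requests
        try { new RequestCache(db).load("app", "uaa"); }
        catch (NoSuchElementException e) { System.out.println("next request: " + e.getMessage()); }
    }
}
```

Because the cache lives only as long as one request, a client that is deleted or changed is seen by the very next request, whereas a process-wide map keeps serving the old entry until it is evicted.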