[KEYCLOAK-7952] Decision Cache Created: 27/Jul/18 Updated: 16/Oct/18
|Status:||Pull Request Sent|
|Reporter:||Pedro Igor||Assignee:||Michal Hajas|
|Remaining Estimate:||Not Specified|
|Time Spent:||Not Specified|
|Original Estimate:||Not Specified|
|Epic Link:||Supported Authorization Services|
|Sprint:||Keycloak Sprint 10, Keycloak Sprint 13, Keycloak Sprint 14|
|Docs QE Status:||NEW|
To provide better performance, we could support different layers of cache in order to quickly map past decisions with new authorization requests arriving at the server.
I can think of two main cache strategies:
Permission Cache is a cache that is able to map previously granted permissions to new authorization requests as follows:
This caching layer in certain cases could completely bypass the evaluation and just resolve permissions from the cache.
The Policy Decision Cache is a cache in front of each policy provider. Each provider should be able to map previous decisions to new evaluations. For instance, a cache in front of resource permissions could use the token representing the identity to remember decisions, similar to Permission Cache.
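A sketch of a Policy Decision Cache keyed by the token, as an added example that is not Keycloak code and is not taken from this issue. All names are hypothetical, and three behaviours are assumptions this example makes: the key is the token id plus resource plus scopes, an entry never outlives the token, and any policy change clears the cache.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

@dataclass(frozen=True)
class Token:
    jti: str      # token id, stands in for "the token representing the identity"
    subject: str
    exp: float    # expiry, seconds since epoch

Key = Tuple[str, str, FrozenSet[str]]
Policy = Callable[[Token, str, FrozenSet[str]], bool]

class PolicyDecisionCache:
    """Remembers the decisions of the one policy provider it sits in front of."""

    def __init__(self, evaluate: Policy, max_age: float = 60.0,
                 clock: Callable[[], float] = time.time):
        self._evaluate, self._max_age, self._clock = evaluate, max_age, clock
        self._entries: Dict[Key, Tuple[bool, float]] = {}
        self.evaluations = 0  # how often the real provider was consulted

    def policies_changed(self) -> None:
        # Assumption: any policy edit makes every remembered decision suspect.
        self._entries.clear()

    def decide(self, token: Token, resource: str, scopes: Iterable[str]) -> bool:
        now = self._clock()
        if token.exp <= now:
            return False  # never answer for an expired token, cached or not
        key = (token.jti, resource, frozenset(scopes))
        hit = self._entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        self.evaluations += 1
        decision = self._evaluate(token, resource, key[2])
        # A remembered decision must not outlive the token it was made for.
        self._entries[key] = (decision, min(token.exp, now + self._max_age))
        return decision

def demo() -> Tuple[bool, bool, int]:
    # Constructed policy and token, for illustration only.
    owner_only: Policy = lambda tok, res, sc: res == f"album:{tok.subject}"
    cache = PolicyDecisionCache(owner_only)
    tok = Token(jti="jti-1", subject="alice", exp=time.time() + 300)
    first = cache.decide(tok, "album:alice", ["view"])
    second = cache.decide(tok, "album:alice", ["view"])  # served from cache
    return first, second, cache.evaluations

if __name__ == "__main__":
    print(demo())
```

Denials are cached as well as grants, so a revoked permission stays visible to callers only until `policies_changed()` runs or the entry ages out.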