[KEYCLOAK-7952] Decision Cache Created: 27/Jul/18  Updated: 12/Nov/18

Status: Pull Request Sent
Project: Keycloak
Component/s: Authorization Services
Affects Version/s: 4.1.0.Final
Fix Version/s: 5.x

Type: Feature Request Priority: Major
Reporter: Pedro Igor Assignee: Michal Hajas
Resolution: Unresolved Votes: 0
Labels: team-cloud
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Sprint: Keycloak Sprint 10, Keycloak Sprint 13
Story Points: 7
Docs QE Status: NEW
QE Status: NEW


To provide better performance, we could support different layers of cache in order to quickly map past decisions with new authorization requests arriving at the server.

I can think of two main cache strategies:

  • Permission Cache
  • Policy Decision Cache

Permission Cache is a cache that is able to map previously granted permissions to new authorization requests as follows:

  • Authorization requests using the same access token or ID token can be mapped to any permissions previously granted. In Keycloak, tokens have a unique id which can be used to do this mapping
  • Based on the permissions previously granted, resolve any permission in the cache that can be mapped to the resources/scopes being requested.
  • Only perform the evaluation on resources that could not be resolved from the cache

This caching layer in certain cases could completely bypass the evaluation and just resolve permissions from the cache.

The Policy Decision Cache is a cache in front of each policy provider. Each provider should be able to map previous decisions to new evaluations. For instance, a cache in front of resource permissions could use the token representing the identity to remember decisions, similar to Permission Cache.

Comment by Pedro Igor [ 23/Oct/18 ]

Michal Hajas, are you OK to postpone this one to 5.x ?

Comment by Michal Hajas [ 24/Oct/18 ]

Pedro Igor Yeah, it works for me.

Comment by Pedro Igor [ 24/Oct/18 ]

Thanks. The reason behind this decision is that we are lacking the bandwidth to work on this as well changes are quite critical at this moment where we are close to deliver RHSSO 7.3.

Generated at Tue Dec 11 00:51:04 EST 2018 using Jira 7.12.1#712002-sha1:609a50578ba6bc73dbf8b05dddd7c04a04b6807c.