Speakers
Description
INDIGO IAM is a central Identity and Access Management service for distributed research infrastructures, supporting authentication and authorization at scale. As the number of relying services and users continues to grow, improving the performance and efficiency of IAM operations has become a key objective. One of the most significant performance bottlenecks identified in the current architecture is the persistence of OAuth2 access tokens in the database.
The storage of access tokens - originally introduced for auditing, revocation support, and compatibility with the underlying MITREid Connect library - adds notable overhead to authentication workflows. Each token issuance, refresh or validation requires multiple database operations, which increases latency under load and limits horizontal scalability. In large federated environments, these effects are amplified, particularly during peak authentication periods or when short-lived tokens are used.
To address this issue, INDIGO IAM is transitioning to a token model that no longer requires access tokens to be stored in the database. In the new architecture, access tokens are self-contained and stateless, and their validity is checked by verifying their signature upon each use. Only revoked tokens are persisted in the database, significantly reducing write operations. Additionally, access-token validation results are cached to avoid repeated signature checks for tokens already verified, further reducing computational overhead.
This contribution presents a performance comparison between database-backed and stateless access tokens, using benchmark results collected via load tests and through integration with OpenTelemetry, highlighting the impact on latency and throughput.
The contribution will also discuss the implications for security, revocation and future optimizations in token handling within INDIGO IAM.