Scalable OAuth 2.0 clients
Deployments that have a high number of OAuth 2.0 clients can typically lead to out-of-memory issues. To register and manage clients in a scalable way and reduce the impact on system performance, configure AM to support scalable clients and use the /realm-config/agents/OAuth2Client endpoint to filter query results.
|
Enable scalable clients
Before you create a high number of clients, configure AM for scalable clients:
-
Add the advanced server property
org.forgerock.am.scalableAgents.enabledand set totrue.How do I configure advanced server properties?
-
In the AM admin UI:
-
To configure properties for all instances of the AM environment, go to Configure > Server Defaults > Advanced.
-
To configure properties for a particular instance, go to Deployment > Servers > Server Name > Advanced.
-
-
Configure the properties:
-
To add a property, scroll to the end of the page and enter a property name and value in the text fields. Click add ().
-
To edit an existing property, find the property and click the pencil () button. When you are finished, click the tick () button.
-
-
Save your changes.
-
-
Save your changes. There is no need to restart AM.
Optimise searching
To optimise filtered queries that are performed directly in DS, apply the following indexes to prevent unindexed searches:
-
For queries that filter on ID, add an equality index and a substring index for the
ouattribute. For example:dsconfig delete-backend-index \ --backend-name cfgStore \ --index-name ou \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --trustAll \ --no-prompt; dsconfig create-backend-index \ --backend-name cfgStore \ --index-name ou \ --set index-type:equality \ --set index-type:substring \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --trustAll \ --no-prompt; -
For queries that filter on client attributes, add an equality index and a substring index for the
sunKeyValueattribute. For example:dsconfig create-backend-index \ --backend-name cfgStore \ --index-name sunKeyValue \ --set index-type:equality \ --set index-type:substring \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword: password \ --trustAll \ --no-prompt; -
For queries that filter on client type, add a big equality index for the
sunserviceIDattribute. For example:dsconfig create-backend-index \ --backend-name cfgStore \ --index-name sunserviceID \ --set index-type:big-equality \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --trustAll \ --no-prompt; -
After you have applied the indexes, rebuild the indexes. For example:
rebuild-index \ --rebuildAll \ --baseDN ou=am-config \ --hostname localhost \ --port 4444 \ --bindDn uid=admin \ --bindPassword password \ --trustAll \ --no-prompt;
Filter and page client searches
When you have enabled scalable clients, you can use this endpoint to query clients and return filtered and paged results.
To filter searches, use the _queryFilter parameter with a JSON pointer to narrow results.
For example, to return all clients with an ID that contains 5256:
$ curl \
--request GET \
--header "Accept-API-Version: resource=2.0" \
--header "iplanetDirectoryPro: AQIC5wM…3MTYxOA..*" \
"https://openam.example.com:8443/openam/json/realms/root/realm-config/agents/OAuth2Client?_queryFilter=_id+co+5256&_pageSize=10"|
To update a particular client in the AM admin UI:
|
|
Learn more about filtering query requests in the REST API. |
Querying large numbers of clients returns the first 1000 results. To return all results, specify the _pagedResultsCookie parameter to use a cookie to page through the results:
-
Perform an initial query with
_pageSize=10to retrieve the cookie (pagedResultsCookie).The resource version must be set as
2.0in the header.For example:
$ curl \ --request GET \ --header "Accept-API-Version: resource=2.0" \ --header "iplanetDirectoryPro: AQIC5wM…3MTYxOA..*" \ "https://openam.example.com:8443/openam/json/realms/root/realm-config/agents/OAuth2Client?_queryFilter=true&_pageSize=10" { "result": [ … ], "resultCount": 10, "pagedResultsCookie": "eyAiZGVmY…QiIHB", "totalPagedResultsPolicy": "ESTIMATE", "totalPagedResults": "500000", "remainingPagedResults": -1 }The results include an estimated number of results.
-
Now you can specify the cookie as a parameter to page through the results:
$ curl \ --request GET \ --header "Accept-API-Version: resource=2.0" \ --header "iplanetDirectoryPro: AQIC5wM…3MTYxOA..*" \ "https://openam.example.com:8443/openam/json/realms/root/realm-config/agents/OAuth2Client?_pagedResultsCookie=eyAiZGVmY…QiIHB_queryFilter=true&_pageSize=10" { "result": [ … ], "resultCount": 10, "pagedResultsCookie": "eyAiZGVmY…QiIHB", "totalPagedResultsPolicy": "ESTIMATE", "totalPagedResults": "500000", "remainingPagedResults": -1 } -
Continue paging through results until
pagedResultsCookieis null, indicating the end of the response.
Advanced settings
The following table describes advanced properties for scalable clients. Only update these settings if you are advised to fine-tune performance.
| Advanced server property | Description | Default value |
|---|---|---|
|
Limit the number of results returned when searching for clients using the REST API (UI). |
|
|
Sets a timeout for long-running searches. |
|
|
Limits the number of cached clients. Clients are cached when created or subsequently read. |
|
|
Sets the amount of time to keep clients in the cache. |
|