Identity Gateway 2024.3

Caches

Session cache

When a user authenticates with AM, this cache stores information about the session. IG can reuse the information without asking AM to verify the session token (SSO token or CDSSO token) for each request.

If WebSocket notifications are enabled, the cache evicts entries based on session notifications from AM, making the cached content more accurate and reliable.

By default, session information isn’t cached. To increase performance, consider enabling and configuring the cache. Find out more from sessionCache in AmService.

Policy cache

When the PolicyEnforcementFilter requests and receives a policy decision from AM, it stores the decision in the policy cache.

When a request matches a cached policy decision, IG can reuse the decision without asking AM for a new decision. When caching is disabled, IG must ask AM to make a decision for each request.

Maximize the cache hit ratio by using RequestResourceUriProvider or ScriptableResourceUriProvider in conjunction with AM policies. The PolicyEnforcementFilter identifies cached policy decisions by the resource URL returned by these URI providers.

Find more information from the resourceUriProvider property of PolicyEnforcementFilter.

If WebSocket notifications are enabled, the cache evicts entries based on policy notifications from AM, making the cached content more accurate and reliable.

By default, policy decisions aren’t cached.

User profile cache

When the UserProfileFilter retrieves user information, it caches it. IG can reuse the cached data without repeatedly querying AM to retrieve it.

By default, profile attributes aren’t cached.

Access token cache

When a user presents an access token to the OAuth2ResourceServerFilter, the access token cache stores the token. IG can reuse the token information without asking the Authorization Server to verify the access token for each request.

By default, access tokens aren’t cached. To increase performance by caching access tokens, consider configuring a cache in one of the following ways:

OpenID Connect user information cache

When a downstream filter or handler needs user information from an OpenID Connect provider, IG fetches it lazily. By default, IG caches the information for 10 minutes to prevent repeated calls over a short time.

Find out more from cacheExpiration in AuthorizationCodeOAuth2ClientFilter.

Cache metrics at the Prometheus Scrape Endpoint

The Prometheus Scrape Endpoint exposes the following meters and metrics:

ig_cache_gets_total

A counter monitoring type, incremented when a cache request hits or misses an entry.

Label      Possible values
content    session, policy_decision, user_profile, access_token
result     hit, miss

Example:

ig_cache_gets_total{content="session",...result="hit",...} 13.0
ig_cache_gets_total{content="session",...,result="miss"...} 1.0
ig_cache_gets_total{content="policy_decision",...,result="hit",...} 5.0
ig_cache_gets_total{content="policy_decision",...,result="miss",...} 2.0

ig_cache_loads

This meter exposes the following metrics:

ig_cache_loads_seconds

A timer monitoring type, measuring the time in seconds spent successfully or unsuccessfully loading entries in the cache.

Label      Possible values
content    session, policy_decision, user_profile, access_token
result     success, failure
quantile   0.5, 0.75, 0.95, 0.98, 0.99, 0.999

Example:

ig_cache_loads_seconds{content="session",...result="success",...quantile="0.5",} 0.057710516
ig_cache_loads_seconds{content="session",...result="success",...quantile="0.75",} 0.057710516
ig_cache_loads_seconds{content="session",...result="success",...quantile="0.95",} 0.057710516
ig_cache_loads_seconds{content="session",...result="success",...quantile="0.98",} 0.057710516
ig_cache_loads_seconds{content="session",...result="success",...quantile="0.99",} 0.057710516
ig_cache_loads_seconds{content="session",...result="success",...quantile="0.999",} 0.057710516

ig_cache_loads_seconds_total

A timer monitoring type, measuring the cumulative time in seconds spent successfully or unsuccessfully loading entries in the cache.

Label      Possible values
content    session, policy_decision, user_profile, access_token
result     success, failure

Example:

ig_cache_loads_seconds_total{content="session",...result="failure",...} 0.0
ig_cache_loads_seconds_total{content="session",...result="success",...} 0.057710516
ig_cache_loads_seconds_total{content="policy_decision",...,result="failure",...} 0.0
ig_cache_loads_seconds_total{content="policy_decision",...,result="success",...} 0.144314803

ig_cache_loads_count

A counter monitoring type, incremented when a cache request successfully or unsuccessfully loads an entry into the cache.

Label      Possible values
content    session, policy_decision, user_profile, access_token
result     success, failure

Example:

ig_cache_loads_count{content="session",...result="failure",...} 0.0
ig_cache_loads_count{content="session",...result="success",...} 1.0
ig_cache_loads_count{content="policy_decision",...,result="failure",...} 0.0
ig_cache_loads_count{content="policy_decision",...,result="success",...} 2.0

ig_cache_evictions

This meter exposes the following metrics:

ig_cache_evictions_count

A counter monitoring type, incremented when an entry is evicted from the cache.

Label      Possible values
content    session, policy_decision, user_profile, access_token
cause      COLLECTED, EXPIRED, EXPLICIT, REPLACED, SIZE

Example:

ig_cache_evictions_count{cause="COLLECTED",content="session",...} 0.0
ig_cache_evictions_total{cause="EXPIRED",content="session",...} 0.0
ig_cache_evictions_count{cause="EXPIRED",content="session",...} 0.0
ig_cache_evictions_total{cause="EXPLICIT",content="session",...} 0.0
ig_cache_evictions_count{cause="EXPLICIT",content="session",...} 0.0
ig_cache_evictions_total{cause="REPLACED",content="session",...} 0.0
ig_cache_evictions_count{cause="REPLACED",content="session",...} 0.0
ig_cache_evictions_total{cause="SIZE",content="session",...} 0.0
ig_cache_evictions_count{cause="SIZE",content="session",...} 0.0
ig_cache_evictions_total{cause="COLLECTED",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="COLLECTED",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="EXPIRED",content="policy_decision",...} 1.0
ig_cache_evictions_count{cause="EXPIRED",content="policy_decision",...} 1.0
ig_cache_evictions_total{cause="EXPLICIT",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="EXPLICIT",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="REPLACED",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="REPLACED",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="SIZE",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="SIZE",content="policy_decision",...} 0.0

ig_cache_evictions_total

A counter monitoring type, incremented when an entry is evicted from the cache. Each evicted entry has the weight 1, so this metric is equal to ig_cache_evictions_count.

Label      Possible values
content    session, policy_decision, user_profile, access_token
cause      COLLECTED, EXPIRED, EXPLICIT, REPLACED, SIZE

Example:

ig_cache_evictions_total{cause="COLLECTED",content="session",...} 0.0
ig_cache_evictions_count{cause="COLLECTED",content="session",...} 0.0
ig_cache_evictions_total{cause="EXPIRED",content="session",...} 0.0
ig_cache_evictions_count{cause="EXPIRED",content="session",...} 0.0
ig_cache_evictions_total{cause="EXPLICIT",content="session",...} 0.0
ig_cache_evictions_count{cause="EXPLICIT",content="session",...} 0.0
ig_cache_evictions_total{cause="REPLACED",content="session",...} 0.0
ig_cache_evictions_count{cause="REPLACED",content="session",...} 0.0
ig_cache_evictions_total{cause="SIZE",content="session",...} 0.0
ig_cache_evictions_count{cause="SIZE",content="session",...} 0.0
ig_cache_evictions_total{cause="COLLECTED",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="COLLECTED",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="EXPIRED",content="policy_decision",...} 1.0
ig_cache_evictions_count{cause="EXPIRED",content="policy_decision",...} 1.0
ig_cache_evictions_total{cause="EXPLICIT",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="EXPLICIT",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="REPLACED",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="REPLACED",content="policy_decision",...} 0.0
ig_cache_evictions_total{cause="SIZE",content="policy_decision",...} 0.0
ig_cache_evictions_count{cause="SIZE",content="policy_decision",...} 0.0
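
The following Python is an added example, not part of the Identity Gateway documentation: it parses scrape output, computes the hit ratio per content label from ig_cache_gets_total, and flags failed loads and SIZE evictions. The sample scrape is constructed with only the labels shown on this page; the function names and the 0.8 threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample scrape; a real scrape carries extra labels that this page elides.
SAMPLE = '''\
ig_cache_gets_total{content="session",result="hit"} 13.0
ig_cache_gets_total{content="session",result="miss"} 1.0
ig_cache_gets_total{content="policy_decision",result="hit"} 5.0
ig_cache_gets_total{content="policy_decision",result="miss"} 2.0
ig_cache_loads_count{content="policy_decision",result="failure"} 0.0
ig_cache_evictions_count{cause="EXPIRED",content="policy_decision"} 1.0
'''

LINE = re.compile(r'^(\w+)\{(.*)\}\s+(\S+)$')
LABEL = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def parse(text):
    """Yield (metric, labels, value) for each ig_cache_* sample line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1).startswith("ig_cache_"):
            yield m.group(1), dict(LABEL.findall(m.group(2))), float(m.group(3))

def summarize(text):
    """Per content type: hit ratio, failed loads, evictions by cause."""
    out = defaultdict(lambda: {"hit": 0.0, "miss": 0.0, "load_failures": 0.0, "evictions": {}})
    for metric, labels, value in parse(text):
        e, result = out[labels.get("content", "unknown")], labels.get("result")
        if metric == "ig_cache_gets_total" and result in ("hit", "miss"):
            e[result] += value
        elif metric == "ig_cache_loads_count" and result == "failure":
            e["load_failures"] += value
        elif metric == "ig_cache_evictions_count":
            e["evictions"][labels.get("cause")] = value
    for e in out.values():
        gets = e["hit"] + e["miss"]
        e["hit_ratio"] = e["hit"] / gets if gets else None
    return dict(out)

def findings(summary, min_ratio=0.8):
    """Flag caches to review; min_ratio is an arbitrary example threshold."""
    notes = []
    for content, e in sorted(summary.items()):
        if e["hit_ratio"] is not None and e["hit_ratio"] < min_ratio:
            notes.append(f"{content}: hit ratio {e['hit_ratio']:.2f} below {min_ratio}")
        if e["load_failures"]:
            notes.append(f"{content}: {e['load_failures']:.0f} failed loads")
        if e["evictions"].get("SIZE"):
            notes.append(f"{content}: entries evicted for SIZE")
    return notes
```

Because the counters are cumulative, run the check on the difference between two scrapes when a per-interval ratio is needed.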

Copyright © 2010-2024 ForgeRock, all rights reserved.