Page MenuHomePhabricator

Replace token store in MW OAuth WCQS proxy with JWT
Closed, ResolvedPublic3 Estimated Story Points


As a WCQS maintainer I want to simplify MW OAuth Proxy for WCQS so it won't require a cache of tokens so that they aren't invalidated before their expiry.

Currently - all the user tokens (which are returned in cookies) are stored in WM OAuth Proxy memory (on WCQS beta limit is 100), which in high traffic situation will cause a rapid expiry. Additionally - production WCQS will be clustered, so having a session store complicates load balancing (or forces us to implement a distributed cache).To alleviate this, we could use a JWT tokens to be able to validate tokens themselves.


  • MW OAuth Proxy memory footprint is independent of user traffic

Event Timeline

I was not previously familiar with mw-oauth-proxy. Here are some related links for any other subscribers that may have a similar knowledge gap:

I don't pretend to have absorbed all of this, but I did notice this in

private OAuth10aService service;

Are you planning to use OAuth 1 (and not OAuth 2)? Or maybe I am misreading this?

@BPirkle when this code was written, there was a bug (now fixed) that prevented us from using OAuth2. Now we could, but since we consider this a temporary measure (with API gateway being a more solid one in the future, as mentioned here T290300), we probably leave this as it is right now.