Cache user details for basic authentication #5006
Comments
Could you please provide performance and resource statistics that show this.
Likewise please show empirical evidence that this is the case, and where the latency actually is.
We are unlikely to accept any feature that allows this, regardless of opt-in or opt-out nature. All authentication attempts should take the same time.
The added latency is simply a feature of strong password hashing algorithms. The docs state that you should aim for 500 milliseconds of compute for each password verification. When you protect an API with basic auth, that's 500 ms of added latency for each API request. It absolutely hammers the CPU and, for some algorithms, eats tons of memory. Below is an example demonstrating how slow the basic auth endpoint is.
# docker-compose.yml
version: "3.8"
services:
  authelia:
    image: "authelia/authelia"
    ports:
      - "9091:9091"
    volumes:
      - "./config:/config"
    healthcheck:
      disable: true

# configuration.yml
jwt_secret: "abcdefghijklmnopqrstuvwxyz0123456789"
authentication_backend:
  file:
    path: "/config/users_database.yml"
access_control:
  default_policy: "deny"
  rules:
    - domain: "example.com"
      policy: "one_factor"
session:
  domain: "example.com"
  secret: "abcdefghijklmnopqrstuvwxyz0123456789"
storage:
  encryption_key: "abcdefghijklmnopqrstuvwxyz0123456789"
  local:
    path: "/config/db.sqlite3"
notifier:
  filesystem:
    filename: "/config/notification.txt"

# users_database.yml
users:
  slowuser:
    displayname: "Slow User"
    # docker run --rm authelia/authelia authelia crypto hash generate argon2 --password "password"
    password: "$argon2id$v=19$m=65536,t=3,p=4$p05U+GcQ6HSevteJ0QsqBQ$NvmN1HU5YHbFIPzrYfkoQn13d7byNlxJ1T0aO6lIiG8"
    email: "slowuser@example.com"
    groups: []
  fastuser:
    displayname: "Fast User"
    # docker run --rm authelia/authelia authelia crypto hash generate pbkdf2 --variant sha256 --iterations 100000 --password "password"
    password: "$pbkdf2-sha256$100000$VVnvAgVikboxgwzkJV.smQ$zhILFiAulTCLOGZwjGCk9fcP79fAaMM1uflGsaQSBuQ"
    email: "fastuser@example.com"
    groups: []

Slow user: argon2id
Faster user: pbkdf2, sha256, 100000 iterations
Testing done on a single-CPU compute-optimized VM from Vultr.
For my use case (a WebDAV server), the latency and resource usage were too high. I wrote a proxy that sits in front of Authelia, queries the The cache key is The proxy is very fast, but it doesn't allow for the granular access control policies that Authelia would if caching were a built-in feature.
Description
For the /api/verify?auth=basic endpoint, caching user details would considerably increase the performance of the endpoint, as Authelia would not have to fetch details from an LDAP server or calculate expensive password hashes for every request. The key could be derived from the user credentials, e.g.
hmac_sha256(username + password, secret_key)
There are a couple of security tradeoffs:
The caching feature could be opt-in behind a setting. My one-factor apps use only long, randomly-generated passwords, so I'm comfortable with the tradeoffs.
Use Case
Services like WebDAV still rely on basic auth, but the current implementation can make resource usage and request latencies impractically high.
Details
No response
Documentation
There is a similar proposal for Traefik.
Pre-Submission Checklist
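The cache the issue sketches (an HMAC over the credentials as the key, so the slow hash runs once per credential pair instead of once per request), written out as an added example. This is not Authelia's code and not the author's proxy; the backend class, the cache class and the sample user table are constructed for illustration, and the only details taken from the issue are the hmac_sha256 key idea and pbkdf2-sha256 with 100000 iterations as the cheaper hash. It also handles one thing the sketch leaves open: plain `username + password` concatenation makes ("ab", "c") and ("a", "bc") produce the same key, so each field is length-prefixed before the HMAC.

```python
"""Verified-credential cache in front of a slow password hash (added example)."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # same setting as the issue's pbkdf2-sha256 "fastuser"


class FileBackend:
    """Constructed stand-in for a file user database. It stores a salted
    PBKDF2-SHA256 digest per user and counts how often the expensive
    verification actually ran, so the effect of the cache is measurable."""

    def __init__(self, plaintext_users: dict):
        self.records = {}
        for name, pw in plaintext_users.items():
            salt = os.urandom(16)
            self.records[name] = (salt, self._digest(pw, salt))
        self.calls = 0

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def verify(self, username: str, password: str) -> bool:
        self.calls += 1
        # Unknown users still pay for a full hash, so a missing account costs
        # the same as a wrong password.
        salt, stored = self.records.get(username, (b"\x00" * 16, None))
        candidate = self._digest(password, salt)
        return stored is not None and hmac.compare_digest(candidate, stored)


def cache_key(username: str, password: str, secret_key: bytes) -> bytes:
    """HMAC-SHA256 over the credentials, keyed by a server secret.

    Each field is length-prefixed (4-byte big-endian) before hashing; with
    plain concatenation, as in the issue's sketch, two different credential
    pairs could map to one cache entry."""
    fields = (username.encode(), password.encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(secret_key, msg, hashlib.sha256).digest()


class CredentialCache:
    """Remembers successful verifications for ttl_seconds. Only the keyed
    HMAC is stored, never the password; a memory dump yields HMAC outputs
    that are useless without secret_key."""

    def __init__(self, backend, secret_key: bytes, ttl_seconds: float):
        self.backend = backend
        self.secret_key = secret_key
        self.ttl = ttl_seconds
        self._entries = {}  # cache key -> expiry (monotonic seconds)

    def verify(self, username: str, password: str, now: float = None) -> bool:
        now = time.monotonic() if now is None else now
        key = cache_key(username, password, self.secret_key)
        expiry = self._entries.get(key)
        if expiry is not None and now < expiry:
            return True  # hit: the slow hash is skipped entirely
        self._entries.pop(key, None)  # drop an expired entry, if any
        ok = self.backend.verify(username, password)
        if ok:
            self._entries[key] = now + self.ttl  # failures are never cached
        return ok


if __name__ == "__main__":
    backend = FileBackend({"fastuser": "password"})  # constructed sample user
    cache = CredentialCache(backend, os.urandom(32), ttl_seconds=60)
    for _ in range(3):
        start = time.perf_counter()
        ok = cache.verify("fastuser", "password")
        print(f"ok={ok} slow_hash_calls={backend.calls} "
              f"elapsed={time.perf_counter() - start:.4f}s")
```

Run stand-alone, the first request pays for the PBKDF2 computation and the next two return from the cache with the call counter unchanged. The same run also shows the property the maintainer raised: once the cache is in place, a repeated correct password answers in microseconds while a wrong one still takes the full hash time, so successful and failed attempts no longer take the same time. The TTL and the fact that only successes are cached bound how long a cached entry stays valid after a password change, but they do not remove that timing difference.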