Kong Community Edition OAuth2.0 Plugin Expired Credentials Findings

Seems to me that Kong (0.11.2) currently does not manage created OAuth2 expired credential tokens, as seen in my db:

*****@cqlsh:******> select * from oauth2_tokens;

 id                                   | access_token                     | api_id | authenticated_userid | created_at                      | credential_id                        | expires_in | refresh_token | scope | token_type
--------------------------------------+----------------------------------+--------+----------------------+---------------------------------+--------------------------------------+------------+---------------+-------+------------
 5868967f-2d55-49b6-8c4f-c3ae2fd87c4c | fo6ATiM1H08jvWX1k4piWvOAvTjCUnh3 |   null |                 null | 2018-01-03 20:37:02.178000+0000 | 4ccc3d1f-2c35-44e6-a6d5-4cebc6745ffc |       3600 |          null |       |     bearer
 4ff53291-73e8-4004-8639-6f7cfa34251d | Rp2zSM651msoHIXAjbwT7PH85UxOkE5K |   null |                 null | 2018-01-03 20:40:37.086000+0000 | 4ccc3d1f-2c35-44e6-a6d5-4cebc6745ffc |       3600 |          null |       |     bearer
 a9b8158b-e7ab-4a65-8b84-111a2da9a1a7 | prKTAPuFEsF7LbHlGjyu3wOBWlCNwTsz |   null |                 null | 2018-01-05 22:06:58.689000+0000 | e72fbe91-0c2d-40eb-ab60-f30696831f12 |       3600 |          null |       |     bearer
 644207eb-b1b8-4063-a9a8-cd43443e99e9 | WZhUjJPSSa9aFxFeFtEpTqshLtpZXbEg |   null |                 null | 2018-01-03 23:38:08.449000+0000 | e72fbe91-0c2d-40eb-ab60-f30696831f12 |       3600 |          null |       |     bearer
 66255710-d5c4-4b6b-b27e-4670fe708531 | u8CANJUA09Vm8GQw1Vyy4MqjeSD6YQg8 |   null |                 null | 2018-01-03 23:40:55.255000+0000 | e72fbe91-0c2d-40eb-ab60-f30696831f12 |       3600 |          null |       |     bearer
 9944682d-3ba4-4814-8103-8972efbbe0bf | DG9Ho9TlmzpHraWKQew5SiASOQSRVFxc |   null |                 null | 2018-01-03 20:41:34.496000+0000 | 4ccc3d1f-2c35-44e6-a6d5-4cebc6745ffc |       3600 |          null |       |     bearer
 f3321fed-fc5a-4d27-bc9b-68443ac315c6 | YtflyahpTIVSTYM7Hc6VAQ7PygNAv0An |   null |                 null | 2018-01-03 20:37:37.097000+0000 | 4ccc3d1f-2c35-44e6-a6d5-4cebc6745ffc |       3600 |          null |       |     bearer
 d02edc35-43a7-4f36-9e4d-8c4e62fed2ec | M1FR92Y7qm6JvTmNd6JGWcxX6rl2GcgD |   null |                 null | 2018-01-05 17:52:25.954000+0000 | 6fdd91da-8d62-4cd2-b6f3-5eb468e6887b |       3600 |          null |       |     bearer
 915a60cd-dd86-4768-8011-6df210d2c6c4 | ZGgcrEJ0DHJPkbBRN9BZ3rM1X3VT33iK |   null |                 null | 2018-01-05 06:55:55.753000+0000 | ca6e60df-a247-4189-a467-4fc9db72d652 |       3600 |          null |       |     bearer
 23659b06-4b1e-4323-89c7-9c65a45aa422 | vVpknBPoyb2TGjicrvK5Y6pUVUOOeoq9 |   null |                 null | 2018-01-05 07:02:21.033000+0000 | ca6e60df-a247-4189-a467-4fc9db72d652 |       3600 |          null |       |     bearer

(10 rows)
***@cqlsh:****>

If I get some time I will investigate further, as I see this being a problem when a large number of consumers are generating tokens every hour. With 100 consumers on a 1 hr token expiry policy, you are talking about 2,400 db rows of extra expired tokens every day chilling in the db for no reason.

I brought this up in the chat but thought it good for better documentation here so others are aware of it as well.

Temporary measures Kong community users can take would be an hourly/daily cron to run a delete on all rows with a null api_id && authenticated_userid until something gets put in place to improve the plugin.

1 Like

Some identity providers never remove any tokens, as the tokens should be unique, so it can always be checked that a token has not been generated before, or a difference can be made between an "expired" token and a "hacked" one, and I guess it is a simple index lookup in many cases. 2,400 rows doesn't seem much. That would be around 10 million rows in 10 years, which still doesn't sound much. At some point, I think plugins should be made able to register recurring tasks (similar to cron), where this could be implemented. I think using cron is good enough, although not as user friendly.

1 Like

Right, the default I gave was a small example though. Now if we have 1000 consumers and they have poor token management (mismanagement, I would say) and are generating tokens every 10 minutes, that is a total of 144,000 expired creds a day. I have not browsed all the code yet, but if Kong is doing some select *'s on this table it will get time intensive as weeks progress. I think we are going to elect to make a daily cron run and clear out all the expired tokens daily. We will just post the query here for others to use too.
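As an added example of the cron-driven cleanup described in the first post and again in the last reply (this is not the query the poster promised, nor code from Kong itself), the script below takes rows in the shape of the oauth2_tokens table quoted above, works out which access tokens have passed created_at + expires_in, and emits one DELETE per expired row keyed on id, because Cassandra cannot delete by a non-key column such as created_at. Everything here is assumed for illustration: the sample rows and their ids are constructed, the keyspace name `kong` is a guess, a 5-minute grace period is added so a token in use at the cut-off is not removed mid-request, a row whose expires_in is 0 or less is treated as non-expiring and kept, and rows that still carry a refresh_token are kept by default since the thread's criterion (null api_id and authenticated_userid) alone says nothing about whether the row can still be refreshed.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample rows mirroring the columns of the oauth2_tokens table quoted in the
# thread. The ids, token values and user id are made up for this example.
SAMPLE_ROWS: List[Dict[str, Optional[object]]] = [
    {"id": "11111111-1111-4111-8111-111111111111", "api_id": None, "authenticated_userid": None,
     "created_at": "2018-01-03 20:37:02.178000+0000", "expires_in": 3600, "refresh_token": None},
    # Issued ten minutes before NOW: still valid, must survive the sweep.
    {"id": "22222222-2222-4222-8222-222222222222", "api_id": None, "authenticated_userid": None,
     "created_at": "2018-01-05 23:50:00.000000+0000", "expires_in": 3600, "refresh_token": None},
    # authenticated_userid set: outside the thread's "both null" criterion, left alone.
    {"id": "33333333-3333-4333-8333-333333333333", "api_id": None, "authenticated_userid": "user-42",
     "created_at": "2018-01-03 20:40:37.086000+0000", "expires_in": 3600, "refresh_token": None},
    # Expired access token that still carries a refresh_token (constructed value).
    {"id": "44444444-4444-4444-8444-444444444444", "api_id": None, "authenticated_userid": None,
     "created_at": "2018-01-03 23:38:08.449000+0000", "expires_in": 3600, "refresh_token": "r3fr3sh"},
    # expires_in of 0: assumed here to mean "never expires", so it is kept.
    {"id": "55555555-5555-4555-8555-555555555555", "api_id": None, "authenticated_userid": None,
     "created_at": "2018-01-03 23:40:55.255000+0000", "expires_in": 0, "refresh_token": None},
]

# Fixed reference time so the example is deterministic; a real cron job would pass
# datetime.now(timezone.utc) instead.
NOW = datetime(2018, 1, 6, 0, 0, 0, tzinfo=timezone.utc)


def parse_created_at(value: str) -> datetime:
    """Parse the created_at format cqlsh prints, e.g. 2018-01-03 20:37:02.178000+0000."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f%z")


def is_expired(row: Dict[str, Optional[object]], now: datetime, grace: timedelta) -> bool:
    """True when created_at + expires_in (+ grace) is at or before `now`.

    Assumption: a non-positive expires_in marks a token that never expires.
    """
    expires_in = int(row["expires_in"] or 0)
    if expires_in <= 0:
        return False
    expiry = parse_created_at(str(row["created_at"])) + timedelta(seconds=expires_in)
    return expiry + grace <= now


def select_expired_ids(rows: List[Dict[str, Optional[object]]], now: datetime = NOW,
                       grace: timedelta = timedelta(minutes=5),
                       keep_refreshable: bool = True) -> List[str]:
    """Ids of rows matching the thread's criterion (api_id and authenticated_userid both
    null) whose access token has expired. Rows with a refresh_token are kept unless
    keep_refreshable is False, because deleting the row also discards that refresh token."""
    expired: List[str] = []
    for row in rows:
        if row["api_id"] is not None or row["authenticated_userid"] is not None:
            continue
        if keep_refreshable and row["refresh_token"]:
            continue
        if is_expired(row, now, grace):
            expired.append(str(row["id"]))
    return expired


def build_delete_statements(ids: List[str], keyspace: str = "kong") -> List[str]:
    """One DELETE per primary key; Cassandra has no DELETE ... WHERE created_at < x.
    The keyspace name is an assumption for this example."""
    return [f"DELETE FROM {keyspace}.oauth2_tokens WHERE id = {row_id};" for row_id in ids]


if __name__ == "__main__":
    # In a cron job the rows would come from `SELECT id, api_id, authenticated_userid,
    # created_at, expires_in, refresh_token FROM oauth2_tokens` via the Cassandra driver.
    for statement in build_delete_statements(select_expired_ids(SAMPLE_ROWS)):
        print(statement)
```

Run daily, the select-then-delete-by-id pattern keeps the sweep bounded to rows the plugin can no longer honour, and leaving the grace period and the refresh_token check in place means a token that was valid a moment ago is not pulled out from under a live request.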