Introspection cache not working for me

[harikant-lftt]

Hi

I was trying to validate introspection cache, I have Kong OIDC plugin with Keycloak.

To test this scenario I have authenticated a user and made some api call, after that I stoped my Keycloak server for sometime and Kong started giving me 401 response. It look like plugin is calling introspection endpoint each time and not storing Authenticated token in cache.

Is there any special configuration option? which may be I missed to enabled it.

Thanks in advance for your help.

[gustoliv]

Hi @harikant-lftt, in my case to make introspection cache working I had to set the lua_shared_dict directive inside Kong Gateway.

There is a series of lua dicts used to make cache working, they are:

• discovery (cache OpenID configuration)
• jwks (cache JWKS)
• introspection (cache introspection responses)
• jwt_verification (cache JWT verification statuses)

This can be done via an environment variable named KONG_NGINX_HTTP_LUA_SHARED_DICT but this variable only allow to specify one dict at a time.

There is a hacky workaround to pass more than one dict placing lua_shared_dict directive before each dict delimited by a semicolon:

KONG_NGINX_HTTP_LUA_SHARED_DICT=discovery 1m; lua_shared_dict jwks 1m; lua_shared_dict introspection 10m; lua_shared_dict jwt_verification 1m

Pay attention to the last parameter passed, which CANNOT be ended with a semicolon, otherwise Kong will fail to start.