Skip to content
This repository has been archived by the owner on Dec 14, 2017. It is now read-only.

Performance issues with ValidationMode.Local #154

Open
SingleCopy opened this issue Jul 14, 2017 · 6 comments
Open

Performance issues with ValidationMode.Local #154

SingleCopy opened this issue Jul 14, 2017 · 6 comments

Comments

@SingleCopy
Copy link

SingleCopy commented Jul 14, 2017
edited
Loading

The latest change introduced in v2.15.0 has a huge performance issue when the validation mode is set to local. The change was to remove the time check in the DiscoveryDocumentIssuerSecurityTokenProvider class when the security tokens should be refreshed.

Now the configurationManager.GetConfigurationAsync() is checking the AutomaticRefreshInterval and only returning a new OpenIdConnectConfiguration if it has been refreshed. However the RetrieveMetadata method is called before getting the Issuer, Audience and SecurityTokens. This is blocking other incoming http requests as the ReaderWriterLockSlim is locking for each RetrieveMetadata call.

I have created a new pull request that basically reverts some of the code so that the RetrieveMetadata method will only attempt to recreate the Issuer and SecurityTokens if the AutomaticRefreshInterval has lapsed.

For now, I have downgraded to v2.14.0.
Pull Request: https://github.com/IdentityServer/IdentityServer3.AccessTokenValidation/pull/155
@mclark1129
Copy link

This has also affected a production deployment for one of our APIs, causing timeouts when the API is under heavy load.

@MartinWa
Copy link

We have had intermittent timeouts and slow performance in our API for a while and running the profiler in Azure I found the following for a slow API call:

IdentityServerBearerTokenValidationMiddleware.Invoke | 4100.19 ms |  
OTHER <<AsyncTaskMethodBuilder.Start>> | 4100.19 ms |  
IdentityServerBearerTokenValidationMiddleware+<Invoke>d__8.MoveNext | 4100.19 ms |  
OTHER <<AuthenticationMiddleware`1.Invoke>> | 4096.43 ms |  
DiscoveryDocumentIssuerSecurityTokenProvider.get_SecurityTokens | 2870.17 ms |  
DiscoveryDocumentIssuerSecurityTokenProvider.RetrieveMetadata | 2870.17 ms |  
OTHER <<ReaderWriterLockSlim.TryEnterWriteLock>> | 2338.90 ms |  
BLOCKED_TIME | 2338.59 ms |  
CPU_TIME | 0.31 ms |  

After finding this issue I also downgraded to 2.14 and it seems like it solved the timeout problems we had.

brockallen added a commit that referenced this issue Sep 8, 2017
@brockallen
possible fix for #160 and maybe #154
3834592
@brockallen
Copy link
Member

We did an update that's supposed to deal with the deadlock in Microsoft's config loader. Please test again the myget version and let us know. https://www.myget.org/gallery/identity

Thanks

@kedwardsRenWeb
Copy link

We believe we're seeing this as well.... did anyone test this latest 2.15.1? @brockallen I noticed this wasn't ever published to NuGet...

We went live with IdSrvr at the very end of June... and our first deployment was on 2.15.0.

Would you recommend us downgrading to 2.14 or utilizing 2.15.1?

@morrisnc
Copy link

morrisnc commented Nov 3, 2017

@kedwardsRenWeb That would be a good start! We have not tested 2.15.1 yet as 2.14 has worked without issues and our next planned upgrade will move to .NET Core.

@leastprivilege
Copy link
Member

Well - if no-one gives the bug fix a try, we'll never find out.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@MartinWa @brockallen @leastprivilege @SingleCopy @mclark1129 @kedwardsRenWeb @morrisnc