
Oathkeeper returns a 401 "Access credentials are invalid" when exceeding Ory Network's rate limiting on /sessions/whoami endpoint

Open wewelll opened this issue 9 months ago • 2 comments

Preflight checklist

Ory Network Project

No response

Describe the bug

We're using Ory Network as our authentication provider, and Oathkeeper to protect our APIs. Oathkeeper is configured with a cookie_session authenticator and uses the /sessions/whoami endpoint to check the cookie.

When a user makes a lot of calls to our API at the same time, Oathkeeper can sometimes return a 401 - Access credentials are invalid response, even when the cookie is valid.

I did a bit of digging with our OpenTelemetry instrumentation, and figured out that the /sessions/whoami endpoint is in fact returning a 429 status, because we're exceeding rate limiting.

I see two potential improvements:

  • Change the response status

Instead of returning a misleading 401 status, Oathkeeper should return another status code, like 429, so it can help the end-user understand what is happening.

  • Add cache to the check_session_url call

When a user performs a lot of calls in a small timeframe, it's not necessary to call /sessions/whoami for all of them because the session cookie hasn't changed. I suggest adding an optional caching mechanism to the cookie_session authenticator; it would solve this issue even with a low TTL (~1s). This caching mechanism could be similar to the one found in the oauth2_client_credentials authenticator.

Reproducing the bug

  • Run Oathkeeper with a cookie_session authenticator linked to an Ory Network project.
  • Log in and retrieve the session cookie
  • Write and run a script that sends 100 requests in parallel to the running Oathkeeper, with the session cookie
  • You should see a 401 at some point, even though the cookie is valid

Relevant log output

No response

Relevant configuration

authenticators:
  cookie_session:
    enabled: true
    config:
      # Every request is forwarded to this endpoint to validate the session cookie
      check_session_url: https://my-project-slug.projects.oryapis.com/sessions/whoami
      # Keep the original request path when calling check_session_url
      preserve_path: true
      # Expose the whole whoami response as session extra data
      extra_from: '@this'
      # Use identity.id from the whoami response as the subject
      subject_from: 'identity.id'

Version

latest

On which operating system are you observing this issue?

macOS

In which environment are you deploying?

Kubernetes

Additional Context

No response

wewelll May 21 '24 17:05
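The two improvements proposed in the issue (not masking an upstream 429 as a 401, and caching positive whoami results per cookie for a short TTL), as an added illustration that is not Oathkeeper's code and not the Ory project's API. It assumes a stand-in for /sessions/whoami built with httptest that accepts one constructed cookie value (ory_kratos_session=valid-cookie), answers with a constructed {"identity":{"id":"user-123"}} body, and returns 429 once more than a configurable number of calls has arrived, simulating Ory Network's rate limit. The names SessionChecker, Check and RunScenario are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// SessionResult keeps "credentials invalid" (401) and "upstream rate limited" (429)
// apart, which the issue reports the authenticator currently conflates.
type SessionResult struct {
	Status  int    // status to return to the API caller: 200, 401, 429 or 502
	Subject string // identity.id from the whoami body when the session is valid
}

type cacheEntry struct {
	res SessionResult
	exp time.Time
}

// SessionChecker calls a whoami-style endpoint and caches positive results,
// keyed by the raw Cookie header value, for ttl. Negative results are never
// cached, so a revoked or invalid session is not kept alive by the cache.
type SessionChecker struct {
	whoamiURL string
	ttl       time.Duration
	client    *http.Client
	mu        sync.Mutex
	cache     map[string]cacheEntry
	Upstream  int // number of calls that actually reached the whoami endpoint
}

func NewSessionChecker(url string, ttl time.Duration) *SessionChecker {
	return &SessionChecker{whoamiURL: url, ttl: ttl,
		client: &http.Client{Timeout: 5 * time.Second}, cache: map[string]cacheEntry{}}
}

// Check returns the cached result for cookie while it is fresh; otherwise it
// calls the whoami endpoint and maps its status without collapsing 429 into 401.
func (s *SessionChecker) Check(cookie string) SessionResult {
	s.mu.Lock()
	if e, ok := s.cache[cookie]; ok && time.Now().Before(e.exp) {
		s.mu.Unlock()
		return e.res
	}
	s.Upstream++
	s.mu.Unlock()

	req, _ := http.NewRequest("GET", s.whoamiURL, nil)
	req.Header.Set("Cookie", cookie)
	resp, err := s.client.Do(req)
	if err != nil {
		return SessionResult{Status: http.StatusBadGateway}
	}
	defer resp.Body.Close()
	switch resp.StatusCode {
	case http.StatusOK:
		var body struct {
			Identity struct {
				ID string `json:"id"`
			} `json:"identity"`
		}
		if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
			return SessionResult{Status: http.StatusBadGateway}
		}
		res := SessionResult{Status: http.StatusOK, Subject: body.Identity.ID}
		s.mu.Lock()
		s.cache[cookie] = cacheEntry{res: res, exp: time.Now().Add(s.ttl)}
		s.mu.Unlock()
		return res
	case http.StatusTooManyRequests:
		return SessionResult{Status: http.StatusTooManyRequests} // surface the rate limit
	default:
		return SessionResult{Status: http.StatusUnauthorized}
	}
}

// newFakeWhoami is a constructed stand-in for /sessions/whoami: it only accepts
// the constructed cookie and returns 429 after more than limit calls.
func newFakeWhoami(limit int) *httptest.Server {
	var mu sync.Mutex
	calls := 0
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		calls++
		n := calls
		mu.Unlock()
		if n > limit {
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		if r.Header.Get("Cookie") != "ory_kratos_session=valid-cookie" {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"active":true,"identity":{"id":"user-123"}}`)
	}))
}

// RunScenario sends n requests with the same valid cookie through a checker
// backed by a fake whoami that rate-limits after limit calls. It returns a
// status -> count histogram and how many calls reached the endpoint.
func RunScenario(n, limit int, ttl time.Duration) (map[int]int, int) {
	srv := newFakeWhoami(limit)
	defer srv.Close()
	c := NewSessionChecker(srv.URL+"/sessions/whoami", ttl)
	counts := map[int]int{}
	for i := 0; i < n; i++ {
		counts[c.Check("ory_kratos_session=valid-cookie").Status]++
	}
	return counts, c.Upstream
}

func main() {
	noCache, calls := RunScenario(100, 10, 0)
	fmt.Println("ttl=0:  ", noCache, "upstream calls:", calls)
	cached, calls := RunScenario(100, 10, time.Second)
	fmt.Println("ttl=1s: ", cached, "upstream calls:", calls)
}
```

With ttl=0 the 100 requests all reach the endpoint and the 90 that exceed the limit come back as 429 rather than 401; with ttl=1s only the first request reaches the endpoint and the remaining 99 are served from the cache. The requests here are sequential to keep the result deterministic; for the parallel burst described in the issue, the first miss would need request coalescing (for example singleflight) so that concurrent requests with the same cookie do not all go upstream before the first result is cached.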