
IDN_OIDC_JTI Table is Growing

Open Thumimku opened this issue 2 years ago • 2 comments

We have an issue related to the IDN_OIDC_JTI table not getting cleared.

So as per our current implementation of private key JWT client auth, the client has to send the JWT assertion to IS, and IS stores the JTI of this token in the IDN_OIDC_JTI table [1] [2]. This table contains JWT_ID, EXP_TIME and DATE_CREATED, and JWT_ID is the primary key.

(Screenshot 2022-11-07 at 19 29 40)

And since the JWT_ID is unique, this table is growing each and every time [3]. In this specific scenario the table has grown to almost 5 GB.

| TableName | SchemaName | rows | TotalSpaceKB | TotalSpaceMB | UsedSpaceKB | UsedSpaceMB |
|---|---|---|---|---|---|---|
| IDN_OIDC_JTI | dbo | 48521973 | 4965968 | 4849.58 | 4963912 | 4847.57 |
| IDN_OAUTH2_ACCESS_TOKEN | dbo | 28251 | 150608 | 147.08 | 53464 | 52.21 |
| IDN_OAUTH2_AUTHORIZATION_CODE | dbo | 2232 | 35808 | 34.97 | 22864 | 22.33 |


And if we use this configuration:

```toml
[event_listener.properties]
preventTokenReuse = true
```

If preventTokenReuse is set to true, the same jti cannot be reused regardless of the JWT expiry time. But if this config is set to false, the same jti can be reused once the JWT is expired [4].

So, I checked our clean-up scripts and there is no mention of this table. Since it's growing, I believe we need to clear up this table once the JWTs expire, taking the preventTokenReuse condition into account.

[1] https://github.com/wso2-extensions/identity-oauth-addons/blob/master/component/client-handler/src/main/java/org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/dao/JWTStorageManager.java#L124
[2] https://docs.wso2.com/display/IS560/Private+Key+JWT+Client+Authentication+for+OIDC
[3] https://github.com/wso2/product-is/issues/7608
[4] https://github.com/wso2-extensions/identity-oauth-addons/blob/master/component/client-handler/src/main/java/org/wso2/carbon/identity/oauth2/token/handler/clientauth/jwt/validator/JWTValidator.java#L264_L284

Thumimku avatar Nov 14 '22 05:11 Thumimku
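The clean-up the issue asks for, written out as an added example (this is not code from the issue, from WSO2 product-is, or from any shipped clean-up script). It uses only what the issue states: the table IDN_OIDC_JTI with columns JWT_ID (primary key), EXP_TIME and DATE_CREATED. Everything else is an assumption: the `dbo` schema and T-SQL syntax are inferred from the space-usage output above (which looks like SQL Server), EXP_TIME is assumed to be a date/time column holding UTC, and the batch size and pause are arbitrary tuning values. The script is only valid when preventTokenReuse is false; with preventTokenReuse set to true an expired row still carries replay state, because the validator rejects a repeated jti regardless of expiry, so in that mode the rows must be kept.

```sql
-- Added example: purge expired JTIs from IDN_OIDC_JTI in batches.
-- Column names come from the issue; dbo schema, SQL Server syntax, the UTC
-- assumption for EXP_TIME, and the tuning values are assumptions.
-- Precondition: preventTokenReuse = false. With preventTokenReuse = true
-- expired rows still block jti replay and must not be deleted.

-- 1. Check the timezone assumption first: the newest EXP_TIME of a row
--    accepted a moment ago should be just ahead of GETUTCDATE(). If it is
--    offset by whole hours, the column is not UTC and the predicate below
--    must be adjusted before anything is deleted.
SELECT MAX(EXP_TIME) AS newest_expiry, GETUTCDATE() AS db_now_utc
FROM dbo.IDN_OIDC_JTI;

-- 2. Preview what the purge would remove. A one-hour grace period covers
--    clock skew between the database host and the IS nodes, so a jti the
--    server still treats as unexpired is never removed early.
SELECT COUNT(*)       AS expired_rows,
       MIN(EXP_TIME)  AS oldest_expiry,
       MAX(EXP_TIME)  AS newest_expiry
FROM dbo.IDN_OIDC_JTI
WHERE EXP_TIME < DATEADD(HOUR, -1, GETUTCDATE());

-- 3. Delete in bounded batches so lock time and transaction-log growth stay
--    small on a multi-GB table while private_key_jwt authentication keeps
--    inserting new rows.
DECLARE @batch   INT = 10000;   -- assumed tuning value
DECLARE @deleted INT = 1;

WHILE @deleted > 0
BEGIN
    DELETE TOP (@batch) FROM dbo.IDN_OIDC_JTI
    WHERE EXP_TIME < DATEADD(HOUR, -1, GETUTCDATE());

    SET @deleted = @@ROWCOUNT;

    -- Short pause between batches so the authentication path is not starved.
    WAITFOR DELAY '00:00:00.200';
END;
```

Two practical notes. The issue says JWT_ID is the only key on the table, so the `EXP_TIME` predicate scans all 48 million rows on every batch; on a table this size an index on EXP_TIME is worth adding before the first run. And because the validator in [4] also reads this table to decide whether a jti is fresh, the purge belongs in the same scheduled clean-up window as the existing OAuth2 token scripts rather than in an ad-hoc session, so that its behaviour is reviewed together with the preventTokenReuse setting it depends on.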