Jans Lock Pub Sub Client Design
OPA is a CNCF project that provides a compact Policy Decision Point ("PDP") that runs locally as a sidecar. It is very performant because all data and policies are held in memory; the price is that you have to keep that data and those policies current yourself, in real time. Jans Lock is proposed as a new component that uses a Pub/Sub fan-out topology to push updates from Auth Server to distributed Lock clients, which then feed their local OPA through its bundle mechanism so that real-time data is available for policy decisions. One caveat: OPA's bundle mechanism is pull-based (OPA polls the bundle server it is configured with), so a Lock client either has to serve bundles for its local OPA to poll or write the data through OPA's REST Data API (`PUT /v1/data/...`).
It looks like we can use WebSockets in Auth Server (Weld/CDI) to handle the Pub/Sub requirement: each Lock client keeps a WebSocket session open to Auth Server, and updates are fanned out by writing to every open session. For example:

```java
import java.io.IOException;

import javax.inject.Inject;
import javax.websocket.*;
import javax.websocket.server.ServerEndpoint;

// Auth Server side of the Pub/Sub channel: one session per connected Lock client.
@ServerEndpoint(value = "/blabla")
public class WebsocketService {

    @Inject
    private DatabaseProvider dbProvider;

    @OnOpen
    public void onOpen(Session session) throws IOException {
        // register the Lock client's session so it receives subsequent updates
    }

    @OnMessage
    public void onMessage(Session session, String socketPacket) throws IOException {
        // handle a packet sent by the Lock client (e.g. a subscription request)
    }

    // remaining handlers (@OnClose, @OnError, ...) omitted
}
```
The main things we want to make available to OPA are tokens, both access tokens and transaction tokens. To minimize the load on Auth Server (and to keep bearer token values off the Pub/Sub channel), we should send reference ids to the Lock clients, not the token values. Each Lock client then retrieves the token values directly from the Database or Cache Service, which means every Lock client needs read access to that store over an authenticated, encrypted connection. Lock should also download and push the latest OP signing public keys and OPA policies (from Git).
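The flow described above, as an added example in Python (not code from the Jans project): Auth Server publishes an event that carries only a token reference id; the Lock client resolves the id against a constructed in-memory stand-in for the Database/Cache Service, keeps the materialized token records, and packages them together with the OP signing keys and a policy as an OPA bundle (plus the `PUT /v1/data/...` requests it would send if it used the Data API instead). The event schema, the store layout, the JWKS contents and the Rego policy are all assumptions made for this example.

```python
"""Jans Lock fan-out sketch (added example, not Jans project code).

Auth Server publishes token *reference ids* over Pub/Sub; a Lock client
resolves them against the token store and hands OPA the result, either as
a bundle it serves for OPA to poll or as REST Data API writes.
"""
import io
import json
import tarfile

# Constructed stand-in for the Jans Database / Cache Service. The key layout
# and record fields are assumptions for this example.
TOKEN_STORE = {
    "ref-a1b2": {"type": "access_token", "client_id": "client-1",
                 "scope": ["openid", "profile"], "exp": 1700000000},
    "ref-c3d4": {"type": "transaction_token", "client_id": "client-2",
                 "scope": ["txn"], "exp": 1700000600},
}

# Constructed JWKS standing in for the OP's signing keys (not a real key).
OP_SIGNING_KEYS = {"keys": [{"kty": "RSA", "kid": "assumed-kid-1", "alg": "RS256",
                             "use": "sig", "n": "not-a-real-modulus", "e": "AQAB"}]}

# Assumed policy: a token is valid if OPA knows its reference id and it has not expired.
POLICY_REGO = """package jans

import rego.v1

default allow := false

allow if {
    tok := data.tokens[input.token_ref]
    tok.exp > input.now
}
"""


def publish_token_event(ref_id, op):
    """Auth Server side: the message carries only the reference id, never the token."""
    if op not in ("add", "revoke"):
        raise ValueError("unknown op: %s" % op)
    return {"type": "token", "op": op, "ref": ref_id}


class LockClient:
    """One Pub/Sub subscriber; there is one per OPA sidecar in the fan-out."""

    def __init__(self, store):
        self.store = store      # read-only handle to the DB / Cache Service
        self.tokens = {}        # materialized token records keyed by reference id

    def on_message(self, msg):
        if msg.get("type") != "token":
            return
        ref = msg["ref"]
        if msg["op"] == "revoke":
            self.tokens.pop(ref, None)
            return
        record = self.store.get(ref)    # value comes from the store, not the bus
        if record is None:
            return                      # unknown or already-expired ref: ignore
        self.tokens[ref] = record

    def data_document(self):
        """Everything OPA needs at the data root."""
        return {"tokens": self.tokens, "jwks": OP_SIGNING_KEYS}

    def build_bundle(self, revision):
        """OPA bundle: gzipped tar with .manifest, data.json and .rego files.
        The Lock client serves this for its local OPA to poll."""
        manifest = {"revision": revision, "roots": ["jans", "tokens", "jwks"]}
        files = [
            (".manifest", json.dumps(manifest)),
            ("data.json", json.dumps(self.data_document())),
            ("jans/policy.rego", POLICY_REGO),
        ]
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:gz") as tar:
            for name, content in files:
                payload = content.encode()
                info = tarfile.TarInfo(name)
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
        return buf.getvalue()

    def data_api_requests(self):
        """Push alternative: (method, path, body) tuples for OPA's REST Data API."""
        return [("PUT", "/v1/data/" + key, value)
                for key, value in self.data_document().items()]


def read_bundle(blob):
    """Unpack a bundle into {path: text}; used to check what OPA would load."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return {m.name: tar.extractfile(m).read().decode()
                for m in tar.getmembers() if m.isfile()}


if __name__ == "__main__":
    client = LockClient(TOKEN_STORE)
    for event in (publish_token_event("ref-a1b2", "add"),
                  publish_token_event("ref-c3d4", "add"),
                  publish_token_event("ref-a1b2", "revoke")):
        client.on_message(event)
    for path, text in read_bundle(client.build_bundle("rev-1")).items():
        print(path, len(text), "bytes")
```

The point to check in a real deployment is the one the design makes: the only thing on the Pub/Sub channel is the reference id, so a compromised subscriber or bus learns which tokens exist but not their values, and every Lock client's store credentials become the thing to protect. The bundle's `roots` must cover every data path and policy package the client ships, otherwise OPA rejects the bundle.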
It's important that the Lock client stays small (Quarkus versus Weld is an open question). We need an HTTPS /health endpoint for the Jans Lock client, so it has to be some kind of web application.