
Jans Lock Pub Sub Client Design

Michael Schwartz edited this page Oct 17, 2023 · 15 revisions

(Figure: jans-lock-topology)

Overview

OPA is a CNCF project that provides a compact Policy Decision Point (PDP) which can run locally as a sidecar. It is very performant because all data and policies are held in memory, but that also means something has to keep that data and those policies current in real time. Jans Lock is proposed as a new component that uses a Pub/Sub fan-out topology to push updates from Auth Server to distributed Lock clients; each Lock client then calls OPA's REST API (the Data and Policy APIs, since OPA's bundle mechanism is pull-based and cannot be pushed to) to make the data available for policy decisions. Lock should also download and push the latest OP signing public keys (the Auth Server JWKS) and the OPA policies (from Git).

Any performant Pub/Sub transport could serve Auth Server. Lately there is a trend toward WebSockets for pub/sub topologies, but we could also use an established tool such as ZeroMQ, which has an embeddable Java implementation (JeroMQ).

The main things we want to make available to OPA are tokens, both access tokens and transaction tokens. To minimize the load on Auth Server, we should send reference ids to the Lock clients, not the token values; each Lock client then retrieves the token record directly from the database. This also keeps token values off the message bus, so a subscriber only learns what it is authorized to read from the database, and the Lock client can reject reference ids that do not resolve.
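The flow described in the overview and in the token paragraph, as an added illustration (this is example code written for this page, not Jans Lock or OPA project code): Auth Server publishes only a reference id on a fan-out bus, every Lock client resolves it against the database and pushes the record to OPA's Data API (`PUT /v1/data/<path>` to add, `DELETE /v1/data/<path>` on revocation). The message format, the `tokens/<ref>` data path, the token field names and the in-process broker are assumptions standing in for the real bus and schema; `opa_http_sender` shows the same requests against a live OPA, while `run_scenario` captures them so the example runs offline.

```python
import json
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the Auth Server database table of issued tokens.
# Per the design, the bus carries only the reference id; the Lock client reads
# the token record here. Field names are assumptions, not the Jans schema.
TOKEN_DB: Dict[str, dict] = {
    "tkn_8f2c": {"sub": "alice", "client_id": "app-1", "scope": ["openid", "profile"], "exp": 1700000000},
    "tkn_19ab": {"sub": "bob", "client_id": "app-2", "scope": ["openid"], "exp": 1700000600},
}

# The reference id is interpolated into an OPA Data API path, so constrain it
# before use: a ref like "../policies" must never rewrite the target path.
REF_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")

# (method, path, JSON body or None) destined for OPA's REST API.
OpaRequest = Tuple[str, str, Optional[str]]


class Broker:
    """Minimal in-process pub/sub fan-out; stands in for ZeroMQ or WebSockets."""

    def __init__(self) -> None:
        self._subscribers: List[Callable[[str], None]] = []

    def subscribe(self, handler: Callable[[str], None]) -> None:
        self._subscribers.append(handler)

    def publish(self, message: dict) -> None:
        raw = json.dumps(message)
        for handler in self._subscribers:  # fan-out: every Lock client gets a copy
            handler(raw)


class LockClient:
    """Subscriber that resolves reference ids and pushes token records to OPA."""

    def __init__(self, name: str, db: Dict[str, dict], send: Callable[[OpaRequest], None]) -> None:
        self.name = name
        self.db = db
        self.send = send
        self.dropped: List[str] = []  # rejected messages, with the reason

    def on_message(self, raw: str) -> None:
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            self.dropped.append("bad-json")
            return
        event, ref = msg.get("event"), msg.get("ref")
        if not isinstance(ref, str) or not REF_RE.match(ref):
            self.dropped.append(f"bad-ref:{ref!r}")
            return
        if event == "token_issued":
            token = self.db.get(ref)
            if token is None:  # bus says issued, DB disagrees: never push an unresolved ref
                self.dropped.append(f"unknown-ref:{ref}")
                return
            self.send(("PUT", f"/v1/data/tokens/{ref}", json.dumps(token)))
        elif event == "token_revoked":
            self.send(("DELETE", f"/v1/data/tokens/{ref}", None))
        else:
            self.dropped.append(f"unknown-event:{event!r}")


def opa_http_sender(host: str = "localhost", port: int = 8181) -> Callable[[OpaRequest], None]:
    """Deliver requests to a live OPA Data API (PUT/DELETE /v1/data/<path>); OPA answers 204."""
    import http.client

    def send(req: OpaRequest) -> None:
        method, path, body = req
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request(method, path, body=body, headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        if resp.status not in (200, 204):
            raise RuntimeError(f"OPA {method} {path} -> {resp.status}")
    return send


def run_scenario() -> Dict[str, Dict[str, list]]:
    """Two Lock clients subscribe; Auth Server publishes issue/revoke events.
    Requests are captured per client instead of sent, so this runs offline."""
    broker = Broker()
    sent: Dict[str, list] = {}
    clients: List[LockClient] = []
    for name in ("lock-a", "lock-b"):
        sent[name] = []
        client = LockClient(name, TOKEN_DB, sent[name].append)
        broker.subscribe(client.on_message)
        clients.append(client)
    broker.publish({"event": "token_issued", "ref": "tkn_8f2c"})
    broker.publish({"event": "token_issued", "ref": "tkn_19ab"})
    broker.publish({"event": "token_revoked", "ref": "tkn_8f2c"})
    broker.publish({"event": "token_issued", "ref": "../policies"})  # path-traversal attempt
    broker.publish({"event": "token_issued", "ref": "tkn_none"})     # ref not in DB
    return {"sent": sent, "dropped": {c.name: c.dropped for c in clients}}


if __name__ == "__main__":
    print(json.dumps(run_scenario(), indent=2))
```

Both clients end up issuing the same three OPA requests, which is the point of the fan-out: every local PDP converges on the same token data without Auth Server talking to each OPA. Whether a policy then treats `data.tokens[ref]` as valid still depends on checking `exp` inside the Rego rule, since nothing here expires entries; a production client would also need to delete records on expiry or reconcile periodically against the database after a missed message.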

It's important that the Lock client stays small; candidate frameworks to compare for footprint are Quarkus and Weld.
