This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.
Skip to end of metadata
Go to start of metadata

WSO2 Identity Server has multiple cache layers that are used to improve performance. The identity.xml file <IS_HOME>/repository/conf/identity file is used to manage and configure the cache layers. Each cacher layer contains the following attributes:

  • name: This is used to build the cache instance and is unique to a JVM. This name is used as the unique identifier when the carbon kernel creates the cache object for a specific cache requirement.
  • enable: This is used to enable the cache usage for a specific cache layer. If this parameter is disabled, it means that the feature will not cache the value and depending on the feature, will either persist it in a database or not store it at all at the server level.
  • timeout: When a cache entry is added to the cache instance, the start time is recorded and the entry is stored until the time exceeds the timeout value. Once the time reaches the timeout, the cache entry is evicted from the cache. Set this value to -1 to store the cache entry indefinitely. 
  • capacity: This is the count of the cache entry. Note that this value is not related to the size of the cache. 
  • isDistributed: This is used to distribute the cache entry over the cluster through Hazelcast. If it is set to false, the cache object is stored only in the local cache. Disabling the distributed cache triggers the cache invalidation notification system, which notifies all other nodes in the cluster to invalide their local caches when one node is updating its local cache.

Let's learn how to configure the cache layers. 

Configuring identity application management cache layer 

WSO2 Identity Server enables configuring the following identity application management layer attributes.

  • AppAuthFrameworkSessionContextCache: The SessionContextCache object contains details about the authenticated user. This must be shared across the nodes in the cluster because this is the unique representation of the authenticated user.
  • AuthenticationContextCache: Until the authentication request is successfully authenticated, all authentication information is stored in the AuthenticationContextCache object, which needs to be shared across all nodes in the cluster. Once the user is authenticated successfully, this object will is removed from the cache and the required information is stored in the SessionContext cache. 
  • AuthenticationRequestCache:  The AuthenticationRequestCache object holds all the required details from the authentication request until the authentication flow is completed by the authentication framework. Note that this is not from the inbound protocol validator level. The Authentication Framework wraps the information to the AuthenticationRequestCache object and stores it in the cache. 
  • AuthenticationResultCache: The AuthenticationResultCache object holds the authentication result that contains the authenticated user details, claim mappings and other authentication specific results, and stores this information in the cache. Once the user gets authenticated through the authentication framework, it stores this object in the cache and reads the response from the inbound protocol handler once the response is built. 
  • AppInfoCache: The AppInfoCache is a complete representation of the OAuth application information in WSO2 Identity Server. It is unique for the client key and is stored in the cache by wrapping the “OAuthAppDO” object. 
  • AuthorizationGrantCache: The AuthorizationGrantCache manages the user information over tokens. This cache object contains the token, code, and user attributes for the authenticated user with some important information that is needed to access different flows such as id-token building. 
  • OAuthCache:  The OAuthCache is a general cache implementation which is not specific to one type of cache. This is used for the following cache entries with its own specific cache key. 
  • OAuthScopeCache: The OAuthScopeCache object holds scope information such as the name and display name for each scope.   
  • OAuthSessionDataCache: Once the request is received by the inbound protocol validator, it keeps the requested data by wrapping it in the  OAuthSessionDataCache  object. This is stored against the sessionDataKey , which is used to manage the browser state. 

The code block below shows an example of one such cache layer. 

       <CacheManager name="IdentityApplicationManagementCacheManager">
              <Cache name="AppAuthFrameworkSessionContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationContextCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationRequestCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="AuthenticationResultCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="AppInfoCache" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="AuthorizationGrantCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="OAuthCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="OAuthScopeCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="OAuthSessionDataCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOParticipantCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOSessionIndexCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="SAMLSSOSessionDataCache" enable="true" timeout="300" capacity="5000" isDistributed="false" />
              <Cache name="ServiceProviderCache" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="ProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="ProvisioningEntityCache" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="ServiceProviderProvisioningConnectorCache" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByAuthProperty" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByHRI" enable="true" timeout="900" capacity="5000" isDistributed="false" />
              <Cache name="IdPCacheByName" enable="true" timeout="900" capacity="5000" isDistributed="false" />

Configuring identity claim metadata management cache layer

WSO2 Identity Server enables configuring the following identity claim metadata layer attributes:

  • LocalClaimCache: This enables caching local cache properties such as mapped attributes.
  • ExternalClaimCache: This enables caching external cache properties such as mapped local claim. 
  • ClaimDialectCache: This enables caching the list of claim dialects. 

The code block below shows an example of the identity claim metadata management cache layer. 

<CacheManager name="IdentityClaimMetadataMgtCacheManager">
	<Cache name="LocalClaimCache"   enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
	<Cache name="ExternalClaimCache"  enable="true"  timeout="900" capacity="5000" isDistributed="false"/>
	<Cache name="ClaimDialectCache"  enable="true"  timeout="900" capacity="5000" isDistributed="false"/>    
  • No labels