diff --git a/docs/certificate-key/concept-design/architecture/access-control/externalized-authentication.md b/docs/certificate-key/concept-design/architecture/access-control/externalized-authentication.md index 0049e7f8b..4c0966403 100644 --- a/docs/certificate-key/concept-design/architecture/access-control/externalized-authentication.md +++ b/docs/certificate-key/concept-design/architecture/access-control/externalized-authentication.md @@ -22,3 +22,25 @@ Based on the technology being used for externalized authentication, multi-factor :::info One of the tested authentication servers is [Keycloak](https://www.keycloak.org/). Keycloak can integrate with the API gateway using OIDC and supports integration to various identity providers including various authentication flows. ::: + +## Authentication Cache + +The authentication cache improves performance by caching resolved user identities to avoid repeated auth-service lookups. This caching mechanism stores authentication information for users authenticated via certificates or tokens. + +### Configuration + +Authentication cache can be configured through Helm chart values: + +```yaml +caching: + authentication: + ttlMinutes: 5 # How long a cached identity is considered valid + maxSize: 500 # Maximum number of cached identities +``` + +For more details on configurable parameters, see [Helm chart configurable parameters](../../../installation-guide/deployment/deployment-helm/configurable-parameters#local-parameters). + +### Cache Behavior + +- **TTL (Time To Live)**: Determines how long authentication information remains in the cache before it expires +- **Max Size**: Limits the maximum number of cached identities to prevent excessive memory usage \ No newline at end of file diff --git a/docs/certificate-key/installation-guide/deployment/deployment-helm/configurable-parameters.md b/docs/certificate-key/installation-guide/deployment/deployment-helm/configurable-parameters.md index 37653e5a0..3ae30df9b 100644 
--- a/docs/certificate-key/installation-guide/deployment/deployment-helm/configurable-parameters.md +++ b/docs/certificate-key/installation-guide/deployment/deployment-helm/configurable-parameters.md @@ -115,6 +115,8 @@ The following values may be configured for the CZERTAINLY core service: | pyAdcsConnector.enabled | `false` | Whether the PyADCS Connector should be enabled | | hashicorpVaultConnector.enabled | `false` | Whether the HashiCorp Vault Connector should be enabled | | x509ComplianceProvider.enabled | `false` | Whether the X.509 Compliance Provider should be enabled | +| caching.authentication.ttlMinutes | `5` | Authentication cache TTL in minutes - how long a cached identity is considered valid | +| caching.authentication.maxSize | `500` | Authentication cache maximum size - maximum number of cached identities | | cryptosenseDiscoveryProvider.enabled | `false` | Whether the Cryptosense Discovery Provider should be enabled | | ctLogsDiscoveryProvider.enabled | `false` | Whether the CT Logs Discovery Provider should be enabled | | networkDiscoveryProvider.enabled | `false` | Whether the Network Discovery Provider should be enabled |
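Review bot: The new "Authentication Cache" section in externalized-authentication.md does not say what a cached identity means for revocation, and that is the property an operator deploying it needs to know: once an identity is resolved and cached, a revoked certificate, an expired or revoked token, or a role change at the auth service will keep being honoured for up to `ttlMinutes` (5 minutes by default). Please add a sentence under "Cache Behavior" stating that TTL bounds the propagation delay of such changes, whether the cache is keyed on the certificate or token and whether a token's own expiry is honoured independently of the TTL, and what eviction happens when `maxSize` is reached (the text says the limit "prevents excessive memory usage" but not whether the oldest or least recently used entry is dropped). Minor: the file is added without a trailing newline ("\ No newline at end of file").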
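Review bot: The two `caching.authentication.*` rows in configurable-parameters.md are inserted between `x509ComplianceProvider.enabled` and `cryptosenseDiscoveryProvider.enabled`, splitting an otherwise contiguous list of connector/provider enable flags; move them to the end of the table or next to other core service tuning parameters so the provider flags stay grouped. The defaults (`5`, `500`) match the YAML example in the other hunk, which is good; consider mirroring the revocation caveat here in the TTL description ("changes at the auth service take effect after at most this many minutes") so readers of the parameter table see it without following the link.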