Skip to content

Document the authentication cache #293

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
LukasNajman wants to merge 2 commits into
base: documentation
Choose a base branch
from
Open

Document the authentication cache #293

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
7c2ea00
Add authentication caching parameters and documentation
LukasNajman May 6, 2026
b334810
Merge remote-tracking branch 'origin/documentation' into documentation
LukasNajman May 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
22 changes: 22 additions & 0 deletions ...e-key/concept-design/architecture/access-control/externalized-authentication.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,25 @@ Based on the technology being used for externalized authentication, multi-factor
:::info
One of the tested authentication servers is [Keycloak](https://www.keycloak.org/). Keycloak can integrate with the API gateway using OIDC and supports integration to various identity providers including various authentication flows.
:::

## Authentication Cache

The authentication cache improves performance by caching resolved user identities to avoid repeated auth-service lookups. This caching mechanism stores authentication information for users authenticated via certificates or tokens.

### Configuration
Copy link
Copy Markdown
Contributor

@3keyroman 3keyroman May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This does not belong here, it is duplicate from Helm chart values


Authentication cache can be configured through Helm chart values:

```yaml
caching:
authentication:
ttlMinutes: 5 # How long a cached identity is considered valid
maxSize: 500 # Maximum number of cached identities
```

For more details on configurable parameters, see [Helm chart configurable parameters](../../../installation-guide/deployment/deployment-helm/configurable-parameters#local-parameters).

### Cache Behavior

- **TTL (Time To Live)**: Determines how long authentication information remains in the cache before it expires
- **Max Size**: Limits the maximum number of cached identities to prevent excessive memory usage
2 changes: 2 additions & 0 deletions ...te-key/installation-guide/deployment/deployment-helm/configurable-parameters.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,8 @@ The following values may be configured for the CZERTAINLY core service:
| pyAdcsConnector.enabled | `false` | Whether the PyADCS Connector should be enabled |
| hashicorpVaultConnector.enabled | `false` | Whether the HashiCorp Vault Connector should be enabled |
| x509ComplianceProvider.enabled | `false` | Whether the X.509 Compliance Provider should be enabled |
| caching.authentication.ttlMinutes | `5` | Authentication cache TTL in minutes - how long a cached identity is considered valid |
Copy link
Copy Markdown
Contributor

@3keyroman 3keyroman May 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This part is automatically synced from Helm chart docs, should not be manually updated.

| caching.authentication.maxSize | `500` | Authentication cache maximum size - maximum number of cached identities |
| cryptosenseDiscoveryProvider.enabled | `false` | Whether the Cryptosense Discovery Provider should be enabled |
| ctLogsDiscoveryProvider.enabled | `false` | Whether the CT Logs Discovery Provider should be enabled |
| networkDiscoveryProvider.enabled | `false` | Whether the Network Discovery Provider should be enabled |
Expand Down