Using redis instead of DB to verify access token

[lethunder]

The idea here is to create the access token inside the DB and Redis at the same time. If the token is revoked then we update also attribute in redis. Since we are searching for this on every query, it would be faster to do this from redis instead on DB. The workflow would be:

• We check if it exists in redis
  • It does not exist
    • we check the Postgresq DB
      - It does not exist
      TOKEN DOES NOT EXIST
      - It exists and not revoked
      - We create entry in Redis DB
  • It exists
    • We check if token is valid (not revoked)

[kmayer]

Postgres has a pretty descent query cache, so adding a redis or memcache layer to doorkeeper probably won't buy much of a performance win.

on the other hand, we have an architecture where the OAuth service is separate from the Resource, and the DBs are isolated, so we're making over-the-wire API calls to the doorkeeper server to validate tokens. We built a very small client library, and that caches the response for a very big performance win.

[nickfun]

@lethunder did you find a good way to do a fallback lookup if the token doesn't exist in your database?

@kmayer any tips on how you implemented your cache system?

I'm trying to do something similar to @lethunder , and lookup a token at an alternative source if the default one shows up not found, as we want a fallback auth for some circumstances.