SPIRE Agent may not always be available, for any number of reasons (bug, upgrade, bad config push, etc). This is particularly important for JWT-SVID because its use is usually tightly coupled with the request path. I briefly reviewed the handler and spire code and didn't see anything along these lines, so thought I'd make the suggestion.
Ingress Mode
Can cache the whole token, or a hash of the token, and the authz response. Deciding how long to hold onto the response can be tricky - you want it long enough to survive some sort of agent outage, but short enough to not seriously affect your ability to redact.
Egress Mode
Token can be cached as a function of audience, and its lifetime in the cache can be a function of the token's TTL.
For ingress mode we would need to still validate the request but could just make sure the token looks right and that the last time it auth'd (within a window) it was successful rather than make the request down to spire.
For egress it's a bit easier since we can just keep a map of audience and tokens that expire instead of making the round trip to spire.
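An added example (not code from the issue author or from the project under discussion) sketching both caches described in the issue body and in the comment above: an ingress cache keyed by a hash of the token plus audience, reused only within a bounded window and only while the token is unexpired, and an egress cache keyed by audience whose entries live according to the token's own expiry. `ValidateFunc` and `FetchFunc` are hypothetical stand-ins for the calls into SPIRE Agent, `ErrAgentUnavailable` is a constructed sentinel for the agent-down case, and the `Now` field is an injectable clock so the behaviour can be exercised offline.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"sync"
	"time"
)

// ErrAgentUnavailable stands in for any transport or agent-side failure
// (bug, upgrade, bad config push). Constructed sentinel for this example.
var ErrAgentUnavailable = errors.New("spire agent unavailable")

// ValidateFunc is a hypothetical call to SPIRE Agent that validates a JWT-SVID
// for an audience and returns the subject SPIFFE ID and the token's expiry.
type ValidateFunc func(token, audience string) (string, time.Time, error)

// FetchFunc is a hypothetical call to SPIRE Agent that mints a JWT-SVID.
type FetchFunc func(audience string) (string, time.Time, error)

type ingressEntry struct {
	spiffeID string
	tokenExp time.Time
	cachedAt time.Time
}

// IngressCache remembers successful validations keyed by a hash of
// (audience, token) so the raw SVID is not retained. An entry is reused only
// while the token is unexpired and the entry is younger than Window; Window
// bounds how long a no-longer-valid key stays trusted during an agent outage.
type IngressCache struct {
	mu       sync.Mutex
	entries  map[string]ingressEntry
	Window   time.Duration
	Validate ValidateFunc
	Now      func() time.Time // injectable clock
}

func NewIngressCache(v ValidateFunc, window time.Duration) *IngressCache {
	return &IngressCache{entries: map[string]ingressEntry{}, Window: window, Validate: v, Now: time.Now}
}

func cacheKey(audience, token string) string {
	sum := sha256.Sum256([]byte(audience + "\x00" + token))
	return hex.EncodeToString(sum[:])
}

// Authorize asks the agent first and consults the cache only when the agent
// call itself fails. A real rejection (bad signature, wrong audience) is
// returned unchanged and is never masked by a cached success. The bool
// reports whether the answer came from the cache.
func (c *IngressCache) Authorize(token, audience string) (string, bool, error) {
	now, key := c.Now(), cacheKey(audience, token)
	id, exp, err := c.Validate(token, audience)
	if err == nil {
		c.mu.Lock()
		c.entries[key] = ingressEntry{spiffeID: id, tokenExp: exp, cachedAt: now}
		c.mu.Unlock()
		return id, false, nil
	}
	if !errors.Is(err, ErrAgentUnavailable) {
		return "", false, err
	}
	c.mu.Lock()
	e, ok := c.entries[key]
	c.mu.Unlock()
	if !ok || !now.Before(e.tokenExp) || now.Sub(e.cachedAt) > c.Window {
		return "", false, err // nothing safe to fall back on
	}
	return e.spiffeID, true, nil
}

type egressEntry struct {
	token string
	exp   time.Time
}

// EgressCache keeps one token per audience. It refreshes once the token is
// within RefreshBefore of expiry; if that refresh fails it keeps serving the
// old token only while the token itself is still valid.
type EgressCache struct {
	mu            sync.Mutex
	entries       map[string]egressEntry
	RefreshBefore time.Duration
	Fetch         FetchFunc
	Now           func() time.Time // injectable clock
}

func NewEgressCache(f FetchFunc, refreshBefore time.Duration) *EgressCache {
	return &EgressCache{entries: map[string]egressEntry{}, RefreshBefore: refreshBefore, Fetch: f, Now: time.Now}
}

// Token returns a usable JWT-SVID for the audience, taking the round trip to
// the agent only when the cached token is missing or close to expiry.
func (c *EgressCache) Token(audience string) (string, error) {
	now := c.Now()
	c.mu.Lock()
	e, ok := c.entries[audience]
	c.mu.Unlock()
	if ok && e.exp.Sub(now) > c.RefreshBefore {
		return e.token, nil // fresh enough, no round trip
	}
	tok, exp, err := c.Fetch(audience)
	if err == nil {
		c.mu.Lock()
		c.entries[audience] = egressEntry{token: tok, exp: exp}
		c.mu.Unlock()
		return tok, nil
	}
	if ok && now.Before(e.exp) {
		return e.token, nil // agent down; the cached token is still valid
	}
	return "", err
}
```

The ingress side deliberately caches only successes and only falls back when the error is the agent-unavailable sentinel, so a genuinely rejected token is never admitted because of an earlier good one, and the window is the explicit trade-off the issue describes between surviving an outage and how long a stale result can be honoured.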