Prefix authz codes to allow dispatching to specific servers
Basics
Logistics
Description
SAML artifacts have a feature allowing an index to be built in that directs the RP to use a specific endpoint to dereference it. In theory that was meant to allow more directed load balancing or support testing by forcing traffic to a specific endpoint. It never got used much since artifacts never did either.
I think we should revive that feature and allow prefixing of the code values we issue for the code flow so that a layer 7 LB could introspect the form POST and dispatch the token code request to a specific authorization server endpoint.
I suppose we could/should do this for tokens too for the same reason (i.e., direct requests with an access token) since OIDC seems to use a "make a bunch of separate backchannel calls to do one thing" model at times.
The basic idea is just configuring an optional prefix to apply on issuance, and then stripping it off on the way back in before processing things the same way as we do now.