0
votes

We are running a web app that aggregates data from a lot of providers (Graph, SharePoint, O365 and many other consented AAD-based APIs).

We route the calls to the respective upstream in our APIMs (get an OBO token and forward the request to the upstream).

Our expectation was that the AAD token exchange would be very fast (~200 ms). But we are seeing that it takes around 900 ms on average.

Since the requests are going from APIM (which doesn't have an ADAL cache), multiple requests from one user to one upstream (say Graph API) get an exchange token (OBO token) several times (once for each API hit).

We are thinking of adding a Redis cache to the APIM to cache the tokens.

Before we do that, we would like to hear from the experts here:

  1. What is the best way to optimize fetches of multiple OBO tokens? (E.g., is there a way to fetch more than one OBO token, such as a SharePoint token and a Graph token, in a single request to AAD?)

  2. In APIM, what are the token caching best practices? If we add an external cache to APIM, what other security measures should be deployed?

  3. Are there any best practices to get the OBO token within 200 ms?

Thanks in advance

1
I would not consider it best practice, but we just put the received token (when not in cache before) in the APIM cache with a lifetime of the token's expiration time minus a few secs.

Kai Walter

1 Answer

1
votes

From APIM side I can answer only #2.

  1. You don't necessarily need to add an external cache; APIM comes with a built-in cache, just use the cache-store-value and cache-lookup-value policies to store and retrieve the value. You can investigate the received token (parse it using the .AsJwt() function) and set the cache expiration to a value lower than the token's lifespan. An external cache in APIM is useful in case you need more space for the cache, or you want to be able to clear it proactively. If an external cache is used, APIM will use the provided connection string to connect to the external Redis instance using HTTPS.
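One way to put the advice in this answer into a policy, as an added example that is neither the answerer's code nor a Microsoft sample: an inbound policy for the Graph route that looks the OBO token up in the built-in cache, performs the exchange only on a miss, caches it for the token's remaining lifetime from its own exp claim minus a margin, and forwards it. Assumptions: the named values {{tenant-id}}, {{obo-client-id}} and {{obo-client-secret}} exist, a validate-jwt policy on the user's inbound token already runs in the base policy, and Graph is the upstream (change the key prefix and scope per route).

```xml
<!-- Added example (not from the answer above). Assumed named values:
     {{tenant-id}}, {{obo-client-id}}, {{obo-client-secret}}. -->
<policies>
    <inbound>
        <base />
        <!-- User's bearer token from the inbound request (validate-jwt assumed to run in <base />). -->
        <set-variable name="inboundToken" value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Split(' ').Last())" />
        <!-- Cache key = target resource + SHA-256 of the inbound token. The OBO token is bound to the
             subject and scopes of that exact assertion, so keying on its hash keeps one user's Graph
             token from being served to another user or to a SharePoint route, and the raw bearer
             token never appears as a key in the cache. -->
        <set-variable name="oboCacheKey" value="@{
            var bytes = System.Text.Encoding.UTF8.GetBytes((string)context.Variables["inboundToken"]);
            using (var sha = System.Security.Cryptography.SHA256.Create())
            {
                return "obo:graph:" + System.Convert.ToBase64String(sha.ComputeHash(bytes));
            }
        }" />
        <cache-lookup-value key="@((string)context.Variables["oboCacheKey"])" variable-name="oboToken" />
        <choose>
            <when condition="@(!context.Variables.ContainsKey("oboToken"))">
                <!-- Cache miss: one OBO exchange per (user token, upstream) instead of one per API hit. -->
                <send-request mode="new" response-variable-name="tokenResponse" timeout="20" ignore-error="false">
                    <set-url>https://login.microsoftonline.com/{{tenant-id}}/oauth2/v2.0/token</set-url>
                    <set-method>POST</set-method>
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/x-www-form-urlencoded</value>
                    </set-header>
                    <set-body>@{
                        return "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer"
                            + "&client_id={{obo-client-id}}"
                            + "&client_secret={{obo-client-secret}}"
                            + "&assertion=" + (string)context.Variables["inboundToken"]
                            + "&scope=" + System.Uri.EscapeDataString("https://graph.microsoft.com/.default")
                            + "&requested_token_use=on_behalf_of";
                    }</set-body>
                </send-request>
                <choose>
                    <when condition="@(((IResponse)context.Variables["tokenResponse"]).StatusCode != 200)">
                        <!-- Fail closed: never forward the user's own token to the upstream as a fallback. -->
                        <return-response>
                            <set-status code="502" reason="Token exchange failed" />
                        </return-response>
                    </when>
                </choose>
                <set-variable name="oboToken" value="@(((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"].ToString())" />
                <!-- TTL from the token's own exp claim minus a 60 s margin, so a cached token is
                     never handed out after AAD already considers it expired. -->
                <set-variable name="oboTtl" value="@{
                    var jwt = ((string)context.Variables["oboToken"]).AsJwt();
                    if (jwt == null || jwt.ExpirationTime == null) { return 0; }
                    var seconds = (int)(jwt.ExpirationTime.Value - System.DateTime.UtcNow).TotalSeconds - 60;
                    return System.Math.Max(seconds, 0);
                }" />
                <choose>
                    <when condition="@((int)context.Variables["oboTtl"] > 0)">
                        <cache-store-value key="@((string)context.Variables["oboCacheKey"])" value="@((string)context.Variables["oboToken"])" duration="@((int)context.Variables["oboTtl"])" />
                    </when>
                </choose>
            </when>
        </choose>
        <!-- Replace the user's token with the OBO token before the call goes upstream. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["oboToken"])</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If an external Redis cache is added later, the same two policies are used; set `caching-type="external"` (or `prefer-external`) on cache-lookup-value and cache-store-value. Every cached entry is a live bearer credential for a user, so treat the Redis instance as a secret store: reachable only from APIM (private endpoint or firewall), TLS only, and cleared if the instance is ever suspected compromised. The hashed per-user key and the exp-derived TTL bound what a cache entry can be used for, and the fail-closed branch ensures a failed exchange never leaks the user's original token to the upstream.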