Sorry took a while to revisit this. I did a bit profiling by enabling spring security debug level logging in my application.properties file:
Seems the “slow” part is around the OIDC provider’s authentication logic:
17:55:42.683 [http-nio-8080-exec-5] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider [ requestId= ]
17:55:45.912 [http-nio-8080-exec-5] DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@89017e5 [ requestId= ]
So in this example it’s taking about 3.2 second which is definitely noticeable by an enduser, and it sometimes could be 5+ second. A closer look the code path contains another two external HTTP requests:
So yeah, it’s not surprising for a flow that contains this many HTTP round trips to take 3+ seconds. Any advice how to optimize the speed of this auth flow?