OIDC flow is slow

I’ve been following the tutorial https://developer.okta.com/blog/2018/09/26/build-a-spring-boot-webapp to integrate my Spring Boot app with Okta. The end-to-end flow works, though what we’ve noticed is that when Okta successfully authenticates the user and redirects to the Spring app’s authorization-code/callback?code={code}&state={state} endpoint, the request is pretty slow (as bad as 5 seconds sometimes).

My understanding is that this endpoint is abstracted away by com.okta.spring:okta-spring-boot-starter (we use version 1.2.1). If so, any advice on how we could further troubleshoot the slowness? E.g. enable debug-level logging?

1 Like

I created a brand new app with Spring Boot v2.2.2 and the Okta Spring Boot starter v1.3.0. I found that after entering my credentials, it took around 2 seconds to display my name. My app has a simple HomeController that displays the user’s name.

```java
package com.example.demo;

import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
class HomeController {

    // Greets the signed-in user with the full name from the OIDC principal.
    @GetMapping("/")
    public String hello(@AuthenticationPrincipal OidcUser user) {
        return "Hello, " + user.getFullName();
    }
}
```

The only other code in it is the Okta dependency in pom.xml and the Okta properties in src/main/resources/application.properties.

Sorry, it took a while to revisit this. I did a bit of profiling by enabling Spring Security debug-level logging in my application.properties file:

Seems the “slow” part is around the OIDC provider’s authentication logic:

```
17:55:42.683 [http-nio-8080-exec-5] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider [ requestId= ]
17:55:45.912 [http-nio-8080-exec-5] DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@89017e5 [ requestId= ]
```

So in this example it’s taking about 3.2 seconds, which is definitely noticeable by an end user, and it sometimes could be 5+ seconds. A closer look at the code path shows it contains another two external HTTP requests:

DefaultAuthorizationCodeTokenResponseClient.getTokenResponse(): https://{myOktaDomain}.okta.com/oauth2/default/v1/token


DefaultOAuth2UserService.loadUser(): https://{myOktaDomain}.okta.com/oauth2/default/v1/userinfo

So yeah, it’s not surprising for a flow that contains this many HTTP round trips to take 3+ seconds. Any advice on how to optimize the speed of this auth flow?

1 Like
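The timing comparison done by hand in the post above can be automated. The following is an added example, not code from any poster in this thread: it computes the gap between consecutive debug log lines on the same request thread and reports the slow ones. It assumes the log pattern `time [thread] LEVEL logger - message` seen in the two quoted lines; the 500 ms threshold is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta

# The two log lines quoted in the post above, embedded so the script runs offline.
SAMPLE = """\
17:55:42.683 [http-nio-8080-exec-5] DEBUG o.s.s.authentication.ProviderManager - Authentication attempt using org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider [ requestId= ]
17:55:45.912 [http-nio-8080-exec-5] DEBUG o.s.s.w.a.s.CompositeSessionAuthenticationStrategy - Delegating to org.springframework.security.web.authentication.session.ChangeSessionIdAuthenticationStrategy@89017e5 [ requestId= ]
"""

# Assumed pattern: HH:MM:SS.mmm [thread] LEVEL logger - message
LINE = re.compile(r"^\s*(\d{2}:\d{2}:\d{2}\.\d{3}) \[([^\]]+)\] +(\w+) +(\S+) - (.*)$")


def parse(text):
    """Yield (timestamp, thread, logger) for every line that matches the pattern."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S.%f"), m.group(2), m.group(4)


def slow_gaps(text, threshold_ms=500):
    """Return per-thread gaps of at least threshold_ms, largest first."""
    last = {}  # thread name -> (timestamp, logger) of its previous line
    gaps = []
    for ts, thread, logger in parse(text):
        if thread in last:
            prev_ts, prev_logger = last[thread]
            delta = ts - prev_ts
            if delta < timedelta(0):  # time-only stamps: the log crossed midnight
                delta += timedelta(days=1)
            ms = delta // timedelta(milliseconds=1)
            if ms >= threshold_ms:
                gaps.append({"thread": thread, "ms": ms,
                             "after": prev_logger, "before": logger})
        last[thread] = (ts, logger)
    return sorted(gaps, key=lambda g: g["ms"], reverse=True)


if __name__ == "__main__":
    for g in slow_gaps(SAMPLE):
        print(f'{g["ms"]:>6} ms on {g["thread"]}: {g["after"]} -> {g["before"]}')
```

Grouping by thread matters once several logins are interleaved in the same log; a gap between lines from different threads says nothing about any single request.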

I’m also seeing my latency in the 3-5s range which is a big bummer in what has otherwise been a smooth transition to Okta.

Some expert advice would be much appreciated @mraible. I’m a bit confused by your post because IMO 2s is a pretty long time. Could you please advise?

Hi @yuming.cao!

Thanks for reaching out to us!

When debugging I’ve seen the OAuth redirect be almost instant, where I need to check the browser network console to verify it happened. So 3+ seconds is not expected.

There are a few things to check for:

  1. Firewalls (or similar appliance, physical or virtual). Are you on a corporate network or VPN? Do you see different results when on your home network?
  2. Virus scanner (similar to above but something running on your computer)
  3. Where are you located? Is your Okta Organization in a similar geographic location? (can you tell me a bit about your topography)

Are you only seeing this slowness on the initial login?

Let us know!