config: add idp qps config

2025-05-30 01:17:21 +02:00 · 2020-08-13 14:54:34 +07:00 · 2020-08-13 14:54:34 +07:00 · f356ff5581
commit f356ff5581
parent 045c10edc6
3 changed files with 22 additions and 1 deletions
--- a/config/options.go
+++ b/config/options.go
@ -139,6 +139,7 @@ type Options struct {
 	// Identity provider refresh directory interval/timeout settings.
 	RefreshDirectoryTimeout  time.Duration `mapstructure:"idp_refresh_directory_timeout" yaml:"idp_refresh_directory_timeout,omitempty"`
 	RefreshDirectoryInterval time.Duration `mapstructure:"idp_refresh_directory_interval" yaml:"idp_refresh_directory_interval,omitempty"`
+	QPS                      float64       `mapstructure:"idp_qps" yaml:"idp_qps"`

 	// RequestParams are custom request params added to the signin request as
 	// part of an Oauth2 code flow.
@ -299,6 +300,7 @@ var defaultOptions = Options{
 	TracingSampleRate:               0.0001,
 	RefreshDirectoryInterval:        10 * time.Minute,
 	RefreshDirectoryTimeout:         1 * time.Minute,
+	QPS:                             1.0,

 	AutocertOptions: AutocertOptions{
 		Folder: dataDir(),
@ -667,6 +669,9 @@ func (o *Options) Validate() error {
 	default:
 	}

+	if o.QPS < 1.0 {
+		o.QPS = 1.0
+	}
 	return nil
 }

--- a/config/options_test.go
+++ b/config/options_test.go
@ -242,6 +242,7 @@ func TestOptionsFromViper(t *testing.T) {
 				},
 				RefreshDirectoryTimeout:  1 * time.Minute,
 				RefreshDirectoryInterval: 10 * time.Minute,
+				QPS:                      1.0,
 				DataBrokerStorageType:    "memory",
 			},
 			false},
@ -259,6 +260,7 @@ func TestOptionsFromViper(t *testing.T) {
 				Headers:                         map[string]string{},
 				RefreshDirectoryTimeout:         1 * time.Minute,
 				RefreshDirectoryInterval:        10 * time.Minute,
+				QPS:                             1.0,
 				DataBrokerStorageType:           "memory",
 			},
 			false},
--- a/docs/reference/readme.md
+++ b/docs/reference/readme.md
@ -699,10 +699,23 @@ Refresh directory interval is the time that pomerium will sync your IDP diretory

 :::warning

-Use it at your ownn risk, if you set a too low value, you may reach IDP API rate limit.
+Use it at your own risk, if you set a too low value, you may reach IDP API rate limit.

 :::

+### Identity Provider API Query Per Second
+
+- Environmental Variables: `IDP_QPS`
+- Config File Key: `idp_qps`
+- Type: `float64`
+- Example: `IDP_QPS=1.8`
+- Defaults: `IDP_QPS=1.0`
+
+Limit number of API requests per second to identity provider server. The lowest value is `1.0`, any value less than `1.0`
+has no effect.
+
+Currently, only applying for [okta].
+
 ## Proxy Service

 ### Authenticate Service URL
@ -1258,6 +1271,7 @@ If no certificate is specified, one will be generated and the base64'd public ke
 [base64 encoded]: https://en.wikipedia.org/wiki/Base64
 [environmental variables]: https://en.wikipedia.org/wiki/Environment_variable
 [identity provider]: ../docs/identity-providers/
+[okta]: ../docs/identity-providers/okta.md
 [json]: https://en.wikipedia.org/wiki/JSON
 [letsencrypt]: https://letsencrypt.org/
 [oidc rfc]: https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest