feat: add resilience layer for Authlete API calls (rate limit best practices)#87
Merged
Merged
Conversation
…actices) Implements caching, conditional retry with exponential backoff and jitter, and per-endpoint circuit breakers with stale-cache fallback, as described in the Rate Limit Best Practices guide. All endpoints obtain the AuthleteApi client through a dynamic proxy wrapper; behavior is tunable via resilience.properties and can be disabled entirely with resilience.enabled=false.
meysam
marked this pull request as draft
June 11, 2026 13:49
CriGoT
reviewed
Jun 15, 2026
added 2 commits
June 15, 2026 20:26
Remove redundant RateLimit-Reset header variant and drop DPoP/message-signature-only params from the introspection cache key.
meysam
marked this pull request as ready for review
July 6, 2026 13:54
added 2 commits
July 7, 2026 18:37
Best-effort local eviction: a successful revocation drops all cached introspection entries for that token via prefix match. Other instances remain bounded by the short TTL. Includes e2e tests through the resilient proxy.
…limit-resilience Co-authored-by: Cursor <cursoragent@cursor.com> # Conflicts: # pom.xml # src/main/java/com/authlete/jaxrs/server/api/AuthorizationDecisionEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/AuthorizationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/FederationConfigurationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/FederationRegistrationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/GrantManagementEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/IntrospectionEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/JwksEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/PushedAuthReqEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/RevocationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/UserInfoEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/backchannel/BackchannelAuthenticationCallbackEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/backchannel/BackchannelAuthenticationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/device/DeviceAuthorizationEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/device/DeviceCompleteEndpoint.java # src/main/java/com/authlete/jaxrs/server/api/vci/CredentialOfferEndpoint.java
CriGoT
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Implements caching, conditional retry with exponential backoff and jitter, and per-endpoint circuit breakers with stale-cache fallback, as described in the Rate Limit Best Practices guide.
All endpoints obtain the AuthleteApi client through a dynamic proxy wrapper; behavior is tunable via resilience.properties and can be disabled entirely with resilience.enabled=false.