From d69788fde67e0f8a6208bab1877ba531ea5910af Mon Sep 17 00:00:00 2001
From: Brian Manifold
Date: Fri, 20 Sep 2024 16:22:44 -0400
Subject: [PATCH] fix(portal): Throttle reqs/sec and scheduled frequency on Okta sync jobs (#6794)

Why:

* Our current Okta sync job has no throttle, which has caused an issue with customers that have other applications hitting their Okta API by going over their API rate limits. By throttling the requests per second and by lowering the frequency of how often the job runs we should hopefully aleviate any Okta API rate limiting issues. This will come at the expense of syncs taking longer and not happening as often, however, this tradeoff seems worthwhile to ensure Firezone isn't hindering a customers use of their Okta API.

Closes: #6748

---------

Signed-off-by: Brian Manifold
Co-authored-by: Jamil
---
 elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex | 3 +++
 .../lib/domain/auth/adapters/okta/jobs/sync_directory.ex | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex b/elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex
index f96f93bde..b1b08f78f 100644
--- a/elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex
+++ b/elixir/apps/domain/lib/domain/auth/adapters/okta/api_client.ex
@@ -105,6 +105,9 @@ defmodule Domain.Auth.Adapters.Okta.APIClient do
 headers = headers ++ [{"Authorization", "Bearer #{api_token}"}]
 request = Finch.build(:get, uri, headers)

+ # Crude request throttle, revisit for https://github.com/firezone/firezone/issues/6793
+ :timer.sleep(:timer.seconds(1))
+
 with {:ok, %Finch.Response{headers: headers, body: response, status: status}}
 when status in 200..299 <- Finch.request(request, @pool_name),
 {:ok, list} <- Jason.decode(response) do
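Review bot: The fixed `:timer.sleep(:timer.seconds(1))` before `Finch.request/2` limits only the process making this call and does not react to what Okta reports, so it is a weak guarantee against the rate-limit exhaustion the commit describes. With `executor: Domain.Jobs.Executors.Concurrent` on the sync job, any two syncs that reach the same Okta org would presumably each send one request per second, and a 429 falls outside `status in 200..299`, where its handling is not visible in this hunk. The response `headers` are already bound in the `with` pattern, so the follow-up could read Okta's `x-rate-limit-remaining` / `x-rate-limit-reset` headers and wait until the reset instead of using a constant delay. Until then I would name the interval and state what it bounds, e.g. `@request_interval :timer.seconds(1)` with the comment `# Per-process delay before every Okta request; does not bound the aggregate rate per Okta org and ignores 429 / x-rate-limit-* responses (see #6793)`. The enclosing function starts and ends outside the hunk.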
diff --git a/elixir/apps/domain/lib/domain/auth/adapters/okta/jobs/sync_directory.ex b/elixir/apps/domain/lib/domain/auth/adapters/okta/jobs/sync_directory.ex
index 4c13e58ee..5693630ca 100644
--- a/elixir/apps/domain/lib/domain/auth/adapters/okta/jobs/sync_directory.ex
+++ b/elixir/apps/domain/lib/domain/auth/adapters/okta/jobs/sync_directory.ex
@@ -1,7 +1,7 @@
 defmodule Domain.Auth.Adapters.Okta.Jobs.SyncDirectory do
 use Domain.Jobs.Job,
 otp_app: :domain,
- every: :timer.minutes(5),
+ every: :timer.minutes(20),
 executor: Domain.Jobs.Executors.Concurrent

 alias Domain.Auth.Adapter.OpenIDConnect.DirectorySync
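Review bot: Raising `every:` from 5 to 20 minutes also widens the window in which a change made in Okta, in particular a deactivated user or a removed group membership, is not yet reflected in Firezone, and the one-second delay per request added in api_client.ex lengthens each run on top of that. Whether access decisions depend on this sync is not visible in the hunk, but if they do, the worst-case propagation delay is now a security property worth stating next to the value. I would add a comment above the option such as `# Okta-side changes (incl. deprovisioning) can take up to 20 min plus the sync run time to apply; chosen to stay under customers' Okta API rate limits (#6748)`. The module body continues outside the hunk.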