Skip to content

[P1] Reduce Apple login provider round trips#327

Merged
jjoonleo merged 2 commits into
mainfrom
feature/apple-login-latency-evidence-323
Jun 30, 2026
Merged

[P1] Reduce Apple login provider round trips#327
jjoonleo merged 2 commits into
mainfrom
feature/apple-login-latency-evidence-323

Conversation

@jjoonleo

Copy link
Copy Markdown
Contributor

Summary

Fixes #323 by removing repeated Apple provider round trips from the returning Apple User login path and recording before/after benchmark evidence.

Root cause

Returning Apple Users still paid for two blocking Apple provider calls on every login request:

  • Apple JWKS fetch during identity credential verification
  • Apple auth/token exchange before the backend checked whether the Apple User already existed locally

That made the returning-user path depend on provider latency even when the local identity and existing User were enough to issue OnTime login tokens.

Changes

  • Cache Apple JWKS for 24 hours and refresh once when a credential references an unknown kid.
  • Check for the existing Apple User before exchanging the Apple authorization code.
  • Skip Apple auth/token exchange for returning Apple Users.
  • Keep Apple credential exchange for new Apple User registration.
  • Add Apple login stage timing logs without logging sensitive values or sensitive key names.
  • Update the Apple login benchmark harness so c10/c20 use one seeded returning Apple User per VU instead of racing the same User's active session.
  • Fill docs/performance/apple-login-323.md with quick and bounded full before/after results.

Performance evidence

Full bounded run (RUNS=3 WARMUP_DURATION=30s MEASUREMENT_DURATION=60s):

scenario before p95 after p95 JWKS calls/request token exchange calls/request
c1 returning warm-cache 435.8 ms 46.5 ms 1.0 -> 0.0 1.0 -> 0.0
c10 returning warm-cache 429.1 ms 58.5 ms 1.0 -> 0.0 1.0 -> 0.0
c20 returning warm-cache 506.9 ms 60.4 ms 1.0 -> 0.0 1.0 -> 0.0

Quick and full summary CSVs are included under scripts/benchmarks/apple-login/results/*/summary.csv.

Validation

  • ./gradlew test --tests devkor.ontime_back.global.oauth.apple.AppleLoginServiceTest --tests devkor.ontime_back.global.oauth.OAuthLoginFilterValidationTest
  • ./gradlew check
  • git diff --check
  • git diff --cached --check
  • scripts/benchmarks/apple-login/run.sh before quick
  • scripts/benchmarks/apple-login/run.sh after quick
  • RUNS=3 WARMUP_DURATION=30s MEASUREMENT_DURATION=60s scripts/benchmarks/apple-login/run.sh before full
  • RUNS=3 WARMUP_DURATION=30s MEASUREMENT_DURATION=60s scripts/benchmarks/apple-login/run.sh after full

@jjoonleo jjoonleo marked this pull request as ready for review June 30, 2026 10:43
@jjoonleo jjoonleo merged commit 4946e95 into main Jun 30, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[P1] Reduce Apple login latency from repeated Apple provider round trips

1 participant