
POC: Add password-reset-at to JWE token for stateless validation #7692

Draft

thabofletcher wants to merge 1 commit into main from poc/oauth-stateless-token

Conversation

@thabofletcher (Contributor) commented Mar 18, 2026

Summary

  • Adds password-reset-at field to JWE token payload for stateless token invalidation
  • Enables policy engine sidecars to validate tokens without database lookups
  • Adds offline validation function that checks token issued-at against password reset timestamp

Documentation: See fidesplus POC docs for full results.


POC Results Summary

This PR is part of a larger POC comparing Go, Rust, and Python for policy evaluation. See ethyca/fidesplus#3258 for the full implementation.

Benchmark Results (Averaged across 5 runs)

| Metric | Go | Rust | Python | Go vs Python |
| --- | --- | --- | --- | --- |
| Throughput | 15,313 req/sec | 13,639 req/sec | 1,132 req/sec | Go 13.5x faster |
| Avg Latency | 0.62ms | 0.72ms | 8.83ms | Go 14x lower |
| P50 Latency | 0.50ms | 0.64ms | 8.43ms | |
| P95 Latency | 1.36ms | 1.18ms | 11.90ms | |
| P99 Latency | 4.82ms | 5.00ms | 17.30ms | |
| Memory | 12.8 MiB | 1.3 MiB | (shared) | |

Python/fidesplus (5 runs)

| Run | Throughput | Avg | P50 | P95 | P99 |
| --- | --- | --- | --- | --- | --- |
| 1 | 1,024 req/sec | 9.70ms | 8.60ms | 16.40ms | 32.30ms |
| 2 | 1,183 req/sec | 8.40ms | 8.30ms | 9.80ms | 11.40ms |
| 3 | 1,157 req/sec | 8.60ms | 8.40ms | 10.90ms | 13.50ms |
| 4 | 1,164 req/sec | 8.60ms | 8.40ms | 10.50ms | 12.00ms |
| 5 | 761 req/sec | 13.10ms | 8.40ms | 10.50ms | 470.50ms |
| Avg | 1,132 req/sec | 8.83ms | 8.43ms | 11.90ms | 17.30ms |

Key Insights

  • Go/Rust are ~13x faster than Python (15K vs 1K req/sec)
  • Go wins throughput (+12%) and average latency (-14%)
  • Rust wins memory (-90%: 1.3 MiB vs 12.8 MiB) and P95 tail latency

Changes

  • jwt.py: Add JWE_PAYLOAD_PASSWORD_RESET_AT constant
  • client.py: Include password_reset_at in token payload when generating JWE
  • utils.py: Add is_token_invalidated_offline() for payload-only validation
  • test_oauth_util.py: Add tests for offline token invalidation scenarios

Context

This is part of the Policy Engine Sidecar POC exploring Rust vs Go for high-performance PBAC enforcement. The OAuth enhancement allows sidecars to validate tokens without requiring database access.

Related: ethyca/fidesplus#3258 (policy engine sidecars)

Test plan

  • Existing OAuth tests pass
  • New offline invalidation tests pass
  • Token generation includes password_reset_at when user has reset password

🤖 Generated with Claude Code

Add offline token invalidation checking to support policy engine sidecars
that can validate tokens without database lookups.

Changes:
- Add JWE_PAYLOAD_PASSWORD_RESET_AT constant to jwt.py
- Include password_reset_at in token payload when generating JWE
- Add is_token_invalidated_offline() for payload-only validation
- Update extract_token_and_load_client functions to use offline check first
- Add tests for offline token invalidation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
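The offline check described in the PR, as an added Python example that is not the PR's or the project's own code: it compares the token's issued-at claim with a password-reset timestamp taken from the payload, or optionally from a newer value the validator already holds. The claim name `created-at`, the `known_reset_at` parameter and the ISO-8601 string format are assumptions; only `password-reset-at` is named on this page.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# "password-reset-at" is the claim named in the PR; "created-at" is an ASSUMED
# name for the issued-at claim (check the project's jwt.py before relying on it).
JWE_PAYLOAD_CREATED_AT = "created-at"
JWE_PAYLOAD_PASSWORD_RESET_AT = "password-reset-at"


def _parse_ts(value: Any) -> Optional[datetime]:
    """Parse an ISO-8601 timestamp; naive values are taken as UTC.

    Returns None for anything that is not a well-formed timestamp string.
    """
    if not isinstance(value, str):
        return None
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def is_token_invalidated_offline(
    payload: Dict[str, Any], known_reset_at: Optional[str] = None
) -> bool:
    """Stateless check: was this token issued before the password was reset?

    Only the already-decrypted, already-authenticated JWE payload (plus an
    optional reset timestamp the validator holds) is consulted, so no database
    lookup is needed. Fails closed: a missing or malformed issued-at claim, or
    a malformed reset timestamp, is treated as invalidated.
    """
    issued_at = _parse_ts(payload.get(JWE_PAYLOAD_CREATED_AT))
    if issued_at is None:
        return True  # cannot establish when the token was minted -> reject

    candidates = [
        v for v in (payload.get(JWE_PAYLOAD_PASSWORD_RESET_AT), known_reset_at)
        if v is not None
    ]
    if not candidates:
        return False  # no reset ever recorded for this user
    parsed: List[Optional[datetime]] = [_parse_ts(v) for v in candidates]
    if any(p is None for p in parsed):
        return True  # a reset timestamp is present but unreadable -> reject

    # Tokens minted strictly before the latest known reset are dead; a token
    # minted at or after it (e.g. the login right after the reset) stays valid.
    return issued_at < max(p for p in parsed if p is not None)
```

A reset timestamp copied into the payload at mint time cannot change afterwards, so the payload-only form can only reject tokens that carry a reset time newer than their own issued-at; rejecting tokens after a later reset requires the validator to supply that newer value, which is what `known_reset_at` is for.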
vercel bot commented Mar 18, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| fides-plus-nightly | Ignored | Ignored | Mar 18, 2026 6:06pm |
| fides-privacy-center | Ignored | Ignored | Mar 18, 2026 6:06pm |
