Reducing no. of Requests to Kratos

[abhinav-ameyo]

How can we reduce the no. of API requests made to the Kratos.
Suppose we are using Kratos and oathkeeper, as per my understanding oathkeeper performs four steps https://www.ory.sh/oathkeeper/docs/#decision-engine which are - Access Rule Matching > Authentication > Authorization > Mutation.

In case of Kratos we'll have a session Cookie/Token. Any API either from the client or one microservice calling another, how api requests can be authenticated?

I looked at https://www.ory.sh/oathkeeper/docs/pipeline/authn , where in the Authentication step oathkeeper will make a request to the session store, i.e., oathkeeper will need to validate the session to "check_session_url" (in case of ORY Kratos it will be /whoami endpoint). If success then the mutator will do transformation and create a JWT and append it to request to our server. At our server (microservice) will validate the JWT using the public key.

• Therefore every request is going from the Authentication step resulting in more network requests.
• Can we bypass the Authentication step? if yes, then if the user is logged out or the user session is revoked in Kratos, how the oathkeeper will invalidate the session.

Ultimate goal Is to reduce API requests, as there will be many microservices that will be communicating with each other.

Refer similar case where using Mutators were suggested #1479

[aeneasr]

Hello, primarily you can reduce the number of requests through caching. By setting the TTL to a period acceptable to you (e.g. 1 minute), the tokens and sessions will also be invalidated after a minute!

Alternatively, you can consider using Ory Network where we take case of latency & resilience as well as developing edge functions to reduce the amount of calls :)