Both the identity provider and the resource server need to cache things. The identity provider will cache application webids, and the resource server will cache the identity provider keys, for instance.
The solution is to use a file-system cache. Every response (except those that have a cache-control policy of no-store) is stored in a sub-directory of XDG_CACHE_HOME. Each store has a 5% chance of triggering a cleanup of the cache. When a cleanup occurs, each cached response has a 5% chance of being dropped, including responses that are still indicated as valid. This way, a malicious cached response that declares an excessively long validity will not stay too long in the cache. A log line will indicate which items are dropped.
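The following is an added example, not code from the webid-oidc project: an in-memory Python model of the cleanup policy described above, used to measure how long a poisoned entry with unlimited validity survives. The names (ModelCache, survival_probability, stores_until_dropped, mean_stores_until_dropped) and the URIs are hypothetical, and it assumes that the entry just stored is subject to the same cleanup draw as every other entry.

```python
import random

TRIGGER_PERCENT = 5   # chance that a store triggers a cleanup (from the text)
DROP_PERCENT = 5      # chance that a cleanup drops each entry (from the text)

class ModelCache:
    """In-memory model of the policy; the real cache lives on the file system."""

    def __init__(self, rng):
        self.rng = rng
        self.entries = {}   # uri -> (expires_at, body)
        self.log = []       # URIs dropped by cleanups, standing in for log lines

    def cleanup(self, percent):
        # Validity is deliberately ignored: valid entries can be dropped too.
        for uri in list(self.entries):
            if self.rng.random() * 100 < percent:
                del self.entries[uri]
                self.log.append(uri)

    def store(self, uri, body, expires_at, cache_control=""):
        directives = [d.strip().lower() for d in cache_control.split(",")]
        if "no-store" in directives:
            return False    # never written to the cache
        self.entries[uri] = (expires_at, body)
        if self.rng.random() * 100 < TRIGGER_PERCENT:
            self.cleanup(DROP_PERCENT)
        return True

def survival_probability(stores):
    """Chance that one entry is still cached after `stores` later stores."""
    per_store = (TRIGGER_PERCENT / 100) * (DROP_PERCENT / 100)
    return (1 - per_store) ** stores

def stores_until_dropped(rng, limit=100_000):
    """Plant a poisoned entry that never expires; count stores until it goes."""
    cache = ModelCache(rng)
    cache.entries["https://idp.example/keys"] = (float("inf"), "poisoned")
    for n in range(1, limit + 1):
        cache.store("https://app.example/filler", "ok", expires_at=0)
        if "https://idp.example/keys" not in cache.entries:
            return n
    return limit

def mean_stores_until_dropped(trials=500, seed=1):
    """Average lifetime, in stores, of the poisoned entry over many runs."""
    rng = random.Random(seed)
    return sum(stores_until_dropped(rng) for _ in range(trials)) / trials
```

Each store drops a given entry with probability 0.05 × 0.05 = 0.0025, so the poisoned entry survives about 400 stores on average: the bound depends on cache traffic, not on wall-clock time.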
The (webid-oidc cache) module exports two functions to deal with the cache.
Drop percents% of the cache right now.
Call f with no arguments, with the default HTTP request method set to a function that tries to use the cache first.
The cache will be read and written in the ‘web-cache’ subdirectory of the cache home. To check the time window validity, the current-date parameter is used.
The back-end function, http-get, defaults to that of (web client).
This parameter sets the cache directory. By default, it is XDG_CACHE_HOME.