一次 PostgreSQL 索引膨胀治理复盘:表数据很小但索引巨大,普通 VACUUM 无法缩小 B-tree 文件,最终需要从索引重建、冗余索引治理和写入模型改造三层处理。
PostgreSQL Index Bloat: Why Small Tables Can Have Huge Indexes
A PostgreSQL index bloat remediation note: why tables with little data can still carry huge B-tree indexes, why ordinary VACUUM does not shrink them, and how to combine REINDEX, redundant-index cleanup, and write-model changes.
Per-Client Authorization Isolation at the Gateway: One IAM Platform for Multiple Applications
A gateway-level Per-Client authorization isolation design for protecting multiple applications with one IAM platform, covering X-Expected-Client-Id, access levels, and entitlement policy boundaries.
网关层 Per-Client 鉴权隔离:一个 IAM 平台保护多个业务应用
在统一 IAM 平台保护多个业务应用的场景下,通过网关层 Per-Client 鉴权隔离防止跨应用 Token 滥用,覆盖 X-Expected-Client-Id 机制、访问级别与 entitlement 策略链的设计边界。
HMAC Cookie + Redis SID Dual-Layer Sessions: Browser Session Governance in an OAuth2/JWT System
Managing browser sessions in an OAuth2/JWT system with a dual-layer structure: HMAC-signed cookies plus Redis-backed SIDs, aligning browser login state, token lifecycle, and revocation signals under one governance model.
HMAC Cookie + Redis SID 双层会话:OAuth2/JWT 体系下的浏览器会话治理
在 OAuth2/JWT 体系下,用 HMAC 签名 Cookie + Redis SID 双层结构管理浏览器会话,把浏览器登录态、令牌生命周期和撤销信号放到同一套治理模型里。
为什么企业 IAM 在联合登录之外还需要本地密码认证
探讨企业 IAM 架构中同时保留联合登录与本地密码认证的设计考量,分析容灾场景、安全成本分布与认证路径收敛的工程实践。
Enterprise Unified Identity Governance Architecture with OAuth2/OIDC
Building an enterprise-grade identity relay architecture based on standard OAuth2/OIDC protocols for unified access decisions and identity profile aggregation across systems, covering federated login flow, transparent authentication, SID session management, and instant permission propagation.
基于 OAuth2/OIDC 协议的企业级统一身份治理架构实践
基于标准 OAuth2/OIDC 协议构建企业级身份中继架构,实现跨系统的统一准入决策与身份画像汇聚,覆盖联合登录流程、透明鉴权流、SID 会话管理与权限即时生效机制。
OAuth2/OIDC Session Timeout Boundaries: Frontend Tokens, Refresh Tokens, and SSO Sessions
Clarifying the boundaries between access tokens, refresh tokens, authorization codes, browser sessions, and server-side session revocation in OAuth2/OIDC, with explanations of common timeout phenomena and recommended time configuration strategies.