Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: oauth intsropsection configurable timeout #370

Merged
merged 4 commits into from
Mar 5, 2020
Merged

feat: oauth intsropsection configurable timeout #370

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8dcf8b7
http timeout configurable in oauth2 introspection cauthenticator
pike1212 Jan 3, 2020
a2df38b
Merge branch 'master' into configurableTimeout
pike1212 Mar 3, 2020
2c310f9
move timeouts into retry object
pike1212 Mar 3, 2020
519dc8d
move retry to definition to be consistent
pike1212 Mar 4, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 20 additions & 14 deletions .schemas/config.schema.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,22 @@
"title": "ORY Oathkeeper Configuration",
"type": "object",
"definitions": {
"retry": {
"type": "object",
"additionalProperties": false,
"properties": {
"give_up_after": {
"type": "string",
"default": "1s",
"pattern": "^[0-9]+(ns|us|ms|s|m|h)$"
},
"max_delay": {
"type": "string",
"pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
"default": "100ms"
}
}
},
"tlsxSource": {
"type": "object",
"additionalProperties": false,
Expand Down Expand Up @@ -678,6 +694,9 @@
}
}
]
},
"retry": {
pike1212 marked this conversation as resolved.
Show resolved Hide resolved
"$ref": "#/definitions/retry"
}
},
"required": [
Expand Down Expand Up @@ -792,20 +811,7 @@
}
},
"retry": {
"type": "object",
"additionalProperties": false,
"properties": {
"give_up_after": {
"type": "string",
"default": "1s",
"pattern": "^[0-9]+(ns|us|ms|s|m|h)$"
},
"max_delay": {
"type": "string",
"pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
"default": "100ms"
}
}
"$ref": "#/definitions/retry"
}
}
}
Expand Down
2 changes: 1 addition & 1 deletion driver/configuration/provider_viper_public_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ func TestPipelineConfig(t *testing.T) {
require.NoError(t, os.Setenv("AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL", "https://override/path"))

require.NoError(t, p.PipelineConfig("authenticators", "oauth2_introspection", nil, &res))
assert.JSONEq(t, `{"introspection_request_headers":{},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"required_scope":[],"scope_strategy":"exact","target_audience":[],"trusted_issuers":[]}`, string(res), "%s", res)
assert.JSONEq(t, `{"introspection_request_headers":{},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"required_scope":[],"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact","target_audience":[],"trusted_issuers":[]}`, string(res), "%s", res)

// Cleanup
require.NoError(t, os.Setenv("AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL", ""))
Expand Down
33 changes: 32 additions & 1 deletion pipeline/authn/authenticator_oauth2_introspection.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import (
"net/http"
"net/url"
"strings"
"time"

"github.com/pkg/errors"
"golang.org/x/oauth2/clientcredentials"
Expand All @@ -28,6 +29,7 @@ type AuthenticatorOAuth2IntrospectionConfiguration struct {
IntrospectionURL string `json:"introspection_url"`
BearerTokenLocation *helper.BearerTokenLocation `json:"token_from"`
IntrospectionRequestHeaders map[string]string `json:"introspection_request_headers"`
Retry *AuthenticatorOAuth2IntrospectionRetryConfiguration `json:"retry"`
}

type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
Expand All @@ -38,6 +40,11 @@ type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
TokenURL string `json:"token_url"`
}

type AuthenticatorOAuth2IntrospectionRetryConfiguration struct {
Timeout string `json:"max_delay"`
MaxWait string `json:"give_up_after"`
}

type AuthenticatorOAuth2Introspection struct {
c configuration.Provider

Expand All @@ -46,6 +53,7 @@ type AuthenticatorOAuth2Introspection struct {

func NewAuthenticatorOAuth2Introspection(c configuration.Provider) *AuthenticatorOAuth2Introspection {
var rt http.RoundTripper

return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt)}
}

Expand Down Expand Up @@ -159,7 +167,28 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
}

if c.PreAuth != nil && c.PreAuth.Enabled {
a.client = httpx.NewResilientClientLatencyToleranceSmall(
if c.Retry == nil {
c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
} else {
if c.Retry.Timeout == "" {
c.Retry.Timeout = "500ms"
}
if c.Retry.MaxWait == "" {
c.Retry.MaxWait = "1s"
}
}
duration, err := time.ParseDuration(c.Retry.Timeout)
if err != nil {
return nil, err
}
timeout := time.Millisecond * duration

maxWait, err := time.ParseDuration(c.Retry.MaxWait)
if err != nil {
return nil, err
}

a.client = httpx.NewResilientClientLatencyToleranceConfigurable(
(&clientcredentials.Config{
ClientID: c.PreAuth.ClientID,
ClientSecret: c.PreAuth.ClientSecret,
Expand All @@ -168,6 +197,8 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
}).
Client(context.Background()).
Transport,
timeout,
maxWait,
)
}

Expand Down