fix: set cost 1 when caching tokens with configurable max cost

.schema/config.schema.json

@@ -852,6 +852,12 @@
               "examples": [
                 "5s"
               ]
+            },
+            "max_cost": {
+              "type": "integer",
+              "default": 1000,
+              "title": "Max Cost",
+              "description": "Max number of tokens to cache."
             }
           }
         }

driver/configuration/provider_viper_public_test.go

@@ -52,7 +52,7 @@ func TestPipelineConfig(t *testing.T) {
 		p := setup(t)
 
 		require.NoError(t, p.PipelineConfig("authenticators", "oauth2_introspection", nil, &res))
-		assert.JSONEq(t, `{"cache":{"enabled":false},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact"}`, string(res), "%s", res)
+		assert.JSONEq(t, `{"cache":{"enabled":false, "max_cost":1000},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact"}`, string(res), "%s", res)
 
 		// Cleanup
 		require.NoError(t, os.Setenv("AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL", ""))

pipeline/authn/authenticator_oauth2_introspection.go

@@ -19,10 +19,12 @@ import (
 
 	"github.com/ory/go-convenience/stringslice"
 	"github.com/ory/x/httpx"
+	"github.com/ory/x/logrusx"
 
 	"github.com/ory/oathkeeper/driver/configuration"
 	"github.com/ory/oathkeeper/helper"
 	"github.com/ory/oathkeeper/pipeline"
+	"github.com/ory/oathkeeper/x"
 )
 
 type AuthenticatorOAuth2IntrospectionConfiguration struct {
@@ -54,6 +56,7 @@ type AuthenticatorOAuth2IntrospectionRetryConfiguration struct {
 type cacheConfig struct {
 	Enabled bool   `json:"enabled"`
 	TTL     string `json:"ttl"`
+	MaxCost int    `json:"max_cost"`
 }
 
 type AuthenticatorOAuth2Introspection struct {
@@ -63,19 +66,12 @@ type AuthenticatorOAuth2Introspection struct {
 
 	tokenCache *ristretto.Cache
 	cacheTTL   *time.Duration
+	logger     *logrusx.Logger
 }
 
 func NewAuthenticatorOAuth2Introspection(c configuration.Provider) *AuthenticatorOAuth2Introspection {
 	var rt http.RoundTripper
-	cache, _ := ristretto.NewCache(&ristretto.Config{
-		// This will hold about 1000 unique mutation responses.
-		NumCounters: 10000,
-		// Allocate a max of 32MB
-		MaxCost: 1 << 25,
-		// This is a best-practice value.
-		BufferItems: 64,
-	})
-	return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt), tokenCache: cache}
+	return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt), logger: logrusx.New("ORY Oathkeeper", x.Version)}
 }
 
 func (a *AuthenticatorOAuth2Introspection) GetID() string {
@@ -122,9 +118,9 @@ func (a *AuthenticatorOAuth2Introspection) tokenToCache(config *AuthenticatorOAu
 	}
 
 	if a.cacheTTL != nil {
-		a.tokenCache.SetWithTTL(token, i, 0, *a.cacheTTL)
+		a.tokenCache.SetWithTTL(token, i, 1, *a.cacheTTL)
 	} else {
-		a.tokenCache.Set(token, i, 0)
+		a.tokenCache.Set(token, i, 1)
 	}
 }
 
@@ -304,5 +300,19 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 		a.cacheTTL = &cacheTTL
 	}
 
+	if a.tokenCache == nil {
+		a.logger.Debugf("Creating cache with max cost: %d", c.Cache.MaxCost)
+		cache, _ := ristretto.NewCache(&ristretto.Config{
+			// This will hold about 1000 unique mutation responses.
+			NumCounters: 10000,
+			// Allocate a max
+			MaxCost: int64(c.Cache.MaxCost),
+			// This is a best-practice value.
+			BufferItems: 64,
+		})
+
+		a.tokenCache = cache
+	}
+
 	return &c, nil
 }