diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
index 36fbeedf7e..8ef830b43f 100644
--- a/pipeline/authn/authenticator_oauth2_introspection.go
+++ b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -70,7 +70,8 @@ type AuthenticatorOAuth2Introspection struct {
 }
 
 func NewAuthenticatorOAuth2Introspection(c configuration.Provider, logger *logrusx.Logger) *AuthenticatorOAuth2Introspection {
- return &AuthenticatorOAuth2Introspection{c: c, logger: logger}
+ var rt http.RoundTripper
+ return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt), logger: logger}
 }
 
 func (a *AuthenticatorOAuth2Introspection) GetID() string {
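Review bot: `var rt http.RoundTripper` in NewAuthenticatorOAuth2Introspection exists only to hand a nil interface to `httpx.NewResilientClientLatencyToleranceSmall`, so `client: httpx.NewResilientClientLatencyToleranceSmall(nil)` states the intent without the extra declaration. Because the second hunk makes `Config` reassign `a.client` unconditionally, this constructor client is only a fallback for any call that reaches the authenticator before `Config` runs, which is worth a comment such as `// Default client without a pre-authorization transport; Config replaces it with one built from the rule's retry and pre_authorization settings.`. The struct this populates is defined above the hunk.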
@@ -261,49 +262,47 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 return nil, NewErrAuthenticatorMisconfigured(a, err)
 }
 
- if a.client == nil {
- a.logger.Debug("Initializing http client")
- var rt http.RoundTripper
- if c.PreAuth != nil && c.PreAuth.Enabled {
- var ep url.Values
+ var rt http.RoundTripper
 
- if c.PreAuth.Audience != "" {
- ep = url.Values{"audience": {c.PreAuth.Audience}}
- }
+ if c.PreAuth != nil && c.PreAuth.Enabled {
+ var ep url.Values
 
- rt = (&clientcredentials.Config{
- ClientID: c.PreAuth.ClientID,
- ClientSecret: c.PreAuth.ClientSecret,
- Scopes: c.PreAuth.Scope,
- EndpointParams: ep,
- TokenURL: c.PreAuth.TokenURL,
- }).Client(context.Background()).Transport
+ if c.PreAuth.Audience != "" {
+ ep = url.Values{"audience": {c.PreAuth.Audience}}
 }
 
- if c.Retry == nil {
- c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
- } else {
- if c.Retry.Timeout == "" {
- c.Retry.Timeout = "500ms"
- }
- if c.Retry.MaxWait == "" {
- c.Retry.MaxWait = "1s"
- }
- }
- duration, err := time.ParseDuration(c.Retry.Timeout)
- if err != nil {
- return nil, err
- }
- timeout := time.Millisecond * duration
+ rt = (&clientcredentials.Config{
+ ClientID: c.PreAuth.ClientID,
+ ClientSecret: c.PreAuth.ClientSecret,
+ Scopes: c.PreAuth.Scope,
+ EndpointParams: ep,
+ TokenURL: c.PreAuth.TokenURL,
+ }).Client(context.Background()).Transport
+ }
 
- maxWait, err := time.ParseDuration(c.Retry.MaxWait)
- if err != nil {
- return nil, err
+ if c.Retry == nil {
+ c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
+ } else {
+ if c.Retry.Timeout == "" {
+ c.Retry.Timeout = "500ms"
 }
+ if c.Retry.MaxWait == "" {
+ c.Retry.MaxWait = "1s"
+ }
+ }
+ duration, err := time.ParseDuration(c.Retry.Timeout)
+ if err != nil {
+ return nil, err
+ }
+ timeout := time.Millisecond * duration
 
- a.client = httpx.NewResilientClientLatencyToleranceConfigurable(rt, timeout, 
maxWait)
+ maxWait, err := time.ParseDuration(c.Retry.MaxWait)
+ if err != nil {
+ return nil, err
 }
+ a.client = httpx.NewResilientClientLatencyToleranceConfigurable(rt, timeout, maxWait)
+
 
 if c.Cache.TTL != "" {
 cacheTTL, err := time.ParseDuration(c.Cache.TTL)
 if err != nil {
diff --git a/pipeline/authn/authenticator_oauth2_introspection_test.go b/pipeline/authn/authenticator_oauth2_introspection_test.go
index f38ea259a7..6d09c8ad39 100644
--- a/pipeline/authn/authenticator_oauth2_introspection_test.go
+++ b/pipeline/authn/authenticator_oauth2_introspection_test.go
@@ -555,12 +555,8 @@ func TestAuthenticatorOAuth2Introspection(t *testing.T) {
 tc.config, _ = sjson.SetBytes(tc.config, "introspection_url", ts.URL+"/oauth2/introspect")
 tc.config, _ = sjson.SetBytes(tc.config, "pre_authorization.token_url", ts.URL+"/oauth2/token")
 
- //reinitialize authenticator so client will be reinitialized in authenticator
- reg := internal.NewRegistry(conf)
- a, err := reg.PipelineAuthenticator("oauth2_introspection")
-
 sess := new(AuthenticationSession)
- err = a.Authenticate(tc.r, sess, tc.config, nil)
+ err := a.Authenticate(tc.r, sess, tc.config, nil)
 if tc.expectErr {
 require.Error(t, err)
 if tc.expectExactErr != nil {
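Review bot: Dropping the `a.client == nil` guard at the top of the hunk makes every `Config` call rebuild `a.client`, including a fresh `clientcredentials` transport, so if `Config` runs per request (the test hunk stops re-creating the registry between cases, which suggests it now does) each introspection pays a new token round-trip to `PreAuth.TokenURL`, loses connection reuse, and the unsynchronized write to the shared `a.client` field races with concurrent requests. A cache of clients keyed by the parsed config, or a mutex around the assignment with a rebuild only when the effective config changes, would keep the per-rule behaviour the commit wants without the per-call cost. Separately, `timeout := time.Millisecond * duration` multiplies an already-parsed `time.Duration` by a millisecond, so the default "500ms" becomes roughly 5.8 days while `maxWait` beside it is used as parsed; `timeout := duration` is the consistent form unless the httpx constructor expects a millisecond count, which the neighbouring argument does not suggest. The enclosing `Config` method starts and ends outside the hunk.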