From 2d16779652c6e853c7a570f1545a814a7a68b5bc Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Fri, 16 Sep 2022 11:20:40 +0200
Subject: [PATCH] fix the oidc provider cache
---
 changelog/unreleased/fix-oidc-provider-cache.md | 6 ++++++
 services/proxy/pkg/middleware/oidc_auth.go | 12 ++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)
 create mode 100644 changelog/unreleased/fix-oidc-provider-cache.md
diff --git a/changelog/unreleased/fix-oidc-provider-cache.md b/changelog/unreleased/fix-oidc-provider-cache.md
new file mode 100644
index 0000000000..bfc4e22289
--- /dev/null
+++ b/changelog/unreleased/fix-oidc-provider-cache.md
@@ -0,0 +1,6 @@
+Bugfix: Fix the OIDC provider cache
+
+We've fixed the OIDC provider cache. It never had a cache hit before this fix.
+Under some circumstances it could cause a painfully slow OCIS if the IDP wellknown endpoint takes some time to respond.
+
+https://github.com/owncloud/ocis/pull/4600
diff --git a/services/proxy/pkg/middleware/oidc_auth.go b/services/proxy/pkg/middleware/oidc_auth.go
index c89f83d5cc..f0dabbd752 100644
--- a/services/proxy/pkg/middleware/oidc_auth.go
+++ b/services/proxy/pkg/middleware/oidc_auth.go
@@ -32,9 +32,9 @@ type OIDCProvider interface {
 
 // NewOIDCAuthenticator returns a ready to use authenticator which can handle OIDC authentication.
 func NewOIDCAuthenticator(logger log.Logger, tokenCacheTTL int, oidcHTTPClient *http.Client, oidcIss string, providerFunc func() (OIDCProvider, error),
-jwksOptions config.JWKS, accessTokenVerifyMethod string) OIDCAuthenticator {
+jwksOptions config.JWKS, accessTokenVerifyMethod string) *OIDCAuthenticator {
 tokenCache := osync.NewCache(tokenCacheTTL)
-return OIDCAuthenticator{
+return &OIDCAuthenticator{
 Logger: logger,
 tokenCache: &tokenCache,
 TokenCacheTTL: time.Duration(tokenCacheTTL),
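Review bot: Returning `*OIDCAuthenticator` here is the real fix, but nothing in the file says why the pointer is required, so the next refactor can reintroduce the bug: with the old value receivers every call worked on a copy, so the provider and JWKS stored under `providerLock`/`jwksLock` were written to the copy and the next request started cold again. Add a doc comment on the type, e.g. `// OIDCAuthenticator must be used by pointer: the lazily populated provider and JWKS caches and their locks are per-instance state.` The same receiver change is made in the getClaims, getKeyfunc, getProvider and Authenticate hunks. If the lock fields are plain `sync.Mutex` values (their declarations are not in the diff), `go vet`'s copylocks check would have flagged the old value receivers, so it is worth confirming that vet runs in CI. Callers that stored the value type returned by NewOIDCAuthenticator need updating, which this diff does not show.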
@@ -66,7 +66,7 @@ type OIDCAuthenticator struct {
 JWKS *keyfunc.JWKS
 }
 
-func (m OIDCAuthenticator) getClaims(token string, req *http.Request) (map[string]interface{}, error) {
+func (m *OIDCAuthenticator) getClaims(token string, req *http.Request) (map[string]interface{}, error) {
 var claims map[string]interface{}
 hit := m.tokenCache.Load(token)
 if hit == nil {
@@ -168,7 +168,7 @@ type jwksJSON struct {
 JWKSURL string `json:"jwks_uri"`
 }
 
-func (m OIDCAuthenticator) getKeyfunc() *keyfunc.JWKS {
+func (m *OIDCAuthenticator) getKeyfunc() *keyfunc.JWKS {
 m.jwksLock.Lock()
 defer m.jwksLock.Unlock()
 if m.JWKS == nil {
@@ -219,7 +219,7 @@ func (m OIDCAuthenticator) getKeyfunc() *keyfunc.JWKS {
 return m.JWKS
 }
 
-func (m OIDCAuthenticator) getProvider() OIDCProvider {
+func (m *OIDCAuthenticator) getProvider() OIDCProvider {
 m.providerLock.Lock()
 defer m.providerLock.Unlock()
 if m.provider == nil {
@@ -240,7 +240,7 @@ func (m OIDCAuthenticator) getProvider() OIDCProvider {
 }
 
 // Authenticate implements the authenticator interface to authenticate requests via oidc auth.
-func (m OIDCAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) {
+func (m *OIDCAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) {
 // there is no bearer token on the request,
 if !m.shouldServe(r) || isPublicPath(r.URL.Path) {
 // The authentication of public path requests is handled by another authenticator.
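Review bot: Now that getProvider runs on the shared instance, whatever it stores in `m.provider` is held for the lifetime of the authenticator, so the error path of providerFunc deserves a look (the body continues outside the hunk): if a failed discovery leaves `m.provider` nil the next request simply retries, which is what you want, but if a partially constructed provider is ever stored, the process keeps it until restart. The same lifetime now applies to `m.JWKS` in getKeyfunc; whether rotated IdP signing keys are picked up then depends on keyfunc's own refresh behaviour, which this diff does not show. A short comment above `if m.provider == nil {` and `if m.JWKS == nil {`, e.g. `// fetched once and held for the life of the authenticator; callers share this instance`, would make the caching contract explicit. Note also that the lock is held across the discovery call, so concurrent first requests queue behind one fetch rather than fanning out, which is fine but worth stating in the same comment.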