feat(authn): make oauth2_intsropsection configurable timeout (#370)

ory · Mar 5, 2020 · 0a39511 · 0a39511
1 parent 874b7a9
commit 0a39511
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 16 deletions.
diff --git a/.schemas/config.schema.json b/.schemas/config.schema.json
@@ -4,6 +4,22 @@
   "title": "ORY Oathkeeper Configuration",
   "type": "object",
   "definitions": {
+    "retry": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "give_up_after": {
+          "type": "string",
+          "default": "1s",
+          "pattern": "^[0-9]+(ns|us|ms|s|m|h)$"
+        },
+        "max_delay": {
+          "type": "string",
+          "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
+          "default": "100ms"
+        }
+      }
+    },
     "tlsxSource": {
       "type": "object",
       "additionalProperties": false,
@@ -678,6 +694,9 @@
               }
             }
           ]
+        },
+        "retry": {
+          "$ref": "#/definitions/retry"
         }
       },
       "required": [
@@ -792,20 +811,7 @@
               }
             },
             "retry": {
-              "type": "object",
-              "additionalProperties": false,
-              "properties": {
-                "give_up_after": {
-                  "type": "string",
-                  "default": "1s",
-                  "pattern": "^[0-9]+(ns|us|ms|s|m|h)$"
-                },
-                "max_delay": {
-                  "type": "string",
-                  "pattern": "^[0-9]+(ns|us|ms|s|m|h)$",
-                  "default": "100ms"
-                }
-              }
+              "$ref": "#/definitions/retry"
             }
           }
         }

diff --git a/driver/configuration/provider_viper_public_test.go b/driver/configuration/provider_viper_public_test.go
@@ -48,7 +48,7 @@ func TestPipelineConfig(t *testing.T) {
 		require.NoError(t, os.Setenv("AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL", "https://override/path"))
 
 		require.NoError(t, p.PipelineConfig("authenticators", "oauth2_introspection", nil, &res))
-		assert.JSONEq(t, `{"introspection_request_headers":{},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"required_scope":[],"scope_strategy":"exact","target_audience":[],"trusted_issuers":[]}`, string(res), "%s", res)
+		assert.JSONEq(t, `{"introspection_request_headers":{},"introspection_url":"https://override/path","pre_authorization":{"client_id":"some_id","client_secret":"some_secret","enabled":true,"scope":["foo","bar"],"token_url":"https://my-website.com/oauth2/token"},"required_scope":[],"retry":{"max_delay":"100ms", "give_up_after":"1s"},"scope_strategy":"exact","target_audience":[],"trusted_issuers":[]}`, string(res), "%s", res)
 
 		// Cleanup
 		require.NoError(t, os.Setenv("AUTHENTICATORS_OAUTH2_INTROSPECTION_CONFIG_INTROSPECTION_URL", ""))

diff --git a/pipeline/authn/authenticator_oauth2_introspection.go b/pipeline/authn/authenticator_oauth2_introspection.go
@@ -7,6 +7,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"time"
 
 	"github.com/pkg/errors"
 	"golang.org/x/oauth2/clientcredentials"
@@ -28,6 +29,7 @@ type AuthenticatorOAuth2IntrospectionConfiguration struct {
 	IntrospectionURL            string                                                `json:"introspection_url"`
 	BearerTokenLocation         *helper.BearerTokenLocation                           `json:"token_from"`
 	IntrospectionRequestHeaders map[string]string                                     `json:"introspection_request_headers"`
+	Retry                       *AuthenticatorOAuth2IntrospectionRetryConfiguration   `json:"retry"`
 }
 
 type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
@@ -38,6 +40,11 @@ type AuthenticatorOAuth2IntrospectionPreAuthConfiguration struct {
 	TokenURL     string   `json:"token_url"`
 }
 
+type AuthenticatorOAuth2IntrospectionRetryConfiguration struct {
+	Timeout string `json:"max_delay"`
+	MaxWait string `json:"give_up_after"`
+}
+
 type AuthenticatorOAuth2Introspection struct {
 	c configuration.Provider
 
@@ -46,6 +53,7 @@ type AuthenticatorOAuth2Introspection struct {
 
 func NewAuthenticatorOAuth2Introspection(c configuration.Provider) *AuthenticatorOAuth2Introspection {
 	var rt http.RoundTripper
+
 	return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt)}
 }
 
@@ -159,7 +167,28 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 	}
 
 	if c.PreAuth != nil && c.PreAuth.Enabled {
-		a.client = httpx.NewResilientClientLatencyToleranceSmall(
+		if c.Retry == nil {
+			c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
+		} else {
+			if c.Retry.Timeout == "" {
+				c.Retry.Timeout = "500ms"
+			}
+			if c.Retry.MaxWait == "" {
+				c.Retry.MaxWait = "1s"
+			}
+		}
+		duration, err := time.ParseDuration(c.Retry.Timeout)
+		if err != nil {
+			return nil, err
+		}
+		timeout := time.Millisecond * duration
+
+		maxWait, err := time.ParseDuration(c.Retry.MaxWait)
+		if err != nil {
+			return nil, err
+		}
+
+		a.client = httpx.NewResilientClientLatencyToleranceConfigurable(
 			(&clientcredentials.Config{
 				ClientID:     c.PreAuth.ClientID,
 				ClientSecret: c.PreAuth.ClientSecret,
@@ -168,6 +197,8 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 			}).
 				Client(context.Background()).
 				Transport,
+			timeout,
+			maxWait,
 		)
 	}