Skip to content

fix: use context to fetch key set in userinfo #441

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: v3
Choose a base branch
from
Open

fix: use context to fetch key set in userinfo #441

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e03c87b
fix: use context to fetch key set in userinfo
zepatrik Nov 25, 2024
6fc1c39
chore: refactor to pass down client instead of context
zepatrik Nov 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
25 changes: 14 additions & 11 deletions oidc/oidc.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -105,26 +105,29 @@ type Provider struct {
// Raw claims returned by the server.
rawClaims []byte

// Guards all of the following fields.
mu sync.Mutex
// HTTP client specified from the initial NewProvider request. This is used
// when creating the common key set.
client *http.Client

// Guards all of the following fields.
mu sync.RWMutex
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using an RWMutex instead, because we only do reads after the initial write. This should eliminate any lock contention.

// A key set that uses context.Background() and is shared between all code paths
// that don't have a convinent way of supplying a unique context.
commonRemoteKeySet KeySet
}

func (p *Provider) remoteKeySet() KeySet {
func (p *Provider) remoteKeySet(c *http.Client) KeySet {
p.mu.RLock()
if p.commonRemoteKeySet != nil {
defer p.mu.RUnlock()
return p.commonRemoteKeySet
}
p.mu.RUnlock()

p.mu.Lock()
defer p.mu.Unlock()
if p.commonRemoteKeySet == nil {
ctx := context.Background()
if p.client != nil {
ctx = ClientContext(ctx, p.client)
}
p.commonRemoteKeySet = NewRemoteKeySet(ctx, p.jwksURL)
}

p.commonRemoteKeySet = NewRemoteKeySet(ClientContext(context.Background(), c), p.jwksURL)
return p.commonRemoteKeySet
}

Expand Down Expand Up @@ -350,7 +353,7 @@ func (p *Provider) UserInfo(ctx context.Context, tokenSource oauth2.TokenSource)
ct := resp.Header.Get("Content-Type")
mediaType, _, parseErr := mime.ParseMediaType(ct)
if parseErr == nil && mediaType == "application/jwt" {
payload, err := p.remoteKeySet().VerifySignature(ctx, string(body))
payload, err := p.remoteKeySet(getClient(ctx)).VerifySignature(ctx, string(body))
if err != nil {
return nil, fmt.Errorf("oidc: invalid userinfo jwt signature %v", err)
}
Expand Down
2 changes: 1 addition & 1 deletion oidc/verify.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -131,7 +131,7 @@ func (p *Provider) VerifierContext(ctx context.Context, config *Config) *IDToken
// The returned verifier uses a background context for all requests to the upstream
// JWKs endpoint. To control that context, use VerifierContext instead.
func (p *Provider) Verifier(config *Config) *IDTokenVerifier {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If this function would be eventually removed, there would also not be any need for the Provider.client anymore.

return p.newVerifier(p.remoteKeySet(), config)
return p.newVerifier(p.remoteKeySet(p.client), config)
}

func (p *Provider) newVerifier(keySet KeySet, config *Config) *IDTokenVerifier {
Expand Down