Disable OIDC Keep-Alive and instantiate client once

This should reduce file-descriptor leaks.
owncloud · May 29, 2020 · eaa27ca · eaa27ca
1 parent f33b678
commit eaa27ca
Showing 1 changed file with 12 additions and 11 deletions.
diff --git a/pkg/middleware/openidconnect.go b/pkg/middleware/openidconnect.go
@@ -48,6 +48,15 @@ func OpenIDConnect(opts ...ocisoidc.Option) func(next http.Handler) http.Handler
 		opt.SigningAlgs = []string{"RS256", "PS256"}
 	}
 
+	var oidcHTTPClient = &http.Client{
+		Transport: &http.Transport{
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: opt.Insecure,
+			},
+			DisableKeepAlives: true,
+		},
+		Timeout: time.Second * 10,
+	}
 	var oidcProvider *oidc.Provider
 
 	return func(next http.Handler) http.Handler {
@@ -62,17 +71,7 @@ func OpenIDConnect(opts ...ocisoidc.Option) func(next http.Handler) http.Handler
 				return
 			}
 
-			token := header[7:]
-			customHTTPClient := &http.Client{
-				Transport: &http.Transport{
-					TLSClientConfig: &tls.Config{
-						InsecureSkipVerify: opt.Insecure,
-					},
-				},
-				Timeout: time.Second * 10,
-			}
-
-			customCtx := context.WithValue(r.Context(), oauth2.HTTPClient, customHTTPClient)
+			customCtx := context.WithValue(r.Context(), oauth2.HTTPClient, oidcHTTPClient)
 
 			// use cached provider
 			if oidcProvider == nil {
@@ -92,6 +91,8 @@ func OpenIDConnect(opts ...ocisoidc.Option) func(next http.Handler) http.Handler
 			// The claims we want to have
 			var claims ocisoidc.StandardClaims
 
+			token := header[7:]
+
 			// TODO cache userinfo for access token if we can determine the expiry (which works in case it is a jwt based access token)
 			oauth2Token := &oauth2.Token{
 				AccessToken: token,