OpenID Provider Configuration Timeout (#315)

- adding the ability to control the timeout on the openid configuration pull
louketo · Feb 23, 2018 · 55b21c1 · 55b21c1
1 parent 5b623ec
commit 55b21c1
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 
 FEATURES:
 * Updated the docker base image alpine 3.7 [#PR313](https://github.com/gambol99/keycloak-proxy/pull/313)
+* Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR314](https://github.com/gambol99/keycloak-proxy/pull/314)
 
 #### **2.1.1**
 

diff --git a/config.go b/config.go
@@ -36,6 +36,7 @@ func newDefaultConfig() *Config {
 		Headers:                     make(map[string]string),
 		LetsEncryptCacheDir:         "./cache/",
 		MatchClaims:                 make(map[string]string),
+		OpenIDProviderTimeout:       30 * time.Second,
 		SecureCookie:                true,
 		ServerIdleTimeout:           120 * time.Second,
 		ServerReadTimeout:           5 * time.Second,

diff --git a/doc.go b/doc.go
@@ -126,6 +126,8 @@ type Config struct {
 	SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify" usage:"skip the verification of any TLS communication with the openid provider"`
 	// OpenIDProviderProxy proxy for openid provider communication
 	OpenIDProviderProxy string `json:"openid-provider-proxy" yaml:"openid-provider-proxy" usage:"proxy for communication with the openid provider"`
+	// OpenIDProviderTimeout is the timeout used to pulling the openid configuration from the provider
+	OpenIDProviderTimeout time.Duration `json:"openid-provider-timeout" yaml:"openid-provider-timeout" usage:"timeout for openid configuration on .well-known/openid-configuration"`
 	// Scopes is a list of scope we should request
 	Scopes []string `json:"scopes" yaml:"scopes" usage:"list of scopes requested when authenticating the user"`
 	// Upstream is the upstream endpoint i.e whom were proxying to

diff --git a/server.go b/server.go
@@ -627,7 +627,9 @@ func (r *oauthProxy) newOpenIDClient() (*oidc.Client, oidc.ProviderConfig, *http
 	completeCh := make(chan bool)
 	go func() {
 		for {
-			r.log.Info("attempting to retrieve configuration discovery url", zap.String("url", r.config.DiscoveryURL))
+			r.log.Info("attempting to retrieve configuration discovery url",
+				zap.String("url", r.config.DiscoveryURL),
+				zap.String("timeout", r.config.OpenIDProviderTimeout.String()))
 			if config, err = oidc.FetchProviderConfig(hc, r.config.DiscoveryURL); err == nil {
 				break // break and complete
 			}
@@ -638,7 +640,7 @@ func (r *oauthProxy) newOpenIDClient() (*oidc.Client, oidc.ProviderConfig, *http
 	}()
 	// wait for timeout or successful retrieval
 	select {
-	case <-time.After(30 * time.Second):
+	case <-time.After(r.config.OpenIDProviderTimeout):
 		return nil, config, nil, errors.New("failed to retrieve the provider configuration from discovery url")
 	case <-completeCh:
 		r.log.Info("successfully retrieved openid configuration from the discovery")

diff --git a/server_test.go b/server_test.go
@@ -404,6 +404,7 @@ func newFakeKeycloakConfig() *Config {
 		CookieRefreshName:          "kc-state",
 		DisableAllLogging:          true,
 		DiscoveryURL:               "127.0.0.1:0",
+		OpenIDProviderTimeout:      time.Second * 5,
 		EnableAuthorizationHeader:  true,
 		EnableAuthorizationCookies: true,
 		EnableLogging:              false,