A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.
The rationale behind this update is that we see an ever-increasing memory usage on our Oathkeeper instances, until they OOM and we start a new one.
Some pprof analysis in our prod environment seems to indicate that it's in MutatorIDToken.Mutate that the issue lies. More specifically when signing the token string.
in MutatorIDToken.Mutate => signed, err := a.r.CredentialsSigner().Sign(r.Context(), jwks, claims)
in Sign => signed, err := token.SignedString(key.Key)
in SignedString => return strings.Join([]string{sstr, sig}, "."), nil
In golang-jwt v5, this method does not use strings.Join anymore. See https://github.com/golang-jwt/jwt/pull/115
I'm entirely sure to understand why string joining could cause this issue, perhaps some reference that Oathkeeper is keeping and therefore leads to this memory leak 🤷
But in any case, we believe it's a good thing to keep dependencies up-to-date and use the latest version.
Let me know what you think :)
Checklist
[ ] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact security@ory.sh) from the maintainers to push the changes.
[ ] I have added tests that prove my fix is effective or that my feature works.
Further Comments
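An added example, not code from this pull request or from Oathkeeper: a Go heap profile attributes live memory to the stack that allocated it, so a signed token that is retained anywhere is reported under the strings.Join call that built it. The standard-library HS256 `sign` function and the map used as an unbounded cache are hypothetical stand-ins, and all keys and claims are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"runtime"
	"strings"
)

// sign is a stdlib HS256 stand-in (not golang-jwt) whose last step has the
// same shape as the SignedString line quoted above: strings.Join allocates it.
func sign(key []byte, claims string) string {
	enc := base64.RawURLEncoding
	sstr := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString([]byte(claims))
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(sstr))
	sig := enc.EncodeToString(mac.Sum(nil))
	return strings.Join([]string{sstr, sig}, ".")
}

// liveHeap returns the heap bytes still allocated after a forced GC.
func liveHeap() uint64 {
	runtime.GC()
	var m runtime.MemStats
	runtime.ReadMemStats(&m)
	return m.HeapAlloc
}

// heapGrowth signs n distinct tokens and returns the live-heap growth.
// retain=true keeps every token in a map (hypothetical unbounded cache).
func heapGrowth(n int, retain bool) int64 {
	key := []byte("constructed-demo-key") // constructed sample key
	cache := make(map[int]string)
	before := liveHeap()
	for i := 0; i < n; i++ {
		tok := sign(key, fmt.Sprintf(`{"sub":"user-%d","iss":"constructed"}`, i))
		if retain {
			cache[i] = tok
		}
	}
	after := liveHeap()
	runtime.KeepAlive(cache) // keep the cache reachable until measured
	return int64(after) - int64(before)
}

func main() {
	fmt.Println("retained:", heapGrowth(50000, true), "dropped:", heapGrowth(50000, false))
}
```

Both runs execute the same signing path; only the retained run leaves megabytes live, which is why the allocation site alone does not identify what is holding the memory.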