Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The rationale behind this update is that we see an ever increasing memory usage on our Oathkeeper instances, until they OOM and we start a new one.
From some pprof analysis in our prod environment, seems to indicate that it's in
MutatorIDToken.Mutate
that the issue lies.More specifically when signing the token string.
MutatorIDToken.Mutate
=>signed, err := a.r.CredentialsSigner().Sign(r.Context(), jwks, claims)
Sign
=>signed, err := token.SignedString(key.Key)
SignedString
=>return strings.Join([]string{sstr, sig}, "."), nil
In golang-jwt v5, this method does not use
strings.Join
anymore.See golang-jwt/jwt#115
I'm entirely sure to understand why string joining could cause this issue, perhaps some reference that Oathkeeper is keeping and therefore leads to this memory leak 🤷
But in any case, we believe it's a good thing to keep dependencies up-to-date and use the latest version.
Let me know what you think :)
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
[email protected]) from the maintainers to push
the changes.
works.
Further Comments