fix: init introspect http client once

pipeline/authn/authenticator_oauth2_introspection.go

@@ -70,8 +70,7 @@ type AuthenticatorOAuth2Introspection struct {
 }
 
 func NewAuthenticatorOAuth2Introspection(c configuration.Provider, logger *logrusx.Logger) *AuthenticatorOAuth2Introspection {
-	var rt http.RoundTripper
-	return &AuthenticatorOAuth2Introspection{c: c, client: httpx.NewResilientClientLatencyToleranceSmall(rt), logger: logger}
+	return &AuthenticatorOAuth2Introspection{c: c, logger: logger}
 }
 
 func (a *AuthenticatorOAuth2Introspection) GetID() string {
@@ -262,46 +261,48 @@ func (a *AuthenticatorOAuth2Introspection) Config(config json.RawMessage) (*Auth
 		return nil, NewErrAuthenticatorMisconfigured(a, err)
 	}
 
-	var rt http.RoundTripper
+	if a.client == nil {
+		a.logger.Debug("Initializing http client")
+		var rt http.RoundTripper
+		if c.PreAuth != nil && c.PreAuth.Enabled {
+			var ep url.Values
 
-	if c.PreAuth != nil && c.PreAuth.Enabled {
-		var ep url.Values
+			if c.PreAuth.Audience != "" {
+				ep = url.Values{"audience": {c.PreAuth.Audience}}
+			}
 
-		if c.PreAuth.Audience != "" {
-			ep = url.Values{"audience": {c.PreAuth.Audience}}
+			rt = (&clientcredentials.Config{
+				ClientID:       c.PreAuth.ClientID,
+				ClientSecret:   c.PreAuth.ClientSecret,
+				Scopes:         c.PreAuth.Scope,
+				EndpointParams: ep,
+				TokenURL:       c.PreAuth.TokenURL,
+			}).Client(context.Background()).Transport
 		}
 
-		rt = (&clientcredentials.Config{
-			ClientID:       c.PreAuth.ClientID,
-			ClientSecret:   c.PreAuth.ClientSecret,
-			Scopes:         c.PreAuth.Scope,
-			EndpointParams: ep,
-			TokenURL:       c.PreAuth.TokenURL,
-		}).Client(context.Background()).Transport
-	}
-
-	if c.Retry == nil {
-		c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
-	} else {
-		if c.Retry.Timeout == "" {
-			c.Retry.Timeout = "500ms"
+		if c.Retry == nil {
+			c.Retry = &AuthenticatorOAuth2IntrospectionRetryConfiguration{Timeout: "500ms", MaxWait: "1s"}
+		} else {
+			if c.Retry.Timeout == "" {
+				c.Retry.Timeout = "500ms"
+			}
+			if c.Retry.MaxWait == "" {
+				c.Retry.MaxWait = "1s"
+			}
 		}
-		if c.Retry.MaxWait == "" {
-			c.Retry.MaxWait = "1s"
+		duration, err := time.ParseDuration(c.Retry.Timeout)
+		if err != nil {
+			return nil, err
 		}
-	}
-	duration, err := time.ParseDuration(c.Retry.Timeout)
-	if err != nil {
-		return nil, err
-	}
-	timeout := time.Millisecond * duration
+		timeout := time.Millisecond * duration
 
-	maxWait, err := time.ParseDuration(c.Retry.MaxWait)
-	if err != nil {
-		return nil, err
-	}
+		maxWait, err := time.ParseDuration(c.Retry.MaxWait)
+		if err != nil {
+			return nil, err
+		}
 
-	a.client = httpx.NewResilientClientLatencyToleranceConfigurable(rt, timeout, maxWait)
+		a.client = httpx.NewResilientClientLatencyToleranceConfigurable(rt, timeout, maxWait)
+	}
 
 	if c.Cache.TTL != "" {
 		cacheTTL, err := time.ParseDuration(c.Cache.TTL)

pipeline/authn/authenticator_oauth2_introspection_test.go

@@ -555,8 +555,12 @@ func TestAuthenticatorOAuth2Introspection(t *testing.T) {
 				tc.config, _ = sjson.SetBytes(tc.config, "introspection_url", ts.URL+"/oauth2/introspect")
 				tc.config, _ = sjson.SetBytes(tc.config, "pre_authorization.token_url", ts.URL+"/oauth2/token")
 
+				//reinitialize authenticator so client will be reinitialized in authenticator
+				reg := internal.NewRegistry(conf)
+				a, err := reg.PipelineAuthenticator("oauth2_introspection")
+
 				sess := new(AuthenticationSession)
-				err := a.Authenticate(tc.r, sess, tc.config, nil)
+				err = a.Authenticate(tc.r, sess, tc.config, nil)
 				if tc.expectErr {
 					require.Error(t, err)
 					if tc.expectExactErr != nil {