cipher suites for the jwk client restricted

krakend · Jul 30, 2018 · 1e7c616 · 1e7c616
1 parent b06c232
commit 1e7c616
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 5 deletions.
diff --git a/Gopkg.lock b/Gopkg.lock
diff --git a/Gopkg.toml b/Gopkg.toml
@@ -1,6 +1,7 @@
 [[constraint]]
-  branch = "master"
+  branch = "custom_http_client"
   name = "github.com/auth0-community/go-auth0"
+  source = "github.com/kpacha/go-auth0"
 
 [[constraint]]
   name = "github.com/devopsfaith/krakend"

diff --git a/jwk.go b/jwk.go
@@ -1,6 +1,9 @@
 package jose
 
 import (
+	"crypto/tls"
+	"net"
+	"net/http"
 	"sync"
 	"time"
 
@@ -15,7 +18,33 @@ func secretProvider(URI string, cacheEnabled bool, tokenExtractor auth0.RequestT
 	}
 	mu.RUnlock()
 
-	opts := auth0.JWKClientOptions{URI: URI}
+	opts := auth0.JWKClientOptions{
+		URI: URI,
+		Client: &http.Client{
+			Transport: &http.Transport{
+				Proxy: http.ProxyFromEnvironment,
+				DialContext: (&net.Dialer{
+					Timeout:   30 * time.Second,
+					KeepAlive: 30 * time.Second,
+					DualStack: true,
+				}).DialContext,
+				MaxIdleConns:          10,
+				IdleConnTimeout:       90 * time.Second,
+				TLSHandshakeTimeout:   10 * time.Second,
+				ExpectContinueTimeout: 1 * time.Second,
+				TLSClientConfig: &tls.Config{
+					CipherSuites: []uint16{
+						tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+						tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+						tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+						tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+						tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
+						tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
+					},
+				},
+			},
+		},
+	}
 	if !cacheEnabled {
 		return auth0.NewJWKClient(opts, tokenExtractor)
 	}