fix: memory leak in id_token mutator cache

[David-Wobrock]

Set a TTL on the cached JWTs in the id_token mutator.
It fixes a memory leak in Oathkeeper 🙌

We are running internally a fork of Oathkeeper with this patch applied, and the resulting memory footprint:

Unsure how to properly test it properly in a unit test though, since the getFromCache logic also checks if the cached TTL value is not expired (and not only the new ristretto internal TTL).

Related issue(s)

Split from #1177.

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[aeneasr]

Thank you! This makes sense - one remark though. If you see high memory use the cache is probably misconfigured. Ristretto does evict items when the cache size limit has been reached so theoretically you don’t need TTL (but it makes sense because otherwise the cache might evict tokens that are still valid)

[David-Wobrock]

Thank you! This makes sense - one remark though. If you see high memory use the cache is probably misconfigured. Ristretto does evict items when the cache size limit has been reached so theoretically you don’t need TTL (but it makes sense because otherwise the cache might evict tokens that are still valid)

Agreed 👍
There's an attempt to tackle this here: #1177
Which changes the default cache configuration, but also makes the id_token cache configurable.