Description

Currently the number of OIDC tenants is unlimited. A global, static map of "tenant ID" to TenantConfigContext is held in i.q.oidc.runtime.OidcRecorder (propagated to i.q.oidc.runtime.TenantConfigBean).

Some scenarios may create new OIDC tenant configs at runtime. Either by having some functionality to change the configuration (and generate a new tenant-ID) or by adding new OIDC tenant configs. Both use cases lead to new TenantConfigContexts being created, but never cleaned up.

Proposal:

• Add a configuration option to limit the number of dynamic OIDC tenants
• Replace the static CHM in OidcRecorder with a bounded Caffeine cache
• Use the Caffeine cache to limit the number of active OIDC tenant contexts and automatically close old ones
• The Caffeine cache could also be used to automatically close inactive OIDC tenant contexts after some period of time to safe resources (at the cost of a somewhat higher latency when inactive contexts are used again).

New Configuration properties

int quarkus.oidc.dynamic-tenants.limit (default to Integer.MAX_VALUE to retain the current behavior)
Optional<Duration> quarkus.oidc.dynamic-tenants.close-inactive-after (empty = don't close inactive tenant contexts, other value = configure via Caffeine's expireAfterAccess)

Implementation ideas

No response