Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Feature Request] Add new api RequestRefreshAsync(). #3040

Open
brentschmaltz opened this issue Nov 26, 2024 · 2 comments
Open

[Feature Request] Add new api RequestRefreshAsync(). #3040

brentschmaltz opened this issue Nov 26, 2024 · 2 comments
Labels
Enhancement The issue is a new feature

Comments

@brentschmaltz
Copy link
Member

RequestRefresh was originally implemented as sync method where the method simply reset the 'syncafter' variable so that the next GetConfigurationAsync would get new Configuration.

GetConfigurationAsync was originally blocking and guarded with a lock. The lock was removed, and configuration is obtained on a background task. This seemed reasonable as in the normal flow, new configuration is obtained periodically controlled by AutomaticRefreshInterval and is not the result of an error condition.

RequestRefresh is different, this is called when token validation fails for reasons that indicate a Configuration refresh could result in a token being successfully validated.

Last-Known-Good (LKG) logic uses a set of Configuration that successfully validated a token associated with a particular identity provider. This reduces the failure rate when an identity provider accidentally posts metadata that is invalid.

LKG logic first calls RequestRefresh (which previously reset 'syncafter'), then GetConfigurationAsync (which was blocking) to obtain new metadata before using historical Configuration.

see:

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs

Line 514 in ae57a3c

validationParameters.ConfigurationManager.RequestRefresh();

RequestRefreshAsync would result in the same logic as the above two calls and provide a deterministic way to obtain new metadata.
@brentschmaltz brentschmaltz mentioned this issue Nov 26, 2024
Open
@jennyf19 jennyf19 added Enhancement The issue is a new feature and removed needs attention untriaged labels Nov 26, 2024
@jennyf19
Copy link
Collaborator

related - #3025

@armandRobled
Copy link

RequestRefresh se implementó originalmente como un método de sincronización donde el método simplemente restablecía la variable 'syncafter' para que el próximo GetConfigurationAsync obtuviera la nueva configuración.

GetConfigurationAsync originalmente estaba bloqueado y protegido con un bloqueo. El bloqueo se eliminó y la configuración se obtiene en una tarea en segundo plano. Esto parecía razonable ya que en el flujo normal, la nueva configuración se obtiene periódicamente controlada por AutomaticRefreshInterval y no es el resultado de una condición de error.

RequestRefresh es diferente, esto se llama cuando la validación del token falla por razones que indican que una actualización de la configuración podría resultar en la validación exitosa de un token.

La lógica de último valor conocido (LKG) utiliza un conjunto de configuraciones que validaron correctamente un token asociado con un proveedor de identidad en particular. Esto reduce la tasa de errores cuando un proveedor de identidad publica metadatos no válidos por accidente.

La lógica LKG primero llama a RequestRefresh (que anteriormente restablecía 'syncafter'), luego a GetConfigurationAsync (que estaba bloqueando) para obtener nuevos metadatos antes de usar la configuración histórica.

ver:

azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.JsonWebTokens/JsonWebTokenHandler.ValidateToken.cs

Line 514 in ae57a3c

validationParameters.ConfigurationManager.RequestRefresh();

RequestRefreshAsync tendría como resultado la misma lógica que las dos llamadas anteriores y proporcionaría una forma determinista de obtener nuevos metadatos.

[email protected]•Home

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Enhancement The issue is a new feature
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@brentschmaltz @jennyf19 @armandRobled