Add Async pattern for TokenValidation #468
Comments
brentschmaltz
added
P1
|
@Zoltu I agree with you that off-box validation is a real scenario. We should have an async pattern up and down the call graph to realize this pattern. |
|
We will need to add an new return type: ValidationResult so the 'out' param is not needed. |
|
Include this issue with this fix. |
brentschmaltz
changed the title
|
Modified title to reflect that this is general in nature across all token types. Perhaps in SecurityTokenHandler |
|
Do we have an ETA on this? |
|
@shagenhokie not yet |
|
@brentschmaltz the method that handles jwt authentication is async so I think it shouldn't be that difficult to add? https://github.com/aspnet/Security/blob/beaa2b443d46ef8adaf5c2a89eb475e1893037c2/src/Microsoft.AspNetCore.Authentication.JwtBearer/JwtBearerHandler.cs#L107-L128 It's a limitation if you want to implement token invalidation and call redis or any other db asynchronously inside the handler: Because public async Task<(ClaimsPrincipal, SecurityToken)> ValidateTokenAsync(string token,
TokenValidationParameters validationParameters)
{
var claimsPrincipal = base.ValidateToken(token, validationParameters, out var validatedToken);
return (claimsPrincipal, validatedToken);
}
public override ClaimsPrincipal ValidateToken(string token, TokenValidationParameters validationParameters,
out SecurityToken validatedToken)
{
var tuple = ValidateTokenAsync(token, validationParameters).Result;
validatedToken = tuple.Item2;
return tuple.Item1;
} |
|
@fragilethoughts I agree we need async, particularly with delegation to validation services, such as KeyVault and Google. Not only do we need ValidateTokenAsync, we need async on our Crypto such as SignatureProviders and KeyWrapProviders. This is a feature we are thinking about for 5.3.1, but realistically it may be later. The other issue is we want to remove references to any libraries other than those shipped by Microsoft, such as JSON.net. With many JwtSecurityToken and JwtSecurityTokenHandler API's using JSON.net, we created a new assembly M.IM.JsonWebTokens (free from JSON.net) where ValidateToken returns a structure TokenValidationResult and can have easily have an async version. We are free to invent here. |
|
Sounds good |
|
Is the plan to create an async version of JwtSecurityTokenHandler, so it would be possible to call WriteToken asynchronously? It would help a lot, being able to go all async using IdentityServer4 for signing access tokens. |
|
Any status on this? We have this issue as well where we need to do an http request to an HSM to sign access tokens. Our solution right now is to use WebClient.cs instead of the recommended way of doing http requests using HttpClient.cs. HttpClient does not support synchronous requests. |
|
@mcthuesen We haven't moved forward much on this, but it is important for a number of reasons. We are not sure if this fits into our 5.x release or will need to wait for 6.0. |
|
Speaking on behalf of Azure DevOps, we'd love to have an async variant of the |
|
Pro tip: please don't close issues without linking to the commit/demo/documentation This is still an issue without a proper message of what is done |
|
I think this is missing info: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/IdentityModel-7x#sync-over-async "ValidateToken was a sync method calling an async method, which can lead to threadpool starvation when on the hot path, this method has been deprecated, please use ValidateTokenAsync instead. See issue #2253 for details." Also note this issue when upgrading the nugets: https://stackoverflow.com/a/77121911 |
|
I'm sorry but I don't see how this issue is actually solved? |
|
@ownerer All of the async improvements appear to have gone into |
|
Thanks for that info @kroymann , but the |
|
@ownerer we are aware of the issue with the sync delegates. |
|
@brentschmaltz , aha ok. |
|
@ownerer we are fully booked until the new year, but new async delegates that return a typeof ValidationResult to avoid logging or throwing when multiple identity providers are in play and the second one succeeds, is important work that we are planning early next year. |
|
>... This is done as part of IdentityModel 7x, please try with latest version and reopen if necessary. ... @jennyf19 , @brentschmaltz , please re-open the issue given, as outlined in the few above comments, it is not really fixed. Alternatively, if it is tracked by another tracking work item on GitHub - please share the link. |
|
@Pikhulya reopened |
|
Are there any examples I can use in order to change my code to use |
|
@HarelM marked this a .net9 as we are going to be modifying our Delegates to make them async and return a ValidationResult rather than throwing. |
brentschmaltz
added
IdentityModel8x
|
Yeah, I'm not going to wait for .net 9 just to find out the documentation is poor again and that I can't figure out how to properly migrate my current code. |
|
@HarelM we will aim to get this into our current workstream. by referring to .NET 9, we do not mean Nov 2024. Please follow this issue for updates. Appreciate the feedback and we will do better with documentation moving forward. |
jennyf19
added
P2
|
related issue: #2711 |
|
So are we going to get this until 2077? 😂 😂 😂 😂 😂 😂 😂 Maybe in .NET 20. Sorry won't make it for .NET 10 |
and others
There are a number of places where
JWTSecurityTokenHandlercalls into user provided methods that may be doing some IO (e.g., database or remote calls) but they do so in a synchronous way.One example of such a place is with JWT signature validation. The user can provide their own
SignatureValidatororIssuerSigningKeyResolver. The act of validating a signature or resolving signing keys may require an interaction with an external server.For a real-world example, Google rotates its signing keys regularly (rumor is daily) and you can get the latest public key in JWK format here. Unfortunately, it is not possible to know when they are going to roll their keys so an application that is attempting to validate Google issued JWTs will need to hit that endpoint to retrieve the latest signing key. The application could be optimized to cache the signing keys but that is still an async operation and it is entirely up to Google as to how often they rotate their keys (they could start rotating them for every request if they wanted).
Another real-world example once again with Google's authentication, Google supports sending the token to here for validation rather rather than doing the validation locally. If one wants to use this mechanism then every token validation would be a remote call.
Unfortunately, I recognize that the current API is very async un-friendly and the interfaces it implements are also not async-friendly but I wanted to get this filed anyway in hopes that at some point things can be improved to support modern asynchronous use cases.
The text was updated successfully, but these errors were encountered: