Add Async pattern for TokenValidation
There are a number of places where JwtSecurityTokenHandler calls into user-provided methods that may be doing some IO (e.g., database or remote calls), but they do so in a synchronous way.
One example of such a place is JWT signature validation. The user can provide their own SignatureValidator or IssuerSigningKeyResolver. The act of validating a signature or resolving signing keys may require an interaction with an external server.
For a real-world example, Google rotates its signing keys regularly (rumor is daily) and you can get the latest public key in JWK format here. Unfortunately, it is not possible to know when they are going to roll their keys so an application that is attempting to validate Google issued JWTs will need to hit that endpoint to retrieve the latest signing key. The application could be optimized to cache the signing keys but that is still an async operation and it is entirely up to Google as to how often they rotate their keys (they could start rotating them for every request if they wanted).
Another real-world example, once again with Google’s authentication: Google supports sending the token to here for validation rather than doing the validation locally. If one wants to use this mechanism then every token validation would be a remote call.
Unfortunately, I recognize that the current API is very async un-friendly and the interfaces it implements are also not async-friendly but I wanted to get this filed anyway in hopes that at some point things can be improved to support modern asynchronous use cases.
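The workaround practitioners use today for the Google key-rotation case described above, as an added example in C# that is not part of the issue or of the library's own samples: do the network IO asynchronously outside the handler with ConfigurationManager<OpenIdConnectConfiguration> (Microsoft.IdentityModel.Protocols.OpenIdConnect), hand the cached keys to the synchronous ValidateToken as in-memory SecurityKeys, and force a single refresh and retry when the token's kid is not in the cached set. The discovery URL and issuer values are Google's published ones; the class name, the clientId parameter and the refresh intervals are assumptions chosen for the example.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Added example (not library code): all IO happens in ConfigurationManager,
// which fetches and caches Google's discovery document and JWKS asynchronously.
// The synchronous JwtSecurityTokenHandler only ever sees in-memory keys.
public sealed class GoogleIdTokenValidator
{
    private readonly ConfigurationManager<OpenIdConnectConfiguration> _configManager;
    private readonly JwtSecurityTokenHandler _handler = new JwtSecurityTokenHandler();
    private readonly string _clientId; // the OAuth client ID the id_token must be issued for (assumed input)

    public GoogleIdTokenValidator(string clientId, IDocumentRetriever retriever = null)
    {
        _clientId = clientId;
        _configManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            "https://accounts.google.com/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            retriever ?? new HttpDocumentRetriever()) // HttpDocumentRetriever requires https by default
        {
            // Intervals are example values: re-fetch in the background at most every 12h,
            // and never honour RequestRefresh() more often than every 5 minutes.
            AutomaticRefreshInterval = TimeSpan.FromHours(12),
            RefreshInterval = TimeSpan.FromMinutes(5),
        };
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string idToken, CancellationToken ct)
    {
        OpenIdConnectConfiguration config =
            await _configManager.GetConfigurationAsync(ct).ConfigureAwait(false);
        try
        {
            return Validate(idToken, config);
        }
        catch (SecurityTokenSignatureKeyNotFoundException)
        {
            // The token's kid is not in the cached key set: Google may have rotated keys.
            // Ask for one refresh (rate-limited by RefreshInterval) and retry exactly once;
            // a second miss is a genuine failure and propagates to the caller.
            _configManager.RequestRefresh();
            config = await _configManager.GetConfigurationAsync(ct).ConfigureAwait(false);
            return Validate(idToken, config);
        }
    }

    private ClaimsPrincipal Validate(string idToken, OpenIdConnectConfiguration config)
    {
        var parameters = new TokenValidationParameters
        {
            // Google issues id_tokens with either issuer form.
            ValidIssuers = new[] { "https://accounts.google.com", "accounts.google.com" },
            ValidAudience = _clientId,
            IssuerSigningKeys = config.SigningKeys, // already in memory: no IO inside the handler
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(2),
            // Pin the algorithm so a token that names a weaker or symmetric alg is rejected.
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 },
        };
        return _handler.ValidateToken(idToken, parameters, out _);
    }
}
```

The SignatureValidator and IssuerSigningKeyResolver delegates are synchronous, so a network call inside either one would block a thread-pool thread (or, with sync-over-async, risk a deadlock); keeping the fetch in ConfigurationManager sidesteps that without waiting for an async handler API. RefreshInterval also matters for security: without it, anyone able to present tokens with arbitrary kid values could make the service hammer the JWKS endpoint on every request.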
Issue Analytics
- Created 7 years ago
- Reactions: 27
- Comments: 53 (17 by maintainers)
Top GitHub Comments
Hello, what’s happened to this issue? It seems there’s been no activity for a year.
@rmandvikar I know it has been on the list for a while and we finally inched towards this gap.
We have a couple of items before we can think about getting this into a release. This is mainly about having Asp.Net 7.0 use 6.x as the default and use JsonWebTokenHandler / JsonWebToken:
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1726
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1654
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1426
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1197
- https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1160
Using System.Text.Json does away with all our splitting and translating from string -> bytes -> string, as in: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/issues/1805