ClientCredentialsClient IOptions Change Propagation Issue #519

Closed
tleblanc159 opened this issue Feb 2, 2023 · 4 comments

tleblanc159 commented Feb 2, 2023

Which version of Duende IdentityServer are you using?
1.0.0

Which version of .NET are you using?
.NET 6

Describe the bug
When configuring the ClientCredentialsClient in ConfigureServices using services.Configure<ClientCredentialsClient>("client-name", _configuration.GetSection("config-section")), changes made in the configuration are not respected by the named ClientCredentialsClient IOptions instance. For instance, after locally updating a value in appsettings.json, I can see the updated value reflected in the IConfiguration instance, but this updated value is not propagated to the IOptions instance.

This IOptions instance is injected into the ClientCredentialsTokenEndpointService using the IOptionsSnapshot interface. The ClientCredentialsTokenEndpointService service has a Transient lifetime (added to the container using services.AddClientCredentialsTokenManagement()). The instance of the IOptionsSnapshot injected should have a Scoped lifetime, meaning that each new request should regenerate a given named IOptions instance, retrieving any updated values from the configuration provider. Regardless, the cached value of the IOptions instance is never updated.

The IOptions instance lifetime is as expected when injecting it using the IOptionsSnapshot interface in an MVC controller, i.e. a new given IOptions named instance is created, pulling config provider values, on every request.

The ClientCredentialsTokenHandler is added to my HttpClient using the AddClientCredentialsTokenHandler extension method, e.g.:

services.AddHttpClient<SvcClient>(SvcClient.ConfigureClient)
        .ConfigurePrimaryHttpMessageHandler(GetDefaultSocketsHttpHandler)
        .AddClientCredentialsTokenHandler("client-name");

To Reproduce

public void ConfigureServices(IServiceCollection services)
{
    services.AddClientCredentialsTokenManagement();
    
    services.Configure<ClientCredentialsClient>("client-name", _configuration.GetSection("config:section"));
    
    services.AddHttpClient<SvcClient>(SvcClient.ConfigureClient)
            .ConfigurePrimaryHttpMessageHandler(GetDefaultSocketsHttpHandler)
            .AddClientCredentialsTokenHandler("client-name");
}

private SocketsHttpHandler GetDefaultSocketsHttpHandler()
{
    return new()
    {
        AllowAutoRedirect = true,
        EnableMultipleHttp2Connections = true,
        MaxConnectionsPerServer = int.MaxValue,
        MaxResponseHeadersLength = int.MaxValue,
        PooledConnectionLifetime = TimeSpan.FromMinutes(1)
    };
}

After making a successful HttpClient call (i.e. OAuth token was retrieved successfully), change the configuration value that the ClientCredentialsClient IOptions is bound to. This can be achieved by changing appsettings.json values locally.

Expected behavior

IOptionsSnapshot instance receives updated configuration values.

Log output/exception with stacktrace
N/A

Additional context

I fixed this issue simply by changing the IOptions interface injected into ClientCredentialsTokenEndpointService from IOptionsSnapshot to IOptionsMonitor (ref: https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/options?view=aspnetcore-6.0#options-interfaces).

However, IOptionsSnapshot should work as intended here.

Changing:

public ClientCredentialsTokenEndpointService(
        IHttpClientFactory httpClientFactory,
        IOptionsSnapshot<ClientCredentialsClient> options,
        ...

to

public ClientCredentialsTokenEndpointService(
        IHttpClientFactory httpClientFactory,
        IOptionsMonitor<ClientCredentialsClient> options,
        ...

@tleblanc159 (Author)

@damianh @brockallen @josephdecock @leastprivilege

Is this the right place for this issue? I wasn't given an option to report an issue with Duende.AccessTokenManagement, so I went with IdentityServer.

@brockallen brockallen transferred this issue from DuendeSoftware/Support Feb 3, 2023
@leastprivilege (Member)

Thanks! We will look into it.

@leastprivilege leastprivilege self-assigned this Feb 15, 2023
@leastprivilege leastprivilege transferred this issue from DuendeSoftware/Duende.AccessTokenManagement Feb 16, 2023
@leastprivilege (Member)

Maybe related to #516

@leastprivilege (Member)

pushing v1.1 right now
