Title: 401 response during Web API Cold Start (issue in JwtOptionsBuilder.cs)

[delayed-byte]

Describe the bug?

During Cold Start, the JwtOptionsBuilder.cs file encounters a bug where the signingKeyCachingProvider.SigningKeys property is null, leading to a 401 "Authorization has been denied for this request" response. The root cause of this issue is that the signingKeyCachingProvider attempts to use the SigningKeys property before the background thread responsible for retrieving the keys completes its execution.
To mitigate this bug, a solution is needed that ensures the availability of signing keys before they are utilized. One approach is to use the following code snippet to wait until the SigningKeys property of the SigningKeyCachingProvider class is not null before proceeding with execution:

// Wait for background thread to populate SigningKeys
TimeSpan timeout = TimeSpan.FromSeconds(8);
DateTime startTime = DateTime.UtcNow;

while (signingKeyCachingProvider.SigningKeys == null && (DateTime.UtcNow - startTime) < timeout) {
    /*wait*/
}

Another approach involves using a SemaphoreSlim object with an initial count of 0 to coordinate the retrieval of signing keys. When the metadata is refreshed, the background thread can acquire the semaphore, retrieve the signing keys, and release the semaphore. Meanwhile, the main thread can wait on the semaphore until it is signaled by the background thread, indicating that the signing keys are available.

Implementing either of these approaches will ensure that the signing keys are available before they are used, preventing any null reference exceptions or related errors that may occur when the keys are not yet available.

What is expected to happen?

GET call to Web API after cold start should return 200

What is the actual behavior?

Get call to Web API after cold start returns 401 "Authorization has been denied for this request"

Reproduction Steps?

Rebuild and redeploy Web API to IIS.
Call GET method to Web API.

Additional Information?

This is related to
Cache signing keys and update them periodically in order to avoid deadlocks #129

.NET Version

Web API
.NET 4.8

SDK Version

Okta. AspNet 3.2.2

OS version

No response

[laura-rodriguez]

Hi @delayed-byte,

Thanks for reporting this issue. I'll file an internal ticket to be reviewed and prioritized by the team.
Would you mind sharing any minimal sample project or a Fiddler log?
Also, PRs are welcome; If you feel confident with your proposed solution, feel free to file a PR, and we'll review it.

Thanks!

Internal Ref: OKTA-628591