You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
During Cold Start, the JwtOptionsBuilder.cs file encounters a bug where the signingKeyCachingProvider.SigningKeys property is null, leading to a 401 "Authorization has been denied for this request" response. The root cause of this issue is that the signingKeyCachingProvider attempts to use the SigningKeys property before the background thread responsible for retrieving the keys completes its execution.
To mitigate this bug, a solution is needed that ensures the availability of signing keys before they are utilized. One approach is to use the following code snippet to wait until the SigningKeys property of the SigningKeyCachingProvider class is not null before proceeding with execution:
// Wait for background thread to populate SigningKeysTimeSpantimeout= TimeSpan.FromSeconds(8);DateTimestartTime= DateTime.UtcNow;while(signingKeyCachingProvider.SigningKeys ==null&&(DateTime.UtcNow -startTime)<timeout){/*wait*/}
Another approach involves using a SemaphoreSlim object with an initial count of 0 to coordinate the retrieval of signing keys. When the metadata is refreshed, the background thread can acquire the semaphore, retrieve the signing keys, and release the semaphore. Meanwhile, the main thread can wait on the semaphore until it is signaled by the background thread, indicating that the signing keys are available.
Implementing either of these approaches will ensure that the signing keys are available before they are used, preventing any null reference exceptions or related errors that may occur when the keys are not yet available.
What is expected to happen?
GET call to Web API after cold start should return 200
What is the actual behavior?
Get call to Web API after cold start returns 401 "Authorization has been denied for this request"
Reproduction Steps?
Rebuild and redeploy Web API to IIS.
Call GET method to Web API.
delayed-byte
changed the title
Title: 401 response during Web API Cold Start in JwtOptionsBuilder.cs
Title: 401 response during Web API Cold Start (issue in JwtOptionsBuilder.cs)
Jul 8, 2023
Thanks for reporting this issue. I'll file an internal ticket to be reviewed and prioritized by the team.
Would you mind sharing any minimal sample project or a Fiddler log?
Also, PRs are welcome; If you feel confident with your proposed solution, feel free to file a PR, and we'll review it.
Call blocking method RetrieveMetadata() in provider constructor, instead of non-blocking caching method RefreshMetadata(). Ensures that construction of the provider causes a fetch of signing keys on the backchannel, eliminates race conditions that lead to 401 Unauthorized responses on cold start. Fixesokta#249 and okta#243
Describe the bug?
During Cold Start, the JwtOptionsBuilder.cs file encounters a bug where the
signingKeyCachingProvider.SigningKeys
property is null, leading to a 401 "Authorization has been denied for this request" response. The root cause of this issue is that thesigningKeyCachingProvider
attempts to use theSigningKeys
property before the background thread responsible for retrieving the keys completes its execution.To mitigate this bug, a solution is needed that ensures the availability of signing keys before they are utilized. One approach is to use the following code snippet to wait until the
SigningKeys
property of theSigningKeyCachingProvider
class is not null before proceeding with execution:Another approach involves using a
SemaphoreSlim
object with an initial count of 0 to coordinate the retrieval of signing keys. When the metadata is refreshed, the background thread can acquire the semaphore, retrieve the signing keys, and release the semaphore. Meanwhile, the main thread can wait on the semaphore until it is signaled by the background thread, indicating that the signing keys are available.Implementing either of these approaches will ensure that the signing keys are available before they are used, preventing any null reference exceptions or related errors that may occur when the keys are not yet available.
What is expected to happen?
GET call to Web API after cold start should return 200
What is the actual behavior?
Get call to Web API after cold start returns 401 "Authorization has been denied for this request"
Reproduction Steps?
Rebuild and redeploy Web API to IIS.
Call GET method to Web API.
Additional Information?
This is related to
Cache signing keys and update them periodically in order to avoid deadlocks #129
.NET Version
Web API
.NET 4.8
SDK Version
Okta. AspNet 3.2.2
OS version
No response
The text was updated successfully, but these errors were encountered: