GithubHelp home page GithubHelp logo

Comments (4)

PratikPatel-Mtech avatar PratikPatel-Mtech commented on June 13, 2024

@brockallen Can we do something that will check the existing keys' expiration or creation date before creating a new one?

from identityserver.

josephdecock avatar josephdecock commented on June 13, 2024

@brockallen Can we do something that will check the existing keys' expiration or creation date before creating a new one?

What makes that hard is that there could be multiple load balanced instances of identity server all simultaneously attempting to create keys. Since our store interface is very much abstracted from the underlying data store and identityserver as a framework doesn't know anything about the architecture/deployment/scaling, we've avoided attempts to create some kind of distributed lock in the past. Instead, we have some heuristics that have given us good results: we always use the oldest applicable key for signing, and we update the cache more frequently when we're initializing keys. In practice, this tends to give usable results, but we think cleaning up the keys that won't ever be used will make operations easier, because there won't be these spurious keys hanging around.

from identityserver.

aomader avatar aomader commented on June 13, 2024

@brockallen @josephdecock Do you have any update on this topic? This indeed leads to a race condition. We are currently checking whether we can switch to the provided automated key management, but noticed this exact behavior. When multiple instance try to a create a new key for rotation purposes, the instances end up with different states and also announce different sets of keys via openid-configuration/jwks.

What would be your suggestion how to handle this in the short term? My current approach is to provide a custom IConcurrencyLock<KeyManager>. That however also feels not ideal, since the Unlock is not async, while the Lock is, and because it is in the Internal namespace.

from identityserver.

josephdecock avatar josephdecock commented on June 13, 2024

This conversation continued over a different support channel, but in case anyone is interested in this thread, in brief:

We think that it is usually fine to have some eventual consistency in the nodes and their jwks output, since new keys aren't used until after the propagation delay if two weeks. Two weeks is enough time for the nodes to get to a consistent state and for Clients and APIs to update their cached jwks.

from identityserver.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.