Comments (4)
@brockallen Can we do something that will check the existing keys' expiration or creation date before creating a new one?
from identityserver.
@brockallen Can we do something that will check the existing keys' expiration or creation date before creating a new one?
What makes that hard is that there could be multiple load balanced instances of identity server all simultaneously attempting to create keys. Since our store interface is very much abstracted from the underlying data store and identityserver as a framework doesn't know anything about the architecture/deployment/scaling, we've avoided attempts to create some kind of distributed lock in the past. Instead, we have some heuristics that have given us good results: we always use the oldest applicable key for signing, and we update the cache more frequently when we're initializing keys. In practice, this tends to give usable results, but we think cleaning up the keys that won't ever be used will make operations easier, because there won't be these spurious keys hanging around.
@brockallen @josephdecock Do you have any update on this topic? This indeed leads to a race condition. We are currently checking whether we can switch to the provided automated key management, but noticed this exact behavior. When multiple instances try to create a new key for rotation purposes, the instances end up with different states and also announce different sets of keys via openid-configuration/jwks.
What would be your suggestion for how to handle this in the short term? My current approach is to provide a custom IConcurrencyLock<KeyManager>. That, however, also does not feel ideal, since the Unlock is not async while the Lock is, and because it is in the Internal namespace.
This conversation continued over a different support channel, but in case anyone is interested in this thread, in brief:
We think that it is usually fine to have some eventual consistency in the nodes and their jwks output, since new keys aren't used until after the propagation delay of two weeks. Two weeks is enough time for the nodes to get to a consistent state and for Clients and APIs to update their cached jwks.