mslot

Reputation: 5224

Validating access_token when identityserver goes offline

I have set up IdentityServer4. As I understand it, my webapi that needs protection gets the public key from IdentityServer4 and uses this key to validate the signature key of the JWT. I can't seem to find any documentation that describes how often the public key is requested. Is it requested on every validation? Is it cached on the web api that needs validation?

Can I apply some kind of caching for the public key, or does this happen automatically?

For the web api I use standard .NET Core identity to setup validation for the Bearer:

        services.AddAuthentication("JWT")
                .AddJwtBearer("JWT", options =>
                {
                    options.Authority = "https://identityserver4.tld";
                    options.RequireHttpsMetadata = false;
                    options.Audience = "webapi";
                });

It seems like I can use some of this code, from here: https://devblogs.microsoft.com/aspnet/jwt-validation-and-authorization-in-asp-net-core/:

    var tokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidateIssuer = true,
        ValidIssuer = "http://localhost:5000/",
        IssuerSigningKey = new X509SecurityKey(new X509Certificate2(certLocation)),
    };

    app.UseJwtBearerAuthentication(new JwtBearerOptions()
    {
        Audience = "http://localhost:5001/",
        AutomaticAuthenticate = true,
        TokenValidationParameters = tokenValidationParameters
    });

This will give me the public key locally, but still: how often is the public key fetched when not using the above tokenValidationParameters?

Upvotes: 1

Views: 1346

Answers (1)

Vidmantas Blazevicius

Reputation: 4802

The default authentication middleware in ASP.Net Core will call the discovery endpoint on your options.Authority uri and will cache the public key (as well as other configuration info) that the identity provider specifies. The caching currently happens when authentication occurs for the first time. Last time I checked, an in-memory cache was being used to store the identity provider configuration (such as the public key).

Looks like this currently happens in the PostConfigure(...) function here.

Apparently, you could theoretically plug in your own management of the identity provider configuration by providing an implementation of the below interface in your JwtBearerOptions according to the source code.

    /// <summary>
    /// Responsible for retrieving, caching, and refreshing the configuration from metadata.
    /// If not provided, then one will be created using the MetadataAddress and Backchannel properties.
    /// </summary>
    public IConfigurationManager<OpenIdConnectConfiguration> ConfigurationManager { get; set; }

The default implementation uses OpenIdConnectConfigurationRetriever for which you can find the source code here.

Upvotes: 2
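As an added example (not code from the question, the answer, or the IdentityServer4 project), this shows how the `ConfigurationManager` hook described in the answer can be supplied explicitly so that the refresh behaviour is visible and tunable, using the `Authority` and `Audience` values from the question. Once a configuration has been fetched successfully, `ConfigurationManager<T>` keeps returning the cached copy when a later refresh fails, so an API process that has already validated one token keeps validating while the identity provider is unreachable; the refresh intervals chosen here are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public static class JwtBearerSetup
{
    // Registers JWT bearer authentication with an explicit metadata cache
    // instead of the one JwtBearerPostConfigureOptions would otherwise build.
    public static IServiceCollection AddTunedJwtBearer(this IServiceCollection services)
    {
        const string authority = "https://identityserver4.tld"; // value from the question

        // Same retriever the default implementation uses, pointed at the
        // discovery document that lists the issuer and the JWKS (public keys).
        var configurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            authority.TrimEnd('/') + "/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever(new HttpClient()) { RequireHttps = true })
        {
            // How long a fetched configuration is reused before the manager
            // refetches it in the background (library default is 24 hours).
            AutomaticRefreshInterval = TimeSpan.FromHours(12), // assumed value

            // Minimum spacing between forced refreshes (library default is 30s),
            // which bounds how often a flood of tokens with unknown 'kid' values
            // can make the API hit the discovery endpoint.
            RefreshInterval = TimeSpan.FromMinutes(5), // assumed value
        };

        services.AddAuthentication("JWT")
            .AddJwtBearer("JWT", options =>
            {
                options.Authority = authority;
                options.Audience = "webapi"; // value from the question
                options.ConfigurationManager = configurationManager;

                // When a token's signing key is not in the cached JWKS, request one
                // refresh (subject to RefreshInterval) before rejecting the token,
                // so a routine key rollover on the identity provider does not
                // cause rejections until the next automatic refresh.
                options.RefreshOnIssuerKeyNotFound = true;
            });

        return services;
    }
}
```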
