TokenValidationParameters has IssuerSigningKeyResolver that provides you a kid of the required key immediately.
Adjusting TokenHandlers in JwtServiceValidationHandler has an issue.
It gets a list of keys to check while the amount of keys to retrieve is unknown. In the perfect world you should validate against any key in the database unless it was explicitly revoked.
Another smaller issue is that it's a bit intrusive: what if a user added his own validator there and you just deleted it without telling the user about it?
My easy naive approach would be something like this:
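```csharp
IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
{
    // Resolve the store from a fresh scope, since the resolver runs outside any request scope.
    using var scope = serviceProvider.CreateScope();
    var service = scope.ServiceProvider.GetRequiredService<IJsonWebKeyStore>();
    // Look up only the key named by the token's kid (blocking call; the delegate is synchronous).
    var key = service.Get(kid).Result;
    // An empty result means no candidate key, so signature validation fails.
    return key != null ? [key.GetSecurityKey()] : [];
},
```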
In this case I'm not sure if the `GetLastKeys` function is needed at all.
In this case `IJsonWebKeyStore` can have a cache on `kid` directly and doesn't have to cache the whole set of keys.
Note: in .NET 9 there will be a possibility to make it async.
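A sketch of the per-`kid` cache suggested in the issue above, added here as an illustration and not taken from the project or the issue author. `IKeyLookup`, `FindActiveKey`, `KidCachingResolver` and the TTL and length values are hypothetical; the point shown is that `kid` is read from an unverified token, so misses are cached briefly and cache growth is bounded.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Extensions.Caching.Memory;
using Microsoft.IdentityModel.Tokens;

// Hypothetical abstraction standing in for the key store discussed in the issue.
public interface IKeyLookup
{
    // Assumed contract: returns null when the kid is unknown or the key was revoked.
    SecurityKey? FindActiveKey(string kid);
}

public sealed class KidCachingResolver
{
    // Assumed values: the hit TTL bounds how long a revoked key is still served from cache.
    private static readonly TimeSpan HitTtl = TimeSpan.FromMinutes(5);
    // Short negative cache so repeated unknown kids do not each reach the database.
    private static readonly TimeSpan MissTtl = TimeSpan.FromSeconds(30);
    private const int MaxKidLength = 128;

    private readonly IKeyLookup _lookup;
    private readonly IMemoryCache _cache;

    public KidCachingResolver(IKeyLookup lookup, IMemoryCache cache)
    {
        _lookup = lookup;
        _cache = cache;
    }

    // Signature matches the IssuerSigningKeyResolver delegate.
    public IEnumerable<SecurityKey> Resolve(string token, SecurityToken securityToken,
        string kid, TokenValidationParameters validationParameters)
    {
        // kid comes from the token header before any signature check: treat it as untrusted.
        if (string.IsNullOrEmpty(kid) || kid.Length > MaxKidLength)
            return Array.Empty<SecurityKey>();

        return _cache.GetOrCreate("jwk:" + kid, entry =>
        {
            var found = _lookup.FindActiveKey(kid);
            entry.AbsoluteExpirationRelativeToNow = found != null ? HitTtl : MissTtl;
            entry.Size = 1; // counted against MemoryCacheOptions.SizeLimit when one is set
            return found != null ? new SecurityKey[] { found } : Array.Empty<SecurityKey>();
        }) ?? Array.Empty<SecurityKey>();
    }
}
```

Assign it with `IssuerSigningKeyResolver = resolver.Resolve`, and give the `MemoryCache` a `SizeLimit` so tokens carrying random `kid` values cannot grow the cache without bound.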