MessageHandler doesn't throw when a Shared Access Key changes

[SeanFeldman]

Actual Behavior

1. Message handler is registered running with a connection string that is using the original shared access key.
2. MessageHandlerOptions is registered with ExceptionReceivedEventsArgs callback.
3. Shared access key is re-generated
4. Message handler doesn't throw an exception and endpoint appears to be working as usual.

Expected Behavior

When shared access key used with connection string is changed, exception should be raised as endpoint is not able to receive anything and looks like "stack" with a connection that is a zombie.

Versions

Windows, ASB client v2.0.0

[SeanFeldman]

Exhibits same behavior as the old client

[clemensv]

The access check is performed when the link to the entity is established. If the token is validly signed at the instant the check is performed, access is granted for the token validity period and for as long as the link is maintained.

If you're obtaining an identity token from an identity provider (AAD, etc) using some identity and credential, and then obtain an access token based on some token trade rule, the access token also remains valid for the issued period, even if your credential in AAD gets revoked or the account gets deleted altogether.

The mitigation is to make tokens shorter lived. The service does observe token expiration.