Replies: 2 comments
- One thing ChatGPT recommends I do:
  But I am not sure if there are better methods out there.
- Something that might be of interest to your use of refresh tokens: https://docs.duendesoftware.com/identityserver/v7/bff/tokens/#reuse-of-refresh-tokens
Original post:

We have a BFF setup where we use Cookie Authentication together with OpenID Connect. The Cookie Authentication is configured with a Redis Cache as `ITicketStore`. We use `Duende.AccessTokenManagement.OpenIdConnect`, which uses the `AuthenticationProperties` to store access tokens and refresh tokens.

This all works great as long as we only have one BFF instance. As soon as we have multiple BFF instances, we face some concurrency issues when refreshing the access tokens. The root cause of this is that our IDP invalidates the refresh token once used. So if two requests come in, each routed to a different instance of the BFF, and both try to refresh the access token, only one succeeds and the other fails.

We tried to work around this by putting a distributed lock before the refreshing mechanism. But the issue remains, because the second request, which had to wait for the lock of the first request, already loaded its `AuthenticationProperties` earlier in the request pipeline. The second request then tries to refresh its access token with an outdated refresh token.

So my question is, what are we missing? :D

Is there a way to force reload the `AuthenticationProperties` from the Redis Cache (same as if it were a brand-new request)? We tried to use `.HttpContext.AuthenticateAsync(parameters.SignInScheme)`, but this seems to do nothing but return the already loaded stuff from earlier. What I am looking for is a way to tell the cookie auth handler that it probably has outdated data and needs to reload from the `ITicketStore`.

Also, I am open to any other suggestion to solve this correctly. It's totally possible that there are better ways to solve this kind of issue :)
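The race the post describes, and the fix that the distributed lock alone does not give you, as an added example that is not part of the original discussion and not Duende or ASP.NET Core code. It is a Python simulation: `RotatingIdp`, `SharedTicketStore`, `Ticket`, the session key and the token values are all constructed stand-ins for the one-time-use refresh token at the IdP, the Redis-backed `ITicketStore`, and the token pair kept in `AuthenticationProperties`. Two "instances" load the same ticket before either takes the lock, exactly as the cookie handler does early in the pipeline. `naive_refresh` locks and then refreshes with the snapshot it already holds, so the loser of the lock sends a rotated token and fails. `rereading_refresh` re-reads the ticket from the shared store inside the lock and only calls the IdP if the refresh token it loaded is still the current one; otherwise it adopts the tokens the other instance already stored.

```python
import threading
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


class InvalidGrant(Exception):
    """Raised by the constructed IdP when a rotated refresh token is reused."""


class RotatingIdp:
    """Stand-in for an IdP that invalidates a refresh token once it is used."""

    def __init__(self, initial_refresh_token: str) -> None:
        self._current = initial_refresh_token
        self._counter = 0
        self.refresh_calls = 0
        self._lock = threading.Lock()

    def refresh(self, refresh_token: str) -> Tuple[str, str]:
        """Return (access_token, new_refresh_token); reject anything but the current token."""
        with self._lock:
            self.refresh_calls += 1
            if refresh_token != self._current:
                raise InvalidGrant("refresh token already used")
            self._counter += 1
            self._current = f"rt-{self._counter}"
            return f"at-{self._counter}", self._current


@dataclass(frozen=True)
class Ticket:
    """The part of the stored session we care about: the two tokens."""
    access_token: str
    refresh_token: str


class SharedTicketStore:
    """Stand-in for the Redis-backed ticket store shared by all BFF instances."""

    def __init__(self) -> None:
        self._tickets: Dict[str, Ticket] = {}
        self._lock = threading.Lock()

    def get(self, key: str) -> Ticket:
        with self._lock:
            return self._tickets[key]

    def put(self, key: str, ticket: Ticket) -> None:
        with self._lock:
            self._tickets[key] = ticket


def naive_refresh(key: str, loaded: Ticket, store: SharedTicketStore,
                  idp: RotatingIdp, lock: threading.Lock) -> Ticket:
    """Lock, then refresh with the ticket loaded earlier in the pipeline (the post's failing approach)."""
    with lock:
        at, rt = idp.refresh(loaded.refresh_token)   # stale for whoever waited on the lock
        fresh = Ticket(at, rt)
        store.put(key, fresh)
        return fresh


def rereading_refresh(key: str, loaded: Ticket, store: SharedTicketStore,
                      idp: RotatingIdp, lock: threading.Lock) -> Ticket:
    """Lock, re-read the ticket from the shared store, refresh only if nobody else did."""
    with lock:
        current = store.get(key)
        if current.refresh_token != loaded.refresh_token:
            # Another instance rotated the token while we waited: adopt its result, no IdP call.
            return current
        at, rt = idp.refresh(current.refresh_token)
        fresh = Ticket(at, rt)
        store.put(key, fresh)
        return fresh


def simulate(strategy, instances: int = 2) -> dict:
    """Run `instances` concurrent refreshes that all start from the same loaded ticket."""
    idp = RotatingIdp("rt-0")
    store = SharedTicketStore()
    key = "session-abc"                      # constructed session key
    store.put(key, Ticket("at-0", "rt-0"))
    lock = threading.Lock()                  # stands in for the distributed lock
    barrier = threading.Barrier(instances)
    outcomes: list[Optional[Ticket]] = [None] * instances

    def worker(i: int) -> None:
        loaded = store.get(key)              # cookie handler loads the ticket early in the pipeline
        barrier.wait()                       # every instance now holds the same soon-to-be-stale snapshot
        try:
            outcomes[i] = strategy(key, loaded, store, idp, lock)
        except InvalidGrant:
            outcomes[i] = None

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(instances)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return {
        "successes": sum(1 for o in outcomes if o is not None),
        "idp_calls": idp.refresh_calls,
        "final": store.get(key),
        "outcomes": outcomes,
    }


if __name__ == "__main__":
    print("naive:    ", simulate(naive_refresh))
    print("rereading:", simulate(rereading_refresh))
```

The point the simulation makes is that the lock must guard the read of the ticket as well as the refresh call: the comparison of the refresh token you loaded against the one currently in the store is what turns the lock into a correct double-checked refresh, and it means the waiting instance never calls the IdP at all. In an ASP.NET Core BFF the "re-read inside the lock" step maps to fetching the ticket from the `ITicketStore` (or the token store) again rather than trusting the `AuthenticationProperties` the cookie handler populated at the start of the request. Two caveats a practitioner would add: the pattern still leaves a window if an instance crashes after the IdP rotated the token but before the new pair is written to the store, and the complementary mitigation is on the IdP side, namely allowing a used refresh token to be reused within a short grace period, which is what the second reply's link is about.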