Introduces a lock while loading credentials from Credential Source #2438
Conversation
IdWeb detects when client certificates were rotated because AAD returns an explicit error.
On this error, IdWeb calls ResetCredentials, and retries the call, which triggers reloading the certificate. This happens here: microsoft-identity-web/src/Microsoft.Identity.Web.TokenAcquisition/TokenAcquisition.cs Lines 172 to 178 in cc6fc99
IdWeb does not do anything with the decrypt certificate, as the guidance (with IdWeb) is for service owners to provide several decrypt credentials, and Wilson tries them all.
LGTM
Thanks @sruke
I proposed a small tweak.
Summary of the changes
Ensure multiple requests don't attempt to load the same credentialDescription concurrently.
Description
When a customer configures the source of a token decryption certificate in the inbound policy, SAL attempts to load the certificate from the specified source or retrieves the cached certificate if it has been loaded previously. SAL then creates an X509SecurityKey from the certificate and adds it to InboundPolicy.TokenValidationParameters.TokenDecryptionKeys if the key was not already added. This logic is executed for every incoming token validation request, and SAL utilizes ID.Web's implementation of ICredentialLoader to retrieve the certificate.
Until the certificate is cached by ID.Web (i.e., when credentialDescription.CachedValue is set), multiple parallel requests (potentially exceeding 100 incoming requests, as indicated by Keegan) may attempt to load the same certificate from the source. This raises performance concerns, particularly when fetching the certificate involves making an HTTP request (e.g., fetching from KeyVault).
Open Questions:
Note: Unit tests will be added once the design is approved
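The race the description above is about (many validation requests racing to load one credential before `CachedValue` is set) and the fix it proposes (a lock around the load) can be shown in a few dozen lines. The following is an added illustration, not the Microsoft.Identity.Web code or the change in this PR: the `CredentialDescription` stand-in, the `LockingCredentialsLoader` class, the per-credential `SemaphoreSlim` gate and the simulated source load are all assumptions made for the example. It serializes loads of the *same* credential (keyed by a hypothetical `Id`) while leaving different credentials free to load in parallel, and re-checks the cache inside the lock so waiters that arrive late do not repeat the round trip.

```csharp
// Added example (not Microsoft.Identity.Web's DefaultCredentialsLoader):
// serialize concurrent loads of the same credential so that only one caller
// makes the trip to the source (e.g. Key Vault); the rest reuse CachedValue.
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-in for ID.Web's CredentialDescription; only the members
// this example needs. Id is an assumed key for the per-credential lock.
public sealed class CredentialDescription
{
    public string Id { get; init; } = "";
    public object? CachedValue { get; set; }
}

public sealed class LockingCredentialsLoader
{
    // One gate per credential id: loads of different credentials still run in parallel.
    private readonly ConcurrentDictionary<string, SemaphoreSlim> _gates = new();
    private readonly Func<CredentialDescription, Task<object>> _loadFromSource;
    private int _sourceLoads;

    // Number of real trips to the source; used below to show the lock's effect.
    public int SourceLoads => _sourceLoads;

    public LockingCredentialsLoader(Func<CredentialDescription, Task<object>> loadFromSource)
        => _loadFromSource = loadFromSource;

    public async Task LoadCredentialsIfNeededAsync(CredentialDescription cred)
    {
        // Fast path: already cached, no lock needed.
        if (cred.CachedValue != null) return;

        var gate = _gates.GetOrAdd(cred.Id, _ => new SemaphoreSlim(1, 1));
        await gate.WaitAsync().ConfigureAwait(false);
        try
        {
            // Re-check inside the lock: a concurrent caller may have just finished the load.
            if (cred.CachedValue != null) return;

            Interlocked.Increment(ref _sourceLoads);
            cred.CachedValue = await _loadFromSource(cred).ConfigureAwait(false);
        }
        finally
        {
            gate.Release();
        }
    }

    // Rotation path mentioned in the review: clear the cached value so the next
    // request reloads the credential from its source (again under the lock).
    public void ResetCredentials(CredentialDescription cred) => cred.CachedValue = null;
}

public static class Demo
{
    public static async Task Main()
    {
        var loader = new LockingCredentialsLoader(async cred =>
        {
            await Task.Delay(50); // constructed stand-in for a Key Vault round trip
            return $"certificate-for-{cred.Id}";
        });
        var cred = new CredentialDescription { Id = "decrypt-cert" };

        // 100 parallel validation requests racing on the same credential.
        var tasks = new Task[100];
        for (int i = 0; i < tasks.Length; i++)
            tasks[i] = loader.LoadCredentialsIfNeededAsync(cred);
        await Task.WhenAll(tasks);

        // With the lock this prints 1; without it, up to 100 loads could have hit the source.
        Console.WriteLine($"source loads: {loader.SourceLoads}");
        Console.WriteLine($"cached value: {cred.CachedValue}");
    }
}
```

The gate is a `SemaphoreSlim(1, 1)` rather than `lock` because the load is awaited; a C# `lock` cannot span an `await`. Keying the gate by credential keeps the fix from turning into a global serialization point when a service has several credentials configured.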