IdentityModel / IdentityModel.AspNetCore.OAuth2Introspection

ASP.NET Core authentication handler for OAuth 2.0 token introspection
Apache License 2.0

Issue with adding Request Cancelation Token to Introspection Request #177

Open bmendonca21 opened 1 year ago

bmendonca21 commented 1 year ago

With the lazy introspection call being shared by potentially multiple client requests, adding the request cancellation token to the introspection request is problematic. In effect, if the request that wins the contest to add its introspection call gets canceled by the client, subsequent requests that are reusing that call will have their introspection call get canceled as well, which is not a desired behavior. Please consider removing the request cancellation token on the introspection request or stop sharing introspection requests across multiple client requests.
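The failure mode described in the post above, as an added example that is not code from this thread or from the library: two requests share one lazily started introspection task and the first request is aborted. `IntrospectAsync`, `RunAsync` and `Authenticate` are hypothetical names, the token and result are constructed, and the second variant (no caller token on the shared call, `Task.WaitAsync` per caller, .NET 6+) is one possible arrangement, not the project's fix.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

// Hypothetical stand-in for the introspection HTTP call (not the library's code).
static async Task<bool> IntrospectAsync(string token, CancellationToken ct)
{
    await Task.Delay(200, ct);   // simulated network round trip
    return true;                 // constructed result: token is active
}

// Runs two concurrent "requests" for the same token; the first one is aborted.
// Returns what the second, non-aborted request observes.
static async Task<string> RunAsync(bool passCallerTokenToSharedCall)
{
    var inflight = new ConcurrentDictionary<string, Lazy<Task<bool>>>();

    Task<bool> Authenticate(string token, CancellationToken requestAborted)
    {
        // Only the caller that wins GetOrAdd has its factory executed.
        var shared = inflight.GetOrAdd(token, t => new Lazy<Task<bool>>(() =>
            IntrospectAsync(t, passCallerTokenToSharedCall
                ? requestAborted            // behaviour described in the issue
                : CancellationToken.None))  // shared work bound to no single caller
        ).Value;
        // Each caller can still stop waiting on its own token without cancelling the shared call.
        return passCallerTokenToSharedCall ? shared : shared.WaitAsync(requestAborted);
    }

    using var firstAborted = new CancellationTokenSource();
    using var secondAborted = new CancellationTokenSource();
    var first = Authenticate("constructed-token", firstAborted.Token);
    var second = Authenticate("constructed-token", secondAborted.Token);
    firstAborted.Cancel();   // the first client disconnects

    try { await first; } catch (OperationCanceledException) { }
    try
    {
        return $"second request: active={await second}, its own token cancelled={secondAborted.IsCancellationRequested}";
    }
    catch (OperationCanceledException e)
    {
        return $"second request: {e.GetType().Name}, its own token cancelled={secondAborted.IsCancellationRequested}";
    }
}

Console.WriteLine("caller token passed:  " + await RunAsync(true));
Console.WriteLine("caller token dropped: " + await RunAsync(false));
```

With the caller token passed into the shared call, the second request fails with `TaskCanceledException` although its own token was never cancelled; with the token dropped, it completes.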

gao-artur commented 1 year ago

I believe you are talking about this change https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection/pull/173. If so, that may explain all the TaskCanceledExceptions we observe after upgrading from 6.0.0 to 6.2.0. The part that made me crazy was that HttpContext.RequestAborted.IsCancellationRequested is false most of the time. With your explanation, all that makes sense now.

leastprivilege commented 1 year ago

Hi,

Thanks. We will look into it.

rasmus-s commented 1 year ago

We had also seen this issue (where we got "A task was canceled" exceptions and the HttpContext.RequestAborted.IsCancellationRequested was false).

We include the IdentityModel.AspNetCore.OAuth2Introspection project as source code from tag 6.2.0 in our solution, and the only change we made was to bump the IdentityModel NuGet package from 6.0.0 -> 6.1.0.

Then it all worked as it should and we stopped getting the "A task was canceled" exceptions from the introspection request.
Hope it helps others.