Hello, I've noticed that when the Authority server's response is not successful it will return a 401 HTTP status, despite of the Authority server's response.
As clients assume that a 401 means get a new token, this can cause an infinite loop, when there's an URL mismatch problem. For example:
Authority server is up and running fine.
ClientA requests a Reference AccessToken and uses it to make an HTTP call to ApiA
ApiA is not configured properly, and is pointing to an invalid Authority URL, so it responds with 401.
ClientA assumes that a 401 means request a new token, so it requests a new token and retries the HTTP call, which will continue to return a 401.
Looking at the ValidationEndpointTokenProvider,I don't see a proper way of overriding this behavior. I thought about creating a BackchannelHttpHandler, and set a flag in the OwinContext when there's an error on an HTTP call, but I don't see a way of getting the OwinContext inside the handler since the handler is instantiated when configuring the middleware.
Hello, I've noticed that when the Authority server's response is not successful it will return a 401 HTTP status, despite of the Authority server's response.
As clients assume that a 401 means get a new token, this can cause an infinite loop, when there's an URL mismatch problem. For example:
Looking at the ValidationEndpointTokenProvider,I don't see a proper way of overriding this behavior. I thought about creating a
BackchannelHttpHandler
, and set a flag in the OwinContext when there's an error on an HTTP call, but I don't see a way of getting the OwinContext inside the handler since the handler is instantiated when configuring the middleware.Can someone shed some light on this?