OpenCHAMI / deployment-recipes

Ochami deployment recipes
MIT License

[BUG] Authorization requests sometimes returning 401 when running recipes #26

Closed davidallendj closed 5 months ago

davidallendj commented 6 months ago

Describe the bug
When running the deployment recipes, both SMD and BSS will try to fetch a JWKS from the authorization server (Hydra) to verify incoming JWTs are valid. Hydra will generate a new key pair when the request is made if the pair does not already exist. If both micro-services try to fetch the JWKS roughly at the same time, Hydra will try to generate the pair twice. This will cause all authorization requests to return a 401 from both micro-services.

To Reproduce
Steps to reproduce the behavior:

  1. Make sure the *_JWKS environment variables are set to make SMD and BSS fetch a JWKS
  2. Run the deployment recipes
  3. Check the Hydra logs to see these lines twice:
    2024-03-05 09:37:13 time=2024-03-05T16:37:13Z level=warning msg=JSON Web Key Set "hydra.jwt.access-token" does not exist yet, generating new key pair... audience=application service_name=Ory Hydra service_version=v2.2.0-rc.3
    2024-03-05 09:37:13 time=2024-03-05T16:37:13Z level=warning msg=JSON Web Key Set "hydra.openid.id-token" does not exist yet, generating new key pair... audience=application service_name=Ory Hydra service_version=v2.2.0-rc.3
  4. Fetch a token and try to use it with BSS or SMD
  5. Returns the specific error "token is unauthorized"

Expected behavior
Any normal output expected from the micro-service that isn't "token is unauthorized"

Additional context
This problem only occurs sometimes, so you will have to run multiple times if it doesn't happen the first time.

synackd commented 5 months ago

Right now, this is mitigated by introducing a hydra-gen-jwks container that runs curl to cause the JWKS to be generated once. Containers that depend on the JWKS being generated (BSS and SMD) depend on hydra-gen-jwks completing successfully before starting, and the race condition is thus avoided. Introduced in #25.

Ideally, Hydra would address this, but this works until they do.

With the above, I think we can close this since tests pass both using Docker on the test cluster and Docker Desktop.
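The warm-up step described in the comment above, as an added example that is not code from the deployment-recipes repository: a POSIX shell script a one-shot container such as hydra-gen-jwks could run before SMD and BSS are allowed to start. It assumes Hydra's public API is reachable at HYDRA_PUBLIC_URL and serves the key set at /.well-known/jwks.json; the function names and retry settings are my own.

```shell
#!/bin/sh
# Added example, not code from the deployment-recipes repo: a one-shot JWKS
# warm-up a container like hydra-gen-jwks could run before SMD and BSS start.
# The first request makes Hydra generate the key pair; SMD and BSS then only
# read an existing JWKS and cannot trigger the double-generation race.
# Assumed: Hydra's public API at HYDRA_PUBLIC_URL serves /.well-known/jwks.json.
set -u

HYDRA_PUBLIC_URL="${HYDRA_PUBLIC_URL:-http://hydra:4444}"
MAX_ATTEMPTS="${MAX_ATTEMPTS:-30}"
SLEEP_SECS="${SLEEP_SECS:-2}"

# jwks_has_keys BODY: succeed only if BODY is a JWKS with at least one key.
# A minimal image may lack jq, so this is a conservative pattern check:
# a "keys" member followed by at least one "kid" (an empty array has none).
jwks_has_keys() {
  case "$1" in
    *'"keys"'*'"kid"'*) return 0 ;;
  esac
  return 1
}

# fetch_jwks: GET the public key set; prints the body, fails on HTTP errors.
fetch_jwks() {
  curl -fsS --max-time 5 "$HYDRA_PUBLIC_URL/.well-known/jwks.json"
}

# wait_for_jwks [FETCH]: call FETCH (default fetch_jwks) until it returns a
# key set or MAX_ATTEMPTS is exhausted. Exit status 0 means the JWKS exists,
# which is the condition the dependent services should wait on.
wait_for_jwks() {
  fetch="${1:-fetch_jwks}"
  attempt=1
  while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
    if body="$("$fetch" 2>/dev/null)" && jwks_has_keys "$body"; then
      echo "JWKS ready after $attempt attempt(s)"
      return 0
    fi
    echo "JWKS not ready (attempt $attempt/$MAX_ATTEMPTS), retrying in ${SLEEP_SECS}s" >&2
    attempt=$((attempt + 1))
    sleep "$SLEEP_SECS"
  done
  echo "gave up waiting for JWKS after $MAX_ATTEMPTS attempts" >&2
  return 1
}

# Opt-in entry point (the container command sets JWKS_WARMUP_RUN=1), so the
# functions can also be sourced and exercised without a running Hydra.
if [ "${JWKS_WARMUP_RUN:-0}" = "1" ]; then
  wait_for_jwks
fi
```

A compose-style dependency on the container finishing successfully (rather than merely starting) is what turns this exit status into the ordering guarantee the comment describes.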