Intermittent 401s from Okta SDK with Private Key AuthMode (Token Expired) - Githubissues

okta / okta-sdk-dotnet

A .NET SDK for interacting with the Okta management API, enabling server-side code to manage Okta users, groups, applications, and more.

Other

160 stars 100 forks source link

Intermittent 401s from Okta SDK with Private Key AuthMode (Token Expired) #505

Closed robyn-berkel-talogy closed 3 years ago

robyn-berkel-talogy commented 3 years ago

Current behavior

We have a service set up to use the Private Key authmode via the Okta .Net SDK. After a few calls, we start receiving a 401 intermittently (roughly 50% reproduce rate) without any additional error message. I have confirmed that the IOktaClient configuration doesn't change, and restarting our service resolves the issue. I also don't see any associated failures in the System Log on the Okta admin portal. I submitted a case through Okta support and they eventually redirected me here after seeing an additional message "Token expired" with the 401s.

Expected behavior

No 401s when making the below call using the Okta SDK with the same private key.

Minimal reproduction of the problem with instructions

STEPS TO REPRODUCE

Code using the SDK that generates the 401:

var filter = HttpUtility.UrlEncode($"profile.{attributeName} eq \"{attributeValue}\""); 
var href = $"{Client.Configuration.OktaDomain}api/v1/users?search={filter}"; 
return await Client.GetCollection<IUser>(href).FirstOrDefaultAsync(cancellationToken);

Environment

OS:
Browser:
.Net Framework:
Other:

bryanapellanes-okta commented 3 years ago

@psiservices-rberkel , Thanks for reaching out and bringing this to our attention. We will need to review more closely to implement a solution. We'll update here when there's more.

Thanks for using Okta!

laura-rodriguez commented 3 years ago

@psiservices-rberkel, can you please share what version of the Okta SDK you are using?

bryanapellanes-okta commented 3 years ago

@psiservices-rberkel, can you please share what version of the Okta SDK you are using?

@psiservices-rberkel In addition to the SDK version; can you describe the network topology of your deployment? Specifics about the environment in which your app runs may contribute to, or cause the issue in a non-obvious way.

robyn-berkel-talogy commented 3 years ago

We're using the latest version - 5.1.1, but have also seen these issues on 5.0.0. We have a kubernetes environment and use docker for development and building container images.

bryanapellanes-okta commented 3 years ago

We have a kubernetes environment and use docker for development and building container images.

This is good information to have. Is it possible there's an internal gateway, load balancer or proxy causing requests to take different routes to Okta? Kubernetes and docker can introduce complexities that we may not be considering.

It would be helpful if you could share specific details about the network nodes in your kubernetes cluster and their relationships to one another; I recognize this may not be something you want to do in a public forum. I suggest reaching out to our support team at developers@okta.com - they will be able to work with you directly and discuss details about your configuration in a less public manner.

bryanapellanes-okta commented 3 years ago

@psiservices-rberkel please see latest comment above.

bryanapellanes-okta commented 3 years ago

Support is handling on support case #01181968.