ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

fix: jwk generation incorrectly being skipped #3876

Closed aeneasr closed 2 weeks ago

aeneasr commented 2 weeks ago

Unfortunately, ory/hydra#3870 introduced a regression in the JWK generation logic.

Reverts ory/hydra#3870

terev commented 2 weeks ago

Oh that's too bad. Under what condition was jwk generation being skipped?

aeneasr commented 2 weeks ago

It's basically like a cache for calling the same function twice, which is a side effect in a multi-threaded app. It just doesn't behave as expected under certain circumstances and returns the wrong keys.

terev commented 2 weeks ago

Yeah, but only when there's another in-flight call for the same result. The kid was intentionally left out of the key because none of the callers relied on the kid anyway; it is just a random UUID.

Does this have to do with multi tenancy? I can imagine the network id would be important there. Maybe that should be included in the flight key?
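The failure mode being discussed, as an added illustration that is not hydra's code: a single-flight style deduplicator collapses concurrent calls that share a key, so if the flight key is built from the key set name alone, a second tenant's request that overlaps an in-flight generation for a different tenant receives the first tenant's key. The `Group`, `GenerateKey` and `FlightKey` names, the tenant ids and the key set name are all constructed for this example; `Demo` runs the same overlap twice, once with a set-only key and once with network id and kid included in the key.

```go
package main

import (
	"fmt"
	"sync"
)

// GenerateKey stands in for real JWK generation (constructed placeholder, not hydra's code).
// The returned string records which tenant (network id), key set and kid the key was minted for.
func GenerateKey(nid, set, kid string) string {
	return fmt.Sprintf("jwk{nid=%s set=%s kid=%s}", nid, set, kid)
}

type flight struct {
	done chan struct{}
	val  string
}

// Group is a minimal single-flight deduplicator: concurrent Do calls with the same key
// share one result. OnShared is an optional hook fired when a caller joins an existing flight.
type Group struct {
	mu       sync.Mutex
	m        map[string]*flight
	OnShared func()
}

func (g *Group) Do(key string, fn func() string) (val string, shared bool) {
	g.mu.Lock()
	if g.m == nil {
		g.m = make(map[string]*flight)
	}
	if f, ok := g.m[key]; ok {
		g.mu.Unlock()
		if g.OnShared != nil {
			g.OnShared()
		}
		<-f.done // wait for the in-flight computation and reuse its value
		return f.val, true
	}
	f := &flight{done: make(chan struct{})}
	g.m[key] = f
	g.mu.Unlock()

	f.val = fn()
	close(f.done)

	g.mu.Lock()
	delete(g.m, key)
	g.mu.Unlock()
	return f.val, false
}

// FlightKey builds the dedup key. With strict=false it keys on the set name only, the shape
// discussed in the thread; with strict=true the network id and kid are part of the key too.
func FlightKey(strict bool, nid, set, kid string) string {
	if !strict {
		return set
	}
	return nid + "/" + set + "/" + kid
}

// Demo overlaps two tenants' requests for the same key set and returns what each received.
// Tenant A's generation is held open until tenant B has either joined A's flight or finished
// its own, so the overlap is deterministic rather than timing-dependent.
func Demo(strict bool) (gotA, gotB string) {
	const set = "hydra.openid.id-token"
	g := &Group{}
	started := make(chan struct{})
	release := make(chan struct{})
	var releaseOnce sync.Once
	unblockA := func() { releaseOnce.Do(func() { close(release) }) }
	g.OnShared = unblockA

	var wg sync.WaitGroup
	wg.Add(2)
	go func() {
		defer wg.Done()
		gotA, _ = g.Do(FlightKey(strict, "tenant-a", set, "kid-a"), func() string {
			close(started)
			<-release // keep A's flight open so B's call overlaps it
			return GenerateKey("tenant-a", set, "kid-a")
		})
	}()
	<-started
	go func() {
		defer wg.Done()
		gotB, _ = g.Do(FlightKey(strict, "tenant-b", set, "kid-b"), func() string {
			return GenerateKey("tenant-b", set, "kid-b")
		})
		unblockA() // strict case: B finished on its own, so let A complete now
	}()
	wg.Wait()
	return gotA, gotB
}

func main() {
	a, b := Demo(false)
	fmt.Println("set-only key:     tenant B got", b, "| tenant A got", a)
	a, b = Demo(true)
	fmt.Println("nid+set+kid key:  tenant B got", b, "| tenant A got", a)
}
```

With the set-only key, tenant B's result is the key minted for tenant A; with the network id and kid in the key, each tenant gets its own. The same collapse happens between two callers in one tenant that expect distinct kids, which is why a cache keyed on fewer fields than the result depends on is a correctness bug rather than just a performance detail.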

terev commented 2 weeks ago

@aeneasr Do we need a new/reopened issue to fix this? Seems fairly important.

aeneasr commented 2 weeks ago

Just reopen the other one. We're not observing these issues on our prod system. If the fix is easy we're happy to do it, but we're not heavily incentivized to fix it, due to lack of commercial demand and having already spent a good portion of time on it.