
IdTokenValidator can't use an HttpClient configured from something like options.Backchannel

Open kriebb opened this issue 3 years ago • 3 comments

When using the RS256 signing protocol, the JWT keys need to be fetched. It starts from

  • IdTokenValidator.Assert
  • return this.AssertRS256IdTokenValid(idToken, requirements.Issuer, this.maxJwksKeySetValidFor);
  • return new AsymmetricSignedDecoder((await this.jsonWebKeyCache.Get(issuer, maxAge).ConfigureAwait(false)).Keys).DecodeSignedToken(idToken);
  • private readonly AsyncAgedCache<string, JsonWebKeySet> cache = new AsyncAgedCache<string, JsonWebKeySet>(new Func<string, Task<JsonWebKeySet>>(JsonWebKeys.GetForIssuer));
  • JsonWebKeys.GetForIssuer(string issuer) =
  • JsonWebKeys.GetOpenIdConfiguration

Where the constructor is used: public ConfigurationManager(string metadataAddress, IConfigurationRetriever<T> configRetriever)

and it uses a default httpClient. It would be great if you could supply one that you configure as a backchannel using the options when configuring the package.

My problem with the current package is that I need to supply an HttpClient with a proxy, like in other libraries. But without the possibility of configuring this, I get a status code 407 when I want to use the RS256 signing option.

Wanted Fix:

  • add an options.Backchannel that returns an HttpClient

[Edited] Made the request clearer

kriebb, Jun 22 '22 10:06
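For reference, the kind of wiring the request above asks for, as an added example that is not part of the issue thread or the Auth0.NET SDK: the Microsoft.IdentityModel `ConfigurationManager<T>` also has a three-argument overload taking an `IDocumentRetriever`, which can wrap a caller-supplied `HttpClient`. The class name `ProxiedIdTokenValidator` and the proxy address in the comment are hypothetical, and the issuer is assumed to end with a slash.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

// Hypothetical helper; proxy built by the caller, for example:
//   new WebProxy("http://proxy.example.internal:8080")
//       { Credentials = CredentialCache.DefaultCredentials }
public sealed class ProxiedIdTokenValidator
{
    private readonly string issuer;
    private readonly string audience;
    private readonly ConfigurationManager<OpenIdConnectConfiguration> metadata;

    public ProxiedIdTokenValidator(string issuer, string audience, IWebProxy proxy)
    {
        this.issuer = issuer;       // assumed to end with "/"
        this.audience = audience;
        // Caller-owned client carries the proxy settings; an authenticating
        // proxy answers 407 when no proxy credentials are supplied.
        var http = new HttpClient(new HttpClientHandler { Proxy = proxy, UseProxy = true });
        // The document retriever wraps our client instead of a default one,
        // and refuses metadata or JWKS URLs that are not HTTPS.
        metadata = new ConfigurationManager<OpenIdConnectConfiguration>(
            issuer + ".well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever(http) { RequireHttps = true });
    }

    public async Task<ClaimsPrincipal> ValidateAsync(string idToken)
    {
        // Discovery document and JWKS are fetched through the proxy and cached.
        var config = await metadata.GetConfigurationAsync(CancellationToken.None)
            .ConfigureAwait(false);
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKeys = config.SigningKeys,
            ValidAlgorithms = new[] { "RS256" }, // accept RS256 signatures only
        };
        // Throws a SecurityTokenException on bad signature, issuer, audience or expiry.
        return new JwtSecurityTokenHandler().ValidateToken(idToken, parameters, out _);
    }
}
```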

Thanks, that sounds like a fair change to make. We might need to consider if this should be opt-in, to ensure we don't, unexpectedly, change the behavior for anyone else.

frederikprijck, Jul 06 '22 07:07

Hey @kriebb,

Looking into this, I am curious to understand what you mean by options.Backchannel? I believe options.Backchannel isn't something that exists in this SDK, it exists in another SDK but that has nothing to do with this one.

Can you verify the issue you are talking about is about the Auth0.NET SDK and not any of our OIDC SDKs for WPF, Winforms, UWP, or Xamarin?

That doesn't invalidate the issue in this SDK tho, as I can see how you would still need to be able to control the proxy here. But I am curious to try and understand your situation better.

frederikprijck, Jul 26 '22 08:07

Hi,

Yes, I confirm I'm talking about this SDK. But my explanation isn't what it should be. I just meant (wishful thinking), it would be great if you added something like an options.Backchannel (so it somewhat conforms to other libraries out there).

Hope this clarifies it a bit?

kriebb, Jul 28 '22 06:07

I looked into this and believe this might need some rework. Our SDK is built in such a way that you can replace HttpClient with any other HTTP library, so we will need the same pattern in this case as well.

Will look into how we can implement this in the same way.

frederikprijck, Sep 30 '22 13:09

👋 I created a PR for this, can you please take a look if it would work for your use-case as well?

https://github.com/auth0/auth0.net/pull/596

frederikprijck, Oct 06 '22 12:10