Call limit on openid configuration

AnthonyDaSilva · December 6, 2023, 1:54pm

For legacy reasons, we have to check the token validity/signature etc at each call.
In some cases, the call to /.well-known/openid-configuration is rejecting due to several calls at the same time.

I made something like this to reduce the number of calls:

                if (KeyResolver == null)
                {
                    KeyResolver = new OpenIdConnectSigningKeyResolver(domain);
                }

                var tokenParams = new Microsoft.IdentityModel.Tokens.TokenValidationParameters()
                {
                    ValidAudience = ApplicationConfig.Audience,
                    ValidateIssuer = true,
                    ValidateIssuerSigningKey = true,
                    ValidateLifetime = true,
                    ValidateAudience = true,
                    ValidIssuer = domain,
                    RequireSignedTokens = true,
                    IssuerSigningKeyResolver = (token, securityToken, kid, parameters) => KeyResolver.GetSigningKey(kid)
                };

Is it the proper way to do it? Should I keep the key only for a certain amount of time before retrieving it again?

Thanks

tyf · December 7, 2023, 12:50am

Hey there @AnthonyDaSilva !

Is there any way you can cache the information retrieved from /.well-known/openid-configuration and only make a call to the endpoint when needed?

AnthonyDaSilva · December 7, 2023, 5:46am

Hey tyf,

That’s more or less what I implemented above but I was wondering if I need to put a validity date on the data retrieved from /.well-known/openid-configuration or will it always be the same ?

tyf · December 8, 2023, 11:36pm

The data retrieved is certainly subject to change, but it shouldn’t be often at all - It really just depends on if you are making changes to your tenant that will affect this information. I would say fetching once a day or less should be sufficient. You could also look into configuring some logic to request when your app experiences a failure that could be related to this configuration.

AnthonyDaSilva · December 11, 2023, 7:53am

Hey @tyf,

Thanks for your answer, it seems to work for now.

Kind Regards,

Anthony

AnthonyDaSilva · December 11, 2023, 8:24am

Hi @tyf,

For this part:

You could also look into configuring some logic to request when your app experiences a failure that could be related to this configuration.

How do you reckon I should proceed?

Regards

tyf · December 11, 2023, 10:39pm

Hey @AnthonyDaSilva !

This isn’t an exhaustive list but I might look out for token validation errors, authentication request issues, token refresh errors, userinfo endpoint access, response/grant type errors, etc. Basically anything that might fail as a result of changes made to the discovery endpoint. If your app begins experiencing unexpected issues, it might be due to the need to refresh discovery data you’ve cached. That being said, I’d expect changes to be infrequent under normal circumstances.

system · December 25, 2023, 10:39pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Socket errors when sending requests to /.well-known/openid-configuration from .Net 7 application Help apis , application	1	976	August 7, 2023
Managing Tokens in .NET MAUI Blog Discussions	22	2613	September 2, 2024
Validating an access token - Too Many Requests Help access-token , validation , token-validation	2	7341	March 2, 2018
Auth0 access token getting 500 response Help management-api , users	4	977	October 18, 2023
IDX10803: Unable to create to obtain configuration from: '[mydomain].well-known/openid-configuration' Help jwt	7	5532	May 27, 2021

Call limit on openid configuration

Related topics