© 2026 Hedgehog Software, LLC

C# • 3y ago • 2 replies
TYoemtais.z

API does not store keys from IdentityServer to validate tokens

I have two machines, one identity server and a second one for the REST API.
A user logs in through the API, which posts to IS, and in response IS returns a JWT.
The user authenticates himself to the API with each data request.
Everything was working fine, but today I noticed an unusually high load on my IS.
It turns out that every time the user queries the API for data, the API sends a request to IS.
But the API should itself check whether the token is correct.

API is on .NET 6 and LicenseServer is on .NET Core 2.1.


API sends out as many as two requests to IS for each user request:

1. GET /.well-known/openid-configuration/jwks HTTP/1.1
   IS response -> HTTP/1.1 200 OK

2. POST /connect/token HTTP/1.1
   IS response -> HTTP/1.1 400 Bad Request


And this is happening after the user has already successfully logged in.

IS setup:
    new Client
    {
        ClientId = "native_clien", // value truncated in the original post
        AllowedGrantTypes = new[] { "password", "client_credentials", "external" },
        AccessTokenType = AccessTokenType.Jwt,
        AccessTokenLifetime = 600, //86400,
        IdentityTokenLifetime = 600, //86400,
        UpdateAccessTokenClaimsOnRefresh = true,
        AbsoluteRefreshTokenLifetime = 2592000,
        AllowOfflineAccess = true,
        RefreshTokenExpiration = TokenExpiration.Absolute,
        RefreshTokenUsage = TokenUsage.OneTimeOnly,
        AlwaysSendClientClaims = true,
        Enabled = true,
        RequireClientSecret = true,
        ClientSecrets = new List<Secret>
        {
            new Secret(configuration.GetConnectionString("NativeClientApiKey").Sha256()),
        },
        AllowedScopes = new List<string>
        {
            "api_default",
            "offline_access",
        }
    },

API setup:
    services.AddAuthentication(o =>
    {
        o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
        o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    })
    .AddJwtBearer(o =>
    {
        o.Authority = configuration.GetSection("IsHost").Value;
        o.RequireHttpsMetadata = true;
        o.Audience = "api_default";
    });

I get 2x more load on IS than on the API, when there should be a few dozen requests per day, not tens of thousands.
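As an added example (not the poster's code and not IdentityServer's own), here is how the API side can pin down metadata caching and make signing-key refreshes visible in its own logs. It assumes .NET 6 minimal hosting and reuses the `IsHost` configuration key and the `api_default` audience from the post; every other name is illustrative. A JwtBearer handler wired like this validates the signature locally: it fetches `/.well-known/openid-configuration` and the JWKS once per process and again only when `AutomaticRefreshInterval` elapses or a token carries a `kid` that is not in the cached key set (that refresh is rate-limited by `RefreshInterval`). The bearer handler never issues a POST to `/connect/token`, so the second request in the capture has to originate in API code other than token validation.

```csharp
// Added example, not code from the original post. Explicit, cached discovery/JWKS
// configuration for the API's JwtBearer handler, plus event hooks that log why a
// token was rejected or which signing key ("kid") an accepted token used.
// Assumptions: .NET 6 minimal hosting; "IsHost" and "api_default" come from the post.
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var isHost = builder.Configuration["IsHost"]!.TrimEnd('/');

// One ConfigurationManager per process: it downloads the discovery document and
// the JWKS once and then serves them from memory. AutomaticRefreshInterval bounds
// how old the cached copy may get; RefreshInterval rate-limits RequestRefresh(),
// which the bearer handler calls when a token's "kid" is not among the cached keys.
var oidcConfig = new ConfigurationManager<OpenIdConnectConfiguration>(
    $"{isHost}/.well-known/openid-configuration",
    new OpenIdConnectConfigurationRetriever(),
    new HttpDocumentRetriever { RequireHttps = true })
{
    AutomaticRefreshInterval = TimeSpan.FromHours(12),
    RefreshInterval = TimeSpan.FromMinutes(5),
};

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = isHost;
        o.RequireHttpsMetadata = true;
        o.Audience = "api_default";
        o.ConfigurationManager = oidcConfig;
        // Default behaviour, stated explicitly: an unknown "kid" triggers one
        // rate-limited re-fetch of the JWKS so a rotated IS signing key is picked up.
        o.RefreshOnIssuerKeyNotFound = true;
        o.Events = new JwtBearerEvents
        {
            OnAuthenticationFailed = ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                // Exception type tells you whether it was expiry, audience, issuer or an unknown key.
                log.LogWarning("JWT rejected: {Reason}", ctx.Exception.GetType().Name);
                return Task.CompletedTask;
            },
            OnTokenValidated = ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>();
                var kid = (ctx.SecurityToken as JwtSecurityToken)?.Header.Kid;
                log.LogDebug("JWT accepted locally, kid={Kid}", kid);
                return Task.CompletedTask;
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Hypothetical endpoint: served entirely from the cached keys, no call to IS per request.
app.MapGet("/data", () => Results.Ok("validated locally")).RequireAuthorization();
app.Run();
```

With this in place, count the `JWT rejected` lines against the `JWT accepted` lines: a steady stream of `SecurityTokenSignatureKeyNotFoundException` means incoming tokens carry a `kid` the published JWKS does not contain, and each such token costs a key refresh (bounded by `RefreshInterval`); if the accepted tokens log a stable `kid` and the jwks endpoint is still being hit on every request, the extra traffic is coming from a second HTTP client in the API, which is also the only place a `POST /connect/token` can originate.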