IdentityModel.AspNetCore.OAuth2Introspection icon indicating copy to clipboard operation
IdentityModel.AspNetCore.OAuth2Introspection copied to clipboard

Published 20 hours ago verified publisher icon IdentityModel

Potential issue with unawaited UpdateClientAssertion event

Open ovska opened this issue 2 years ago • 5 comments

https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection/blob/main/src/OAuth2IntrospectionHandler.cs#L211

The OnUpdateClientAssertion event is invoked without an await, probably because it is inside a lock. This can potentially cause hard to diagnose bugs if the event is assigned to something that requires awaiting. For example the current HttpContext is one of the properties, and using it after the request is ended can throw object disposed exceptions.

My suggestion is to replace the lock with a SemaphoreSlim which works fine in async context as well, and the lifetime of OAuth2IntrospectionOptions shouldn't be a problem as SemaphoreSlim wouldn't need to be disposed in this case.

Tangentially, ConfigureAwait(false) is missing from some all awaits on events. Is this intentional or an oversight?

ovska avatar Jul 15 '22 16:07 ovska

My understanding is that ASP.NET Core has no synchronization context - so ConfigureAwait(false) is not required.

Would you agree?

leastprivilege avatar Jul 22 '22 08:07 leastprivilege

Correct, was just wondering why it was used in some awaits and not all :)

ovska avatar Jul 24 '22 17:07 ovska

I guess because it is ultimately an old code base..

leastprivilege avatar Jul 24 '22 20:07 leastprivilege

@brockallen could you have a look when time permits.

@ovska do you want to propose a PR?

leastprivilege avatar Aug 07 '22 09:08 leastprivilege

Here's more or less the minimal fix I could come up with: #164

ovska avatar Aug 07 '22 20:08 ovska