Potential issue with unawaited UpdateClientAssertion event #160
Assignees
Comments
|
My understanding is that ASP.NET Core has no synchronization context - so Would you agree? |
|
Correct, was just wondering why it was used in some awaits and not all :) |
|
I guess because it is ultimately an old code base.. |
|
@brockallen could you have a look when time permits. @ovska do you want to propose a PR? |
|
Here's more or less the minimal fix I could come up with: #164 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
https://github.com/IdentityModel/IdentityModel.AspNetCore.OAuth2Introspection/blob/main/src/OAuth2IntrospectionHandler.cs#L211
The
OnUpdateClientAssertionevent is invoked without anawait, probably because it is inside alock. This can potentially cause hard to diagnose bugs if the event is assigned to something that requires awaiting. For example the current HttpContext is one of the properties, and using it after the request is ended can throw object disposed exceptions.My suggestion is to replace the lock with a
SemaphoreSlimwhich works fine in async context as well, and the lifetime ofOAuth2IntrospectionOptionsshouldn't be a problem as SemaphoreSlim wouldn't need to be disposed in this case.Tangentially,
ConfigureAwait(false)is missing from some all awaits on events. Is this intentional or an oversight?The text was updated successfully, but these errors were encountered: