
New OpenIdMetadata signing keys will not be picked up for up to 5 days #2442

Closed
@alopix

Description


Versions

What package version of the SDK are you using?
4.9

(the rest is irrelevant)

Describe the bug

If MSFT adds a new signing key to the OpenIdMetadata it will not be picked up for 5 days and fail Directline Speech connections.

The issue seems to be in OpenIdMetadata:

public async getKey(keyId: string): Promise<IOpenIdMetadataKey | null> {

On incoming requests, JwtTokenExtractor will validate the JWT token using the cached public keys loaded via OpenIdMetadata.

MSFT adding (and using!) a new signing key will not be picked up for up to 5 days, which means that if a new signing key is being used, L42/43 will not find it in the cached keys and return undefined, which in turn fails OpenIdMetadata L98.

To Reproduce

Steps to reproduce the behavior:
Currently not reproducible as there's no new signing key. But the description should explain how it works.

Expected behavior

My suggestion would be to always check if the signing key actually exists in the cache and refresh the tokens if it doesn't. Only then can you be sure that the signing key is completely invalid.

Screenshots

Additional context

We saw this issue on Saturday for a few hours and restarting our service fixed the issue as it refreshed the memory cache.
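An added illustration, not code from the SDK or from the reporter, of the refresh policy the report describes next to the one it suggests: a kid-keyed cache that, on a miss, refreshes once before treating the key as unknown, with a cool-down so a stream of unknown kids cannot force a metadata fetch per request. KeyCache, rotationScenario, the synchronous fetchKeys stand-in for the HTTP fetch and the cool-down interval are assumptions of the example.

```typescript
// Added example (not botbuilder-js code): a kid-keyed signing-key cache that refreshes on a
// miss, with a cool-down so a stream of unknown kids cannot force a metadata fetch per request.
interface OpenIdMetadataKey { kid: string; n: string; e: string; }
const FIVE_DAYS_MS = 5 * 24 * 60 * 60 * 1000;
const MIN_REFRESH_INTERVAL_MS = 5 * 60 * 1000; // hypothetical cool-down between miss-triggered fetches
class KeyCache {
  private keys: OpenIdMetadataKey[] = [];
  private lastUpdated = 0; // clock value at the last fetch
  fetchCount = 0;          // metadata fetches so far (for the demo)
  // fetchKeys stands in for the HTTP fetch of the OpenIdMetadata key set; now is an injectable clock.
  constructor(private readonly fetchKeys: () => OpenIdMetadataKey[], private readonly now: () => number) {}
  // Behaviour the issue describes: only the 5-day timer refreshes, so a key added in between misses.
  getKeyTimerOnly(keyId: string): OpenIdMetadataKey | null {
    if (this.now() - this.lastUpdated > FIVE_DAYS_MS) this.refresh();
    return this.find(keyId);
  }
  // Suggested behaviour: on a miss, refresh once (rate-limited) and look again; only a kid
  // still absent after a fresh fetch is treated as unknown.
  getKey(keyId: string): OpenIdMetadataKey | null {
    if (this.now() - this.lastUpdated > FIVE_DAYS_MS) this.refresh();
    let key = this.find(keyId);
    if (key === null && this.now() - this.lastUpdated > MIN_REFRESH_INTERVAL_MS) {
      this.refresh();
      key = this.find(keyId);
    }
    return key;
  }
  private find(keyId: string): OpenIdMetadataKey | null {
    return this.keys.find(k => k.kid === keyId) || null;
  }
  private refresh(): void {
    this.keys = this.fetchKeys();
    this.lastUpdated = this.now();
    this.fetchCount++;
  }
}
// Constructed scenario: the issuer adds kid "k2" an hour after both caches were warmed with "k1".
function rotationScenario(): { staleHit: boolean; freshHit: boolean; fetches: number } {
  let clock = 1000000;
  let published: OpenIdMetadataKey[] = [{ kid: 'k1', n: 'n1', e: 'AQAB' }];
  const timerOnly = new KeyCache(() => published, () => clock);
  const missRefresh = new KeyCache(() => published, () => clock);
  timerOnly.getKeyTimerOnly('k1'); missRefresh.getKey('k1');
  published = [...published, { kid: 'k2', n: 'n2', e: 'AQAB' }];
  clock += 60 * 60 * 1000;
  const staleHit = timerOnly.getKeyTimerOnly('k2') !== null; // false: stuck until the 5-day timer
  const freshHit = missRefresh.getKey('k2') !== null;        // true: the miss forced a refresh
  missRefresh.getKey('bogus');                               // within the cool-down: no extra fetch
  return { staleHit, freshHit, fetches: missRefresh.fetchCount }; // fetches is 2
}
```

The cool-down is what keeps the suggested policy from turning every token with an unknown kid into a round trip to the metadata endpoint.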

Labels

Bot Services (required for internal Azure reporting)
P0: Must Fix. Release-blocker
R10: Release 10 - August 17th, 2020
bug: Indicates an unexpected problem or an unintended behavior.
customer-replied-to: Indicates that the team has replied to the issue reported by the customer.
customer-reported: Issue is created by anyone that is not a collaborator in the repository.