Description
TokenValidationParameters has an IssuerSigningKeyResolver that provides you with the kid of the required key immediately.
Adjusting TokenHandlers in JwtServiceValidationHandler has an issue.
It gets a list of keys to check, while the number of keys to retrieve is unknown. In a perfect world you should validate against any key in the database unless it was explicitly revoked.
Another, smaller issue is that it's a bit intrusive. What if a user added their own validator there and you just deleted it without telling the user about it?
My easy, naive approach would be something like this:
```csharp
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Inside the TokenValidationParameters initializer; `serviceProvider` is the app's IServiceProvider.
IssuerSigningKeyResolver = (string token, SecurityToken securityToken, string kid, TokenValidationParameters validationParameters) =>
{
    // Resolve the scoped key store per call: the resolver runs outside any request scope.
    using var scope = serviceProvider.CreateScope();
    var service = scope.ServiceProvider.GetRequiredService<IJsonWebKeyStore>();
    // Look up only the key named by the token's kid header (blocking on the async call).
    var key = service.Get(kid).Result;
    // Unknown (or revoked) kid: return no keys, so signature validation fails.
    return key != null ? [key.GetSecurityKey()] : [];
},
```
In this case I'm not sure if the GetLastKeys function is needed at all.
In this case IJsonWebKeyStore can have a cache keyed on kid directly and doesn't have to cache the whole set of keys.
Note: in .NET 9 there will be the possibility to make it async.
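A fuller sketch of the per-kid resolver described above, as an added example that is not code from the issue or from the project. It assumes the NuGet packages Microsoft.IdentityModel.Tokens and Microsoft.IdentityModel.JsonWebTokens (7.x or later); `InMemoryKeyStore` is a hypothetical stand-in for IJsonWebKeyStore, and the issuer, audience and kid values are constructed. It shows the three behaviours a practitioner cares about: a known kid validates (and is cached), an unknown kid yields an empty key set and a failed validation, and revocation must evict the cached entry too.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Hypothetical stand-in for the project's IJsonWebKeyStore: async lookup by kid,
// null when the kid is unknown or has been revoked.
public sealed class InMemoryKeyStore
{
    private readonly ConcurrentDictionary<string, SecurityKey> _keys = new();
    public void Store(SecurityKey key) => _keys[key.KeyId] = key;
    public void Revoke(string kid) => _keys.TryRemove(kid, out _);
    public Task<SecurityKey> Get(string kid) =>
        Task.FromResult(_keys.TryGetValue(kid, out var k) ? k : null);
}

public static class KidResolver
{
    // Cache hits only. A miss is not cached: during rotation a kid unknown now may
    // belong to a key that is published a moment later.
    private static readonly ConcurrentDictionary<string, SecurityKey> Cache = new();

    public static void Evict(string kid) => Cache.TryRemove(kid, out _);

    public static IEnumerable<SecurityKey> Resolve(InMemoryKeyStore store, string kid)
    {
        if (string.IsNullOrEmpty(kid)) return Array.Empty<SecurityKey>(); // no kid header: nothing to look up
        if (Cache.TryGetValue(kid, out var cached)) return new[] { cached };
        // Sync-over-async, as in the sketch above; acceptable for a demo, avoid on hot paths.
        var key = store.Get(kid).GetAwaiter().GetResult();
        if (key is null) return Array.Empty<SecurityKey>(); // unknown or revoked kid: no candidate keys
        Cache[kid] = key;
        return new[] { key };
    }
}

public static class Program
{
    private static SecurityKey NewKey(string kid) =>
        new RsaSecurityKey(RSA.Create(2048)) { KeyId = kid };

    // Issues a short-lived RS256 token whose "kid" header comes from the signing key.
    private static string Sign(SecurityKey key) => new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
    {
        Issuer = "https://issuer.example",   // constructed values
        Audience = "api",
        Subject = new ClaimsIdentity(new[] { new Claim("sub", "alice") }),
        Expires = DateTime.UtcNow.AddMinutes(5),
        SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.RsaSha256),
    });

    public static async Task Main()
    {
        var store = new InMemoryKeyStore();
        var current = NewKey("key-2024-06");
        store.Store(current);

        var parameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "api",
            IssuerSigningKeyResolver = (token, securityToken, kid, tvp) => KidResolver.Resolve(store, kid),
        };
        var handler = new JsonWebTokenHandler();

        // 1. Token signed by a key the store knows: valid, and that kid is now cached.
        var ok = await handler.ValidateTokenAsync(Sign(current), parameters);
        Console.WriteLine($"known kid:   valid={ok.IsValid}");

        // 2. Token signed by a key never published to the store: the resolver returns no
        //    keys and validation fails (result.Exception describes the missing signing key).
        var rogue = await handler.ValidateTokenAsync(Sign(NewKey("key-rogue")), parameters);
        Console.WriteLine($"unknown kid: valid={rogue.IsValid} ({rogue.Exception?.GetType().Name})");

        // 3. Revocation must also evict the per-kid cache entry; otherwise the cached key
        //    outlives the store entry and revoked tokens keep validating.
        store.Revoke("key-2024-06");
        KidResolver.Evict("key-2024-06");
        var revoked = await handler.ValidateTokenAsync(Sign(current), parameters);
        Console.WriteLine($"revoked kid: valid={revoked.IsValid} ({revoked.Exception?.GetType().Name})");
    }
}
```

Run it as a console project referencing the two packages. The point of step 3 is the caveat that comes with caching on kid: whatever revokes a key in the store has to invalidate the resolver's cache for that kid (or the cache needs a short TTL), or the resolver keeps serving a key the store no longer trusts.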