I have two machines, one identity server and second REST API A user through the API logs in, goes post to IS, in response IS returns JWT The user authenticates himself to the API with each data request. And everything was working fine, but today I noticed that there is an unusually high load on my IS It turns out that every time the user queries the API for data, the API sends a request to IS. But the API should itself check if the token is correct.
API is on .NET 6 and LicenseServer is on .NET Core 2.1
API sends out as many as two requests to IS for each user request:
GET /.well-known/openid-configuration/jwks HTTP/1.1IS response ->HTTP: HTTP/1.1 200 OKPOST /connect/token HTTP/1.1IS response ->HTTP/1.1 400 Bad Request
And this is happening after the user has already successfully logged in.
IS setup:
new Client
{
ClientId = "native_client"
AllowedGrantTypes = new[] {"password", "client_credentials", "external" },
AccessTokenType = AccessTokenType.Jwt,
AccessTokenLifetime = 600, //86400,
IdentityTokenLifetime = 600, //86400,
UpdateAccessTokenClaimsOnRefresh = true,
AbsoluteRefreshTokenLifetime = 2592000,
AllowOfflineAccess = true,
RefreshTokenExpiration = TokenExpiration.Absolute,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AlwaysSendClientClaims = true,
Enabled = true,
RequireClientSecret = true,
ClientSecrets = new List<Secret>{
new Secret(configuration.GetConnectionString("NativeClientApiKey").Sha256()),
},
AllowedScopes = new List<string>{
"api_default",
"offline_access",
}
},
API setup:
services.AddAuthentication(o =>
{
o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(o =>
{
o.Authority = configuration.GetSection("IsHost").Value;
o.RequireHttpsMetadata = true;
o.Audience = "api_default";
});
I've get 2x more load to IS than to API, when there should be a few dozen requests per day, not tens of thousands