Skip to content

Commit 922aa12

Browse files
ksroda-saclaude
andcommitted
docs(dotnet/token-refresh): flag discovery-caching gap in production notes
Code review caught that RefreshTokensAsync fetches the discovery document on every refresh call. For a teaching sample that's fine, but readers copying the pattern to prod would eat an extra round-trip per refresh. README production-notes now says so. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
1 parent 0d8e2dd commit 922aa12

1 file changed

Lines changed: 1 addition & 0 deletions

File tree

samples/dotnet/token-refresh/README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,3 +44,4 @@ Six tests covering `/` unauth, `/` authenticated, `/login` challenge, `/refresh`
4444
- **CSRF protection:** `POST /refresh` is not CSRF-protected. For production, enable ASP.NET Core antiforgery middleware, switch cookies to `SameSite=Strict`, or use a double-submit cookie pattern.
4545
- **Concurrent refreshes:** two requests may race on the refresh token with rotation-enforcing IdPs. Production apps should serialize refresh per session (e.g. via `SemaphoreSlim` keyed by session id).
4646
- **Auto-refresh scope:** `OnValidatePrincipal` fires for every authenticated request including static assets and health checks. In production, consider wrapping the refresh logic so it only runs for routes that actually use the access token.
47+
- **Discovery caching:** for readability, `RefreshTokensAsync` fetches the OpenID discovery document on every call. Each refreshed access token costs an extra network round-trip. Production apps should cache discovery for the lifetime of the process (or reuse the `ConfigurationManager<OpenIdConnectConfiguration>` that the OIDC middleware already maintains).

0 commit comments

Comments
 (0)