Merge pull request #164 from ovska/fix-nonawaited-task

josephdecock · web-flow · commit a258d1b0a983 · 2025-07-09T13:09:33.000-05:00
Fix unawaited task in UpdateClientAssertion event
diff --git a/src/OAuth2IntrospectionHandler.cs b/src/OAuth2IntrospectionHandler.cs
@@ -178,7 +178,7 @@ private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(
 	        OAuth2IntrospectionOptions options)
         {
             var introspectionClient = await options.IntrospectionClient.Value.ConfigureAwait(false);
-            using var request = CreateTokenIntrospectionRequest(token, context, scheme, events, options);
+            using var request = await CreateTokenIntrospectionRequest(token, context, scheme, events, options);
 
             var requestSendingContext = new SendingRequestContext(context, scheme, options)
             {
@@ -190,7 +190,7 @@ private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(
             return await introspectionClient.IntrospectTokenAsync(request).ConfigureAwait(false);
         }
 
-        private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(
+        private static async ValueTask<TokenIntrospectionRequest> CreateTokenIntrospectionRequest(
 	        string token,
 	        HttpContext context,
 	        AuthenticationScheme scheme,
@@ -199,7 +199,9 @@ private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(
         {
             if (options.ClientSecret == null && options.ClientAssertionExpirationTime <= DateTime.UtcNow)
             {
-                lock (options.AssertionUpdateLockObj)
+                await options.AssertionUpdateLock.WaitAsync();
+
+                try
                 {
                     if (options.ClientAssertionExpirationTime <= DateTime.UtcNow)
                     {
@@ -208,13 +210,17 @@ private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(
                             ClientAssertion = options.ClientAssertion ?? new ClientAssertion()
                         };
 
-                        events.UpdateClientAssertion(updateClientAssertionContext);
+                        await events.UpdateClientAssertion(updateClientAssertionContext);
 
                         options.ClientAssertion = updateClientAssertionContext.ClientAssertion;
                         options.ClientAssertionExpirationTime =
                             updateClientAssertionContext.ClientAssertionExpirationTime;
                     }
                 }
+                finally
+                {
+                    options.AssertionUpdateLock.Release();
+                }
             }
 
             return new TokenIntrospectionRequest
diff --git a/src/OAuth2IntrospectionOptions.cs b/src/OAuth2IntrospectionOptions.cs
@@ -7,6 +7,7 @@
 using Microsoft.AspNetCore.Http;
 using System;
 using System.Net.Http;
+using System.Threading;
 
 namespace IdentityModel.AspNetCore.OAuth2Introspection
 {
@@ -45,7 +46,7 @@ public OAuth2IntrospectionOptions()
         /// </summary>
         public string ClientSecret { get; set; }
 
-        internal object AssertionUpdateLockObj = new object();
+        internal readonly SemaphoreSlim AssertionUpdateLock = new SemaphoreSlim(1, 1);
 
         internal ClientAssertion ClientAssertion { get; set; }
 

Original file line number	Diff line number	Diff line change
`@@ -178,7 +178,7 @@ private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(`
`178`	`178`	`OAuth2IntrospectionOptions options)`
`179`	`179`	`{`
`180`	`180`	`var introspectionClient = await options.IntrospectionClient.Value.ConfigureAwait(false);`
`181`		`- using var request = CreateTokenIntrospectionRequest(token, context, scheme, events, options);`
	`181`	`+ using var request = await CreateTokenIntrospectionRequest(token, context, scheme, events, options);`
`182`	`182`
`183`	`183`	`var requestSendingContext = new SendingRequestContext(context, scheme, options)`
`184`	`184`	`{`
`@@ -190,7 +190,7 @@ private static async Task<TokenIntrospectionResponse> LoadClaimsForToken(`
`190`	`190`	`return await introspectionClient.IntrospectTokenAsync(request).ConfigureAwait(false);`
`191`	`191`	`}`
`192`	`192`
`193`		`- private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(`
	`193`	`+ private static async ValueTask<TokenIntrospectionRequest> CreateTokenIntrospectionRequest(`
`194`	`194`	`string token,`
`195`	`195`	`HttpContext context,`
`196`	`196`	`AuthenticationScheme scheme,`
`@@ -199,7 +199,9 @@ private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(`
`199`	`199`	`{`
`200`	`200`	`if (options.ClientSecret == null && options.ClientAssertionExpirationTime <= DateTime.UtcNow)`
`201`	`201`	`{`
`202`		`- lock (options.AssertionUpdateLockObj)`
	`202`	`+ await options.AssertionUpdateLock.WaitAsync();`
	`203`	`+`
	`204`	`+ try`
`203`	`205`	`{`
`204`	`206`	`if (options.ClientAssertionExpirationTime <= DateTime.UtcNow)`
`205`	`207`	`{`
`@@ -208,13 +210,17 @@ private static TokenIntrospectionRequest CreateTokenIntrospectionRequest(`
`208`	`210`	`ClientAssertion = options.ClientAssertion ?? new ClientAssertion()`
`209`	`211`	`};`
`210`	`212`
`211`		`- events.UpdateClientAssertion(updateClientAssertionContext);`
	`213`	`+ await events.UpdateClientAssertion(updateClientAssertionContext);`
`212`	`214`
`213`	`215`	`options.ClientAssertion = updateClientAssertionContext.ClientAssertion;`
`214`	`216`	`options.ClientAssertionExpirationTime =`
`215`	`217`	`updateClientAssertionContext.ClientAssertionExpirationTime;`
`216`	`218`	`}`
`217`	`219`	`}`
	`220`	`+ finally`
	`221`	`+ {`
	`222`	`+ options.AssertionUpdateLock.Release();`
	`223`	`+ }`
`218`	`224`	`}`
`219`	`225`
`220`	`226`	`return new TokenIntrospectionRequest`