Okta ASP.NET middleware doesn't respect Cache-Control headers

Hi,
In my .NET Core application I'm using the Okta.AspNetCore NuGet package to validate JWT tokens.

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = oktaOptions.Domain,
        AuthorizationServerId = "default",
        Audience = oktaOptions.Audience
    });

While testing the behaviour I noticed that Cache-Control headers were not respected and signing keys served with a no-cache directive were still cached. This might be a problem as Okta rotates signing keys every 90 days, and caching them indefinitely will cause authentication errors.

Hello, @Valdas
Steps to Address the Cache-Control Headers Issue
Custom HttpClient for Token Validation:
You can configure a custom HttpClient to handle the caching behavior more precisely. This allows you to set the Cache-Control headers explicitly.

using System.Net.Http.Headers; // for CacheControlHeaderValue

builder.Services.AddHttpClient("OktaClient", client =>
{
    client.DefaultRequestHeaders.CacheControl = new CacheControlHeaderValue
    {
        NoCache = true
    };
});

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddOktaWebApi(new OktaWebApiOptions()
    {
        OktaDomain = oktaOptions.Domain,
        AuthorizationServerId = "default",
        Audience = oktaOptions.Audience,
        HttpClient = builder.Services.BuildServiceProvider()
            .GetRequiredService<IHttpClientFactory>()
            .CreateClient("OktaClient")
    });

Manual Cache Invalidation:
Implement a mechanism to manually invalidate the cached signing keys periodically, ensuring they are refreshed before Okta rotates them.
Check Okta SDK Updates:
Ensure you are using the latest version of the Okta.AspNetCore package, as there might be updates or fixes related to this issue.
Custom Token Validation Logic:
As a last resort, you can implement custom token validation logic to handle the caching behavior according to your requirements.

I hope this info is helpful to you.

Best Regards,
Gregory Chavez
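For comparison, here is the same validation wired up with the standard JwtBearer handler instead of AddOktaWebApi, using Microsoft.IdentityModel's ConfigurationManager to bound the lifetime of the cached signing keys and RefreshOnIssuerKeyNotFound to re-fetch the JWKS when a token arrives with a kid that is not in the cache (the path a 90-day rotation goes through). This is an added example, not code from this thread or from the Okta SDK; the domain and audience values are placeholders.

```csharp
using System;
using System.Net.Http;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder values (constructed for this example); use your own org and audience.
var oktaDomain = "https://dev-example.okta.com";
var authorizationServerId = "default";
var audience = "api://default";
var issuer = $"{oktaDomain}/oauth2/{authorizationServerId}";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = issuer;
        options.Audience = audience;

        // Explicit control of the metadata/JWKS cache: keys are reloaded in the
        // background no later than AutomaticRefreshInterval, and an on-demand
        // refresh (unknown kid) is rate-limited to once per RefreshInterval.
        options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(
            $"{issuer}/.well-known/openid-configuration",
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever(new HttpClient()) { RequireHttps = true })
        {
            AutomaticRefreshInterval = TimeSpan.FromHours(12),
            RefreshInterval = TimeSpan.FromMinutes(5),
        };

        // If a token's kid is not among the cached keys, fetch the JWKS once
        // before rejecting it, so a freshly rotated key is picked up immediately.
        options.RefreshOnIssuerKeyNotFound = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/ping", () => "ok").RequireAuthorization();
app.Run();
```

The Cache-Control header on the back-channel request only influences intermediaries; the in-memory key lifetime is set by the two intervals above, and both have library-enforced minimums (5 minutes and 30 seconds respectively).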
