-
Notifications
You must be signed in to change notification settings - Fork 401
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Retry RemoteKeySet#updateKeys on error #372
Comments
Are you actually hitting issues or is this theoretical? Retry strategies are usually documented as part of your API contract (e.g. https://google.aip.dev/194). To the best of my knowledge, there's nothing in the spec, and I wouldn't want to make assumptions about what responses indicate a request is or isn't retryable. Is this about adding Retry-After support?
I'm inclined to omit retry logic since its simpler and easier to reason about this way. |
For some additional context, this library used to implement Cache-Control header parsing. It ended up causing more headaches than it solved, and was ripped out eventually. |
Thanks for your response! I am indeed experiencing issues due to unreliable network connections, which led me to digging this code path. I am not familiar with the OpenID Connect Core spec, and indeed do not see any mentions of error handling / retrying. I'll refer to the HTTP spec (RFC9110), which says (roughly): the
AIP194 follows the same logic:
Even today, go-oidc will send multiple I'd recommend adding retry logic for network errors, such as connection or read timeouts, as well as the following HTTP status codes:
Supporting the I also wanted to mention that it seems like errors from this |
Sounds good! I think my main concern is if we hit a net deadline (e.g. timing out after 30 seconds and not getting an HTTP response). Retrying that operation might result in the code blocking for some unreasonable amount of time. There is also: #248 Just to unblock you, we could start returning wrapped HTTP errors when we hit non-2XX HTTP responses from all of our APIs. Similar to https://pkg.go.dev/golang.org/x/oauth2#RetrieveError You'd be able to do the retry in your call to Verify(), then we can figure out details for retry-by-default later. |
go-oidc/oidc/jwks.go
Lines 221 to 248 in 921a42b
It looks like this function does not attempt to retry on errors. This function performs a GET, so most errors should be retry-friendly. A single retry would significantly[1] help recover from most errors.
[1]: source: none :)
The text was updated successfully, but these errors were encountered: