Details
- Bug
- Resolution: Fixed
- Major
- 2.7.3
- Security Level: Public
- None
- CBG Sprint 83
- 3
Description
During OpenID Connect authentication, Sync Gateway initializes the OIDC client with the specified configuration by performing an initial provider metadata discovery from the well-known endpoint, then starts the periodic discovery sync in the background. Initialization of the client is performed lazily (when the first request comes in) and exactly once throughout the life cycle of an SG instance. The caveat is that if the provider is not reachable at the time the OIDC client is initialized, SG won't refresh the client instance cached in memory until the next metadata sync. If the provider becomes available later, any auth request made before the next metadata sync can still end up with "401 Invalid Login", even when the request header carries a valid Bearer token obtained from the provider. Today, customers restart Sync Gateway to establish the connection with the provider, which is not desirable. This issue needs to be addressed: force Sync Gateway to reinitialize the client by establishing the connection with the provider during the subsequent authentication request, so that an explicit restart of the server instance is not needed.
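The failure mode above is a general one: a lazy, run-exactly-once initializer that caches its first outcome also caches a failure, so every later request is rejected even though the dependency has recovered. The following Go program is an added illustration, not Sync Gateway's code; `ProviderMetadata`, `Discoverer`, `FlakyProvider` and the two client types are hypothetical names constructed for the example, and the HTTP discovery call is replaced by an injected function so it runs offline. It contrasts a `sync.Once`-style client that never recovers with a client that caches metadata only after a successful discovery and retries on the next authentication request.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ProviderMetadata stands in for the OIDC discovery document (issuer, jwks_uri, ...).
type ProviderMetadata struct {
	Issuer string
}

// Discoverer fetches provider metadata from the well-known endpoint.
// In a real client this is an HTTP GET; here it is injected for an offline run.
type Discoverer func() (*ProviderMetadata, error)

// OnceClient reproduces the reported behaviour: discovery runs exactly once
// and its result, including an error, is cached for the life of the instance.
type OnceClient struct {
	once     sync.Once
	discover Discoverer
	meta     *ProviderMetadata
	err      error
}

func NewOnceClient(d Discoverer) *OnceClient { return &OnceClient{discover: d} }

func (c *OnceClient) Authenticate(token string) error {
	c.once.Do(func() { c.meta, c.err = c.discover() })
	if c.err != nil {
		// A provider outage at first use is now permanent until restart.
		return fmt.Errorf("401 Invalid Login: %w", c.err)
	}
	return verify(c.meta, token)
}

// RetryClient caches metadata only after discovery succeeds, so a provider
// that is unreachable at first use does not poison later requests.
type RetryClient struct {
	mu       sync.Mutex
	discover Discoverer
	meta     *ProviderMetadata
}

func NewRetryClient(d Discoverer) *RetryClient { return &RetryClient{discover: d} }

func (c *RetryClient) metadata() (*ProviderMetadata, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.meta != nil {
		return c.meta, nil
	}
	m, err := c.discover()
	if err != nil {
		return nil, err // nothing cached; the next request retries discovery
	}
	c.meta = m
	return m, nil
}

func (c *RetryClient) Authenticate(token string) error {
	m, err := c.metadata()
	if err != nil {
		return fmt.Errorf("401 Invalid Login: %w", err)
	}
	return verify(m, token)
}

// verify is a placeholder for real token validation against the provider's keys.
func verify(m *ProviderMetadata, token string) error {
	if token == "" {
		return errors.New("401 Invalid Login: empty token")
	}
	return nil
}

// FlakyProvider fails the first `failures` discovery attempts and then succeeds,
// modelling a provider that is down when the gateway starts and comes back later.
type FlakyProvider struct {
	failures int
	calls    int
}

func (p *FlakyProvider) Discover() (*ProviderMetadata, error) {
	p.calls++
	if p.calls <= p.failures {
		return nil, errors.New("provider unreachable")
	}
	return &ProviderMetadata{Issuer: "https://idp.example/"}, nil // constructed sample issuer
}

// Scenario sends three authentication requests to each client while the provider
// is down for the first one, and reports which requests were accepted.
func Scenario() (onceResults, retryResults []bool) {
	once := NewOnceClient((&FlakyProvider{failures: 1}).Discover)
	retry := NewRetryClient((&FlakyProvider{failures: 1}).Discover)
	for i := 0; i < 3; i++ {
		onceResults = append(onceResults, once.Authenticate("valid-token") == nil)
		retryResults = append(retryResults, retry.Authenticate("valid-token") == nil)
	}
	return
}

func main() {
	o, r := Scenario()
	fmt.Println("init-once client:", o) // [false false false]
	fmt.Println("retrying client: ", r) // [false true true]
}
```

The observable symptom in the once-only variant is exactly the ticket's: a client presents a token the provider would accept, and the gateway answers 401 on every request until a restart. Caching only successful discovery keeps the "initialize once" cost on the happy path while letting the first request after the provider recovers succeed.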