Skip to content

UserApi.ListUsers possible race conditions in paging with JWK authentication #875

Description

@MichaelGrafnetter

Describe the bug?

UserApi.ListUsers randomly fails enumerating users from one of the subsequent pages JWK authentication.
ApiException with error 403 (Forbidden) is thrown when fetching one of the pages. The exception is thrown by MoveNextAsync() and contains errCode E0000005 and errorSummary "Invalid session". Looks like a race condition to me.

What is expected to happen?

Fetch all users with no exception. In case of an error, the retry policy should be applied instead of throwing an exception immediately.

What is the actual behavior?

In some organizations, the MoveNextAsync() iterator randomly throws an exception around pages 5-6 when a JWK of API service is used. Retry policy does not get applied and the failed request is only sent once.

Everything works when SSWS API tokens are used.

Reproduction Steps?

try
{
    UserApi userApi = new(_oktaConfig);
    int userCount = 0;
    await foreach (var user in userApi.ListUsers(cancellationToken: cancellationToken).ConfigureAwait(false))
    {
        userCount++;
    }
    Console.WriteLine($"Fetched {userCount} Okta users.");
}
catch (ApiException e)
{
    var status = (HttpStatusCode)e.ErrorCode;
    Console.WriteLine($"Error {e.ErrorCode} ({status}) received while trying to fetch Okta users.");
}

Additional Information?

No response

.NET Version

10.0.104

SDK Version

10.0.3

OS version

Windows 11

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions