ServerSideSessionCleanupHost null refernce exception

[chrisrestall]

We recently updated our BFF and Duende.IdentityServer.AspNetIdentity/EntityFramework libraries to 7.2.3. We have noticed a periodic null reference exception in our logs:

Stack:

System.NullReferenceException: Object reference not set to an instance of an object.
   at Duende.IdentityServer.Services.DefaultServerUrls.get_Origin() in /_/identity-server/src/IdentityServer/Services/Default/DefaultServerUrls.cs:line 32
   at Duende.IdentityServer.Extensions.ServerUrlExtensions.GetUnicodeOrigin(IServerUrls urls) in /_/identity-server/src/IdentityServer/Extensions/ServerUrlExtensions.cs:line 22
   at Duende.IdentityServer.Services.DefaultIssuerNameService.GetCurrentAsync() in /_/identity-server/src/IdentityServer/Services/Default/DefaultIssuerNameService.cs:line 65
   at Duende.IdentityServer.Services.KeyManagement.KeyManager.CreateAndStoreNewKeyAsync(SigningAlgorithmOptions alg) in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 274
   at Duende.IdentityServer.Services.KeyManagement.KeyManager.CreateNewKeysAndAddToCacheAsync() in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 508
   at Duende.IdentityServer.Services.KeyManagement.KeyManager.GetAllKeysInternalAsync() in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 184
   at Duende.IdentityServer.Services.KeyManagement.KeyManager.GetCurrentKeysAsync() in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line 73
   at Duende.IdentityServer.Services.KeyManagement.AutomaticKeyManagerKeyStore.GetAllSigningCredentialsAsync() in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/AutomaticKeyManagerKeyStore.cs:line 92
   at Duende.IdentityServer.Services.KeyManagement.AutomaticKeyManagerKeyStore.GetSigningCredentialsAsync() in /_/identity-server/src/IdentityServer/Services/Default/KeyManagement/AutomaticKeyManagerKeyStore.cs:line 78
   at Duende.IdentityServer.Services.DefaultKeyMaterialService.GetSigningCredentialsAsync(IEnumerable`1 allowedAlgorithms) in /_/identity-server/src/IdentityServer/Services/Default/DefaultKeyMaterialService.cs:line 60
   at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateJwtAsync(Token token, String payload, Dictionary`2 headerElements) in /_/identity-server/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 130
   at Duende.IdentityServer.Services.DefaultTokenCreationService.CreateTokenAsync(Token token) in /_/identity-server/src/IdentityServer/Services/Default/DefaultTokenCreationService.cs:line 76
   at Duende.IdentityServer.IdentityServerTools.IssueJwtAsync(Int32 lifetime, String issuer, String tokenType, IEnumerable`1 claims) in /_/identity-server/src/IdentityServer/IdentityServerTools.cs:line 147
   at Duende.IdentityServer.Services.DefaultBackChannelLogoutService.CreateTokenAsync(BackChannelLogoutRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs:line 157
   at Duende.IdentityServer.Services.DefaultBackChannelLogoutService.CreateFormPostPayloadAsync(BackChannelLogoutRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs:line 133
   at Duende.IdentityServer.Services.DefaultBackChannelLogoutService.SendLogoutNotificationAsync(BackChannelLogoutRequest request) in /_/identity-server/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs:line 111
   at Duende.IdentityServer.Services.DefaultBackChannelLogoutService.SendLogoutNotificationsAsync(LogoutNotificationContext context) in /_/identity-server/src/IdentityServer/Services/Default/DefaultBackChannelLogoutService.cs:line 89
   at Duende.IdentityServer.Services.DefaultSessionCoordinationService.ProcessExpirationAsync(UserSession session) in /_/identity-server/src/IdentityServer/Services/Default/DefaultSessionCoordinationService.cs:line 177
   at Microsoft.Extensions.DependencyInjection.ServerSideSessionCleanupHost.RunAsync(CancellationToken cancellationToken) in /_/identity-server/src/IdentityServer/Hosting/ServerSideSessionCleanupHost.cs:line 148
   at Microsoft.Extensions.DependencyInjection.ServerSideSessionCleanupHost.RunAsync(CancellationToken cancellationToken) in /_/identity-server/src/IdentityServer/Hosting/ServerSideSessionCleanupHost.cs:line 128

Not clear as to the cause.

[wcabus]

The server-side session cleanup hosted service was in the middle of processing expired sessions, and attempted to trigger a back-channel logout to inform clients and/or external identity providers that the user's session should also expire there.

To perform the back-channel logout, another token is created, during which the automatic key management service detected that a new signing key should be created and announced. The code responsible for this, needs to know the current issuer domain, which is derived from the current HTTP context.

And this is where the NullReferenceException came from: there is no current HTTP context during the cleanup process.
As a result, the server-side session triggering this error was successfully removed from the store, but the back-channel logout could not be performed.

[chrisrestall]

Is there anything we need to do on our end or is this a safe to ignore log statement due to timing of session cleanup, backchannel logout and new key creation?

[wcabus]

It is safe to ignore, unless you rely on the back-channel logout to be sent for every expired session. I'm going to check with the engineering team if we can catch this behaviour, but a potential fix might take a while.

[bhazen]

@chrisrestall thanks for reporting the issue. It would be helpful for us to know a bit more about your current IdentityServer setup. Could you please provide the following info:

1. What does your configuration for key management look like? We're mostly interested in any of the settings from KeyManagementOptions which control timing that are different than the defaults and the type of signing keys you're using (RSA vs X509)
2. From which previous version(s) were you upgrading?
3. Are you using the default interval for how long the server-side session cleanup job runs or something different?
4. Do you have any health checks against your IdentityServer instance? If so, against which endpoint(s)?

[chrisrestall]

Sure:

1. Here's are settings for keyManagement:

 "DuendeKeyManagement": {
   "RotationIntervalDays": 30,
   "PropagationTimeDays": 2,
   "RetentionDurationDays": 7,
   "DeleteRetiredKeys": false }

signing keys are signed as RS256

2. We upgraded from 6.3.5 - BFF and EF stuff as well
3. Our serverside session cleanup is set to:

 "IdentityServerSideSession": {
  "RemoveExpiredSessions": true,
  "RemoveExpiredSessionsFrequencySeconds": 120,
  "RemoveExpiredSessionsBatchSize": 20,
  "SessionIdentifierUserClaimDisplay": "name",
  "PublicKey": ""}

4. Yes, we are using the ASPNET diagnostic:

   builder.Services.AddHealthChecks().AddDbContextCheck();
   builder.Services.AddHealthChecks().AddDbContextCheck();
   builder.Services.AddHealthChecks().AddDbContextCheck();

[josephdecock]

Thanks @chrisrestall for these details!

It turns out that the process of creating a new key that Wes was describing above only actually uses the issuer if you wrap your signing keys in an x509 certificate. Since you're not doing that, we can provide a workaround. If we optimize the signing key management code to not attempt to retrieve the issuer if it isn't needed, your configuration should stop throwing this exception.

We're in the process of producing a patch with that optimization/workaround, and we'll publish that soon as version 7.3.2. You mentioned that you're on 7.2.3, so there won't be any breaking changes in this upgrade.

There is still the possibility of this issue coming back if you ever did start using X509 certificates for your signing keys. We're looking at a more general solution to these kinds of problems, but that will involve some larger architectural changes that would come in a future major version. For now, my recommendation is to stick to your current config and use 7.2.3.

If you do need the X509 wrapper, you could work around this by adding a health check that makes requests to the JWKS endpoint in discovery (~/.well-known/openid-configuration/jwks). As Wes was describing, this error is occurring because IdentityServer generates keys on demand. The cleanup job is running when the keys need to be rotated and there hasn't been an http request that would initiate rotation. So, simply making regular requests to the jwks endpoint might prevent that situation or at least make it even rarer - especially if your health check runs more frequently than the cleanup job.

[josephdecock]

Update: 7.3.2 is now available on NuGet. Please try upgrading to it, and let us know if you have any feedback or issues. Thanks!