Modgud.Client.AspNetCore (UserInfoEnricher) currently calls /connect/userinfo on every authenticated request (hooked on JwtBearerEvents.OnTokenValidated, no caching; fails open on IdP outage). Meanwhile resource_access has been baked into access tokens at issuance for some time, so for JWT clients the round-trip is usually redundant.
Task:
- Reconstruct the intended design from the git history of the client library and the token-baking change (this behavior has been revised several times; the current state may not reflect the last decision).
- Decide and implement the target behavior, e.g.: use the token-embedded
resource_access when present; fall back to userinfo only for tokens without it; optionally add a bounded cache with a documented staleness guarantee.
- Document the resulting profiles (stateless JWT / reference+introspection / cached refresh) with their security, availability and freshness guarantees in
docs/integrate/resource-server.md.
Modgud.Client.AspNetCore(UserInfoEnricher) currently calls/connect/userinfoon every authenticated request (hooked onJwtBearerEvents.OnTokenValidated, no caching; fails open on IdP outage). Meanwhileresource_accesshas been baked into access tokens at issuance for some time, so for JWT clients the round-trip is usually redundant.Task:
resource_accesswhen present; fall back to userinfo only for tokens without it; optionally add a bounded cache with a documented staleness guarantee.docs/integrate/resource-server.md.