I'm trying to create a master-slave type configuration for authentication with IdentityServer4 as below
MyMasterIdentityServer0 (Master) - receives id_token
I believe you are getting the "Unable to unprotect the message.State" error because one of your OIDC providers is trying to decrypt/unprotect the message state of the other one. (The message state is just a random string to help with security.)
I suggest that you name the AuthenticationSchemes for each OIDC provider like `oidc-demo` and `oidc-master`. Then the external providers should send you back to the corresponding `signin-oidc-demo` and `signin-oidc-master` endpoints.
--
Turns out this answer was basically correct. When using multiple OIDC providers you need different AuthenticationSchemes:
AuthenticationScheme: oidc-google
SignInScheme: IdentityServerConstants.ExternalCookieAuthenticationScheme
Callback: /signin-oidc-google
AND
AuthenticationScheme: oidc-microsoft
SignInScheme: IdentityServerConstants.ExternalCookieAuthenticationScheme
Callback: /signin-oidc-microsoft
If you don't differentiate OIDC providers, they may try to sign in with the same scheme and the cryptography won't match, and only the first OIDC provider registered in your code will work.
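The configuration described in the answer and confirmed in the follow-up, as an added example that is not code from the original post. It registers two OpenID Connect handlers in an ASP.NET Core / IdentityServer4 `Startup` class, each with its own scheme name and its own callback path, and both signing into `IdentityServerConstants.ExternalCookieAuthenticationScheme`. The scheme names, display names, callback paths, and configuration keys (`Google:ClientId`, `Microsoft:TenantId`, and so on) are assumptions chosen to match the thread; the authority URLs are the public endpoints of those two providers.

```csharp
// Added example (not from the original post): two OIDC providers registered
// side by side. Scheme names, callback paths and configuration keys are assumed.
using IdentityServer4;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Minimal IdentityServer4 registration; real deployments add their
        // resource/client stores and a proper signing credential here.
        services.AddIdentityServer()
            .AddDeveloperSigningCredential(); // dev only, never in production

        services.AddAuthentication()
            // Scheme name "oidc-google" (assumed). The ASP.NET Core OIDC handler
            // builds its state data protector from the scheme name, so state
            // issued by this handler can only be unprotected by this handler.
            .AddOpenIdConnect("oidc-google", "Google", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Authority = "https://accounts.google.com";
                options.ClientId = _config["Google:ClientId"];
                options.ClientSecret = _config["Google:ClientSecret"];
                options.ResponseType = OpenIdConnectResponseType.Code;
                // Distinct callback path per provider. With the default
                // "/signin-oidc" on both handlers, whichever is registered first
                // claims the response and fails to unprotect the other's state.
                options.CallbackPath = "/signin-oidc-google";
                options.SignedOutCallbackPath = "/signout-callback-oidc-google";
                options.SaveTokens = true;
                options.Scope.Add("email"); // "openid" and "profile" are added by default
            })
            // Second provider, scheme name "oidc-microsoft" (assumed), with a
            // tenant-specific authority so the issuer in the id_token validates.
            .AddOpenIdConnect("oidc-microsoft", "Microsoft", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                options.Authority = $"https://login.microsoftonline.com/{_config["Microsoft:TenantId"]}/v2.0";
                options.ClientId = _config["Microsoft:ClientId"];
                options.ClientSecret = _config["Microsoft:ClientSecret"];
                options.ResponseType = OpenIdConnectResponseType.Code;
                options.CallbackPath = "/signin-oidc-microsoft";
                options.SignedOutCallbackPath = "/signout-callback-oidc-microsoft";
                options.SaveTokens = true;
                options.Scope.Add("email");
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // UseIdentityServer also wires up the authentication middleware.
        app.UseIdentityServer();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Each provider's registered redirect URI must then match its own callback path (`https://<host>/signin-oidc-google` at Google, `https://<host>/signin-oidc-microsoft` at Microsoft), and the external-login action starts the flow by challenging the chosen scheme by name, for example `Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, "oidc-google")`. A quick check that the separation is in place: start a login against each provider in turn and confirm that the `state` parameter on each provider's redirect, and the callback that consumes it, are handled by the scheme that issued them; the "Unable to unprotect the message.State" error only appears when one handler receives the other's callback.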