OpenIddict: 401 errors when two or more service instance count

Question

I have a .NET Core application with Angular2 UI running in a Service Fabric Cluster that I secured using OpenIddict. I followed this example: https://github.com/openiddict/o

Answer 1

OpenIddict relies on the ASP.NET Core Data Protection stack to generate and protect its authorization codes, refresh tokens and access tokens (unless you explicitly opt for JWT as the access token format).

To ensure these tokens can be read across instances, you must configure ASP.NET Core Data Protection to share the same key ring. I recommend reading the related documentation on Microsoft's website if you need more information about this procedure.

Answer 2

I solved this by looking at this: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers#azure-and-redis

Here are the basic steps I took:

1. Create a blob storage account to store the shared keys.

2. Add the following code to your Startup.cs:

var storageAccount = CloudStorageAccount.Parse("blob storage connection string");

//Create the blob client object.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();

//Get a reference to a container to use for the sample code, and create it if it does not exist.
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();

services.AddDataProtection()
    .SetApplicationName("MyApplication")
    .PersistKeysToAzureBlobStorage(container, "myblobname");

That was it.