问题
I have a .NET Core application with Angular2 UI running in a Service Fabric Cluster that I secured using OpenIddict. I followed this example: https://github.com/openiddict/openiddict-samples/tree/master/samples/RefreshFlow
It works great when I only have one instance of the stateless .NET Core application. When I increase the instance count to two, the authentication fails and I get a bunch of 401 errors. It seems that the token I receive is only good for that particular instance and is rejected on the other instance. I think I understand why this is happening, but I’m not sure how to address it.
Any help would be greatly appreciated.
回答1:
OpenIddict relies on the ASP.NET Core Data Protection stack to generate and protect its authorization codes, refresh tokens and access tokens (unless you explicitly opt for JWT as the access token format).
To ensure these tokens can be read across instances, you must configure ASP.NET Core Data Protection to share the same key ring. I recommend reading the related documentation on Microsoft's website if you need more information about this procedure.
回答2:
I solved this by looking at this: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-storage-providers#azure-and-redis
Here are the basic steps I took:
Create a blob storage account to store the shared keys.
Add the following code to your Startup.cs:
var storageAccount = CloudStorageAccount.Parse("blob storage connection string");
//Create the blob client object.
CloudBlobClient blobClient = storageAccount.CreateCloudBlobClient();
//Get a reference to a container to use for the sample code, and create it if it does not exist.
CloudBlobContainer container = blobClient.GetContainerReference("mycontainer");
container.CreateIfNotExists();
services.AddDataProtection()
.SetApplicationName("MyApplication")
.PersistKeysToAzureBlobStorage(container, "myblobname");
That was it.
来源:https://stackoverflow.com/questions/42628862/openiddict-401-errors-when-two-or-more-service-instance-count