Reputation: 23
I'm using OpenID authentication. When I have several app services from different regions inside Traffic Manager, I get the above error regarding the state of authentication. It occurs even when I use this code:
// Startup helper: persist the data protection key ring in Azure Blob Storage so that
// every instance reads the same keys. Uses the older Microsoft.AspNetCore.DataProtection.AzureStorage
// package (CloudStorageAccount overload). EnsureContainerExists and Configuration are
// defined elsewhere in the Startup class.
private async Task ConfigureDataProtection(IServiceCollection services)
{
    var container = "container";
    var relativePath = "folder/keys.xml";
    var connectionString = Configuration.GetSection("ConnectionStrings:AzureConnectionString").Value;
    var storageAccount = CloudStorageAccount.Parse(connectionString);

    // The blob container must exist before the key ring is written to it.
    await EnsureContainerExists(storageAccount, container);

    services.AddDataProtection().PersistKeysToAzureBlobStorage(storageAccount, relativePath);
}
When I host horizontally scaled app services from one region, everything works fine. I'm using Azure. Why can this issue occur?
Upvotes: 0
Views: 338
Reputation: 1083
The error "unable to unprotect the message.state" that you are getting when using Azure Traffic Manager is due to the data protection mechanism used by ASP.NET Core.
While using OpenID authentication with multiple instances of an app service running in different regions behind Azure Traffic Manager, the data protection keys used to encrypt and decrypt the authentication state are not synchronized across all instances. Hence this causes the error.
One solution is to use a centralized data protection approach that allows all instances of the app service to share duplicate data protection keys. This can be done by using Azure Blob Storage to store the data protection keys, as you are already doing in your code.
Add DataProtectionProvider as mentioned on GitHub.
Thanks @jkotalik for the GitHub code.
// Excerpt from OpenIdConnectPostConfigureOptions.PostConfigure(string name, OpenIdConnectOptions options)
// in ASP.NET Core. `name` is the authentication scheme name; `_dp` is the IDataProtectionProvider
// injected into the post-configure class (the one registered by AddDataProtection()).
options.DataProtectionProvider = options.DataProtectionProvider ?? _dp;

if (string.IsNullOrEmpty(options.SignOutScheme))
{
    options.SignOutScheme = options.SignInScheme;
}

if (options.StateDataFormat == null)
{
    // The protector purpose is (handler type, scheme name, "v1"); the same purpose and
    // the same key ring are needed on every instance to unprotect the OIDC state.
    var dataProtector = options.DataProtectionProvider.CreateProtector(
        typeof(OpenIdConnectHandler).FullName, name, "v1");
    options.StateDataFormat = new PropertiesDataFormat(dataProtector);
}
If you use multiple OIDC middleware, you must set a unique CallbackPath for each.
For further information refer to SO link
Upvotes: 0
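As an added example (not code from the question or the answer above), here is a complete minimal-hosting startup that puts every instance behind Traffic Manager on one shared data protection key ring and lets the OpenID Connect handler pick that ring up through the post-configure step shown in the answer. It uses the current Azure.Extensions.AspNetCore.DataProtection.Blobs package rather than the older CloudStorageAccount-based one in the question; the application name "my-web-app", the connection string name "AzureConnectionString", the container "dataprotection-keys", the blob "keys.xml" and the "OpenIdConnect" configuration section are all assumed placeholders.

```csharp
// Added example: shared data protection key ring for multi-region App Service instances.
// Assumed NuGet packages: Azure.Extensions.AspNetCore.DataProtection.Blobs,
//                         Microsoft.AspNetCore.Authentication.OpenIdConnect.
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// Assumed names: adjust to your configuration.
var connectionString = builder.Configuration.GetConnectionString("AzureConnectionString");
const string container = "dataprotection-keys";
const string blobName = "keys.xml";

// The container must exist before the key ring is written; creating it here is
// idempotent, so every instance can safely run this at startup.
new BlobContainerClient(connectionString, container).CreateIfNotExists();

builder.Services.AddDataProtection()
    // Identical application name on every instance: the protector purpose used by the
    // OIDC handler (OpenIdConnectHandler, scheme name, "v1") only resolves to the same
    // keys when the application discriminator is the same as well.
    .SetApplicationName("my-web-app")
    // One key ring in Blob Storage for all regions, so state protected by an instance
    // in one region can be unprotected by an instance in another.
    .PersistKeysToAzureBlobStorage(connectionString, container, blobName);

builder.Services.AddAuthorization();
builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Authority, ClientId, ClientSecret etc. come from the assumed "OpenIdConnect" section.
        builder.Configuration.Bind("OpenIdConnect", options);
        // Must be unique per OIDC scheme if more than one is registered.
        options.CallbackPath = "/signin-oidc";
        // DataProtectionProvider and StateDataFormat are intentionally left null:
        // OpenIdConnectPostConfigureOptions fills them from the shared provider above.
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous")
   .RequireAuthorization();
app.Run();
```

To check that the ring is actually shared, open keys.xml in the container after all regions have started: it should contain a single set of key elements, and the data protection startup log line from each instance should name the same key id. If a region logs that it created a new key, that instance is writing to a different blob or was started with a different application name.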