
Asking this question here after doing quite a lot of research on the OpenID Connect mechanism, including authentication DLLs, sessions and cookies in .NET Core. Hope experts like you will be able to help me out with my long-pending issue.

I am unable to log in to the application and get the exceptions below when I run my application with more than one pod. With a single pod it works fine.

Exception: The oauth state was missing or invalid. (Unknown location)

Exception: An error was encountered while handling the remote login.

I am using ASP.NET Core 2.1 in Visual Studio 2017 and implemented SSO using the OpenID Connect mechanism, with Ping as the identity provider.

The application is deployed in ICP (IBM Cloud) environment and using Kubernetes to create pods.

After getting the exception, if I keep the browser open without clicking, the exception changes to:

Exception: OAuth Token Endpoint Failure: Status:BadRequestHeader

I tried a few things like enabling SQL Server session state for the application (considering it's a distributed session scenario and it could be that session values are not available on the other pod), SameSite configuration in the Startup file, implementing an ITicketStore session store and a few others, but no luck.

marc_s
Rakesh Jha

1 Answer

Have you configured the Data Protection API in each pod?

Your session cookie issued by ASP.NET core is encrypted using the Data Protection API

To make the cookie from one pod consumable by the other pod, both pods need to be configured with the same key.

The key used to sign the cookie is stored in a Key ring. If you redeploy your application and if you haven't configured it correctly, then a new encryption key will be issued for each service.

If the key that was used to encrypt the cookie can't be found, then the existing session cookies in all clients' browsers can't be decrypted anymore.

See this article about this API and this article about how to configure it.

Tore Nestenius
  • Check this out - https://stackoverflow.com/questions/57164127/the-oauth-state-was-missing-or-invalid-an-error-was-encountered-while-handling – Bokambo Jan 04 '22 at 21:38
  • https://stackoverflow.com/questions/59456415/google-auth-the-oauth-state-was-missing-or-invalid-unknown-location/61950614#61950614 – Bokambo Jan 04 '22 at 21:39
  • Thanks @Bokambo ! Remember - my application works fine and as expected with one pod – Rakesh Jha Jan 05 '22 at 13:08
  • @RakeshJha How did you configure the Data Protection? – Tore Nestenius Jan 05 '22 at 13:18
  • I simply added below lines in ConfigureServise just to check if it works but it's not, I had a plan to store the key into the database later on. services.AddDataProtection() .SetDefaultKeyLifetime(TimeSpan.FromDays(14)); – Rakesh Jha Jan 05 '22 at 13:59
  • If you have two PODS, then cookies will not be shareable without setting the same key in both. As you have it now, you will have two separate keys. – Tore Nestenius Jan 05 '22 at 15:08
  • @ToreNestenius: So are you saying if there are 20 pods, it needs 20 different keys? If yes, can you share a working example for the same? – Bokambo Jan 05 '22 at 23:29
  • public void ConfigureServices(IServiceCollection services) { services.AddDataProtection() .SetDefaultKeyLifetime(TimeSpan.FromDays(14)); } This does not help with 2 pods – Bokambo Jan 05 '22 at 23:33
  • @ToreNestenius - Thank You !! I believe you mentioned about ProtectKeysWithAzureKeyVault but the application is hosted on IBM Cloud and not sure if this will work on ICP. There are other options available to store key. I tried but unable to implement PersistKeysToDbContext method as the DLL Microsoft.ASPNetCore.DataProtection.EntityFramework not supported for Core 2.1 version. Do you think updating app to core 3.1 version will help? – Rakesh Jha Jan 06 '22 at 08:22
  • If you have 20 pods, you can still use one shared key across all the pods, if the 20 pods are the same service. So, basically, if you want two service instances to share the same cookie in ASP.NET Core, then these two services need to share the same key. How the key is shared is up to you. I blogged about it here earlier: https://www.edument.se/post/storing-the-asp-net-core-data-protection-key-ring-in-azure-key-vault – Tore Nestenius Jan 06 '22 at 11:18
  • Issue got resolved after updating the app to .NET Core version 2.2 and implementing DataProtection with DbContext. Thank You All!! – Rakesh Jha Jan 07 '22 at 06:15
  • Great! Glad you fixed it – Tore Nestenius Jan 07 '22 at 08:00
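As an added illustration of the answer above and of the configuration quoted in the comments (this is not code from the question, the answer or the linked posts): the per-pod setup from the comment thread beside a setup in which every replica persists its keys to one shared store. It assumes a volume mounted at `/var/dpkeys` in every pod and the application name `sso-web`, both placeholders; `PersistKeysToDbContext`, which the asker ended up using on 2.2, is an alternative store with the same effect.

```csharp
// Added example, not from the original post. Targets ASP.NET Core 2.x.
// Assumes a shared volume (e.g. a ReadWriteMany PersistentVolume) at /var/dpkeys
// is mounted in every pod; the path and application name are placeholders.
using System;
using System.IO;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Before (the configuration quoted in the comments): each pod creates its
        // own key ring in the default location inside its container, so a cookie
        // or OIDC state protected by pod A cannot be unprotected by pod B.
        // services.AddDataProtection()
        //         .SetDefaultKeyLifetime(TimeSpan.FromDays(14));

        // After: all replicas read and write the same key ring.
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo("/var/dpkeys")) // placeholder path
            .SetApplicationName("sso-web")                             // placeholder name
            .SetDefaultKeyLifetime(TimeSpan.FromDays(14));
        // Keys on the volume are stored unencrypted: restrict the volume's
        // permissions, or add ProtectKeysWithCertificate(...) for encryption at rest.

        services.AddMvc();
    }

    // IKeyManager is registered by AddDataProtection and can be injected here.
    public void Configure(IApplicationBuilder app, IKeyManager keyManager, ILogger<Startup> logger)
    {
        // Diagnostic: every pod should log the same key IDs at startup. If the
        // sets differ between pods, the replicas are not sharing a key ring.
        var ids = keyManager.GetAllKeys().Select(k => k.KeyId.ToString()).ToArray();
        logger.LogInformation("Data Protection key ring: {KeyIds}", string.Join(",", ids));

        app.UseAuthentication();
        app.UseMvc();
    }
}
```

Compare the logged key IDs across pods after a rolling deploy; a pod that logs an empty or different set is the one that will fail the OpenID Connect callback with "The oauth state was missing or invalid".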