Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Share oauth state between Owin app instances

See original GitHub issue

Recently we’re upgrading the auth way of a webform app to OpenIdConnect. We’ve imported Microsoft.Owin.Security.OpenIdConnect and it works well if the app is deployed as singleton. But when we deploy more instances and add load balance, the apps throw exceptions related to require nonce or require state.

I find that it seems to be the problem of default DataProtector Owin uses. If a challenge is requested by app-1, and the user logins successfully in Identity Server, then the server redirects the browser to xxx/signin-oidc?code=xxx&state=xxx&.... Due to load balance, the callback is sent to app-2, and app-2 cannot unprotect state and finally stops the next step.

Would anyone like to give me a solution, please?

p.s. I find this issue #435, but in fact I’m not going to share something with a .NET Core app. It will import more Nuget packages which are not updated after 2018. I just want to make sure the instances of same app can protect/unprotect each other.

Issue Analytics

State:
Created a year ago
Comments:7 (3 by maintainers)

Top GitHub Comments

1reaction

Tratchercommented, Apr 1, 2022

The recomendation is to update the request fields to match the public endpoint (scheme, host, port) so that when link and cookies are generated they use the correct value. See similar asp.net core samples: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0#scenarios-and-use-cases

0reactions

LeaFrockcommented, Apr 2, 2022

Thanks for your answer. And also sorry that, I just find the similar issue #332, #352 about nonce cookie problem 😿 .