Share oauth state between Owin app instances
Recently we're upgrading the auth way of a webform app to OpenIdConnect. We've imported Microsoft.Owin.Security.OpenIdConnect and it works well if the app is deployed as a singleton. But when we deploy more instances and add a load balancer, the apps throw exceptions related to `require nonce` or `require state`.

I find that it seems to be the problem of the default `DataProtector` Owin uses. If a challenge is requested by app-1, and the user logs in successfully in Identity Server, then the server redirects the browser to xxx/signin-oidc?code=xxx&state=xxx&... Due to load balancing, the callback is sent to app-2, and app-2 cannot unprotect `state` and finally stops the next step.
Would anyone like to give me a solution, please?
p.s. I find this issue #435, but in fact I'm not going to share something with a .NET Core app. It will import more NuGet packages which are not updated after 2018. I just want to make sure the instances of the same app can protect/unprotect each other.
Issue Analytics
- State:
- Created a year ago
- Comments: 7 (3 by maintainers)
Top GitHub Comments
The recommendation is to update the request fields to match the public endpoint (scheme, host, port) so that when links and cookies are generated they use the correct value. See similar asp.net core samples: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-6.0#scenarios-and-use-cases
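One way to apply that recommendation in a Katana (Microsoft.Owin) pipeline, as an added example that is not part of the issue or of the Microsoft.Owin project: a small middleware that rewrites `Request.Scheme` and `Request.Host` from the `X-Forwarded-Proto` / `X-Forwarded-Host` headers, but only when the request arrived from the load balancer. The header names, the `UseForwardedHeaders` extension and the placeholder proxy address `10.0.0.5` are assumptions; the rewrite is deliberately limited to trusted hops, because a client that can set these headers directly would otherwise control the host used in the generated redirect_uri and in the nonce/state cookies.

```csharp
// Added example (not from the issue or from Microsoft.Owin): a forwarded-headers
// middleware so that the OpenIdConnect middleware builds links and cookies for the
// public endpoint instead of the internal address of the instance.
using System;
using System.Linq;
using System.Net;
using Microsoft.Owin;
using Owin;

public static class ForwardedHeadersExtensions
{
    // Assumption: the load balancer sets X-Forwarded-Proto and X-Forwarded-Host.
    // Only requests whose remote address is one of the trusted proxies are rewritten;
    // anything else keeps the scheme/host it actually arrived with.
    public static IAppBuilder UseForwardedHeaders(this IAppBuilder app, params string[] trustedProxies)
    {
        var trusted = trustedProxies.Select(IPAddress.Parse).ToArray();
        return app.Use(async (context, next) =>
        {
            IPAddress remoteIp;
            var remote = context.Request.RemoteIpAddress;
            if (remote != null && IPAddress.TryParse(remote, out remoteIp) && trusted.Contains(remoteIp))
            {
                ApplyForwardedHeaders(context.Request);
            }
            await next();
        });
    }

    // Kept separate so it can be exercised with an OwinRequest built over a plain environment dictionary.
    public static void ApplyForwardedHeaders(IOwinRequest request)
    {
        var proto = request.Headers.Get("X-Forwarded-Proto");
        if (!string.IsNullOrEmpty(proto))
        {
            // A header may carry a comma-separated chain; the first entry is the client-facing hop.
            var first = proto.Split(',')[0].Trim().ToLowerInvariant();
            if (first == "http" || first == "https")
            {
                request.Scheme = first;
            }
        }

        var host = request.Headers.Get("X-Forwarded-Host");
        if (!string.IsNullOrEmpty(host))
        {
            var first = host.Split(',')[0].Trim();
            // HostString performs no validation, so parse the value as an authority first
            // and drop anything that is not a well-formed host[:port].
            Uri parsed;
            if (Uri.TryCreate("http://" + first, UriKind.Absolute, out parsed)
                && string.IsNullOrEmpty(parsed.PathAndQuery.TrimStart('/')))
            {
                request.Host = new HostString(parsed.Authority);
            }
        }
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Must run before the cookie and OpenIdConnect middleware, which read
        // Request.Scheme/Host when they build the redirect_uri and correlation cookies.
        app.UseForwardedHeaders("10.0.0.5"); // placeholder: your load balancer's address

        // app.UseCookieAuthentication(...);
        // app.UseOpenIdConnectAuthentication(...);
    }
}
```

Register it before `UseOpenIdConnectAuthentication` so that the challenge and the callback on every instance compute the same public redirect_uri. The trusted-proxy check is the important part: without it, any client can supply `X-Forwarded-Host` and the application will happily mint cookies and links for an attacker-chosen host.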
Thanks for your answer. And also sorry that, I just find the similar issue #332, #352 about nonce cookie problem 😿 .