数据保护 - 在多个应用程序之间共享机器密钥

Question

Let's suppose that we have two APIs, one for UserManagement and one for Auth .

UserManagement API is responsible for initial invitation email (where i need a ResetPasswordToken because this is my current app flow) and Auth API is responsible for password recovery (where i need a ResetPasswordToken ).

Of course, i need to specify the same machine key for both applications.

Let's also suppose that those two applications will be deployed behind a load balancer. 2 apps x 3 instances.

It is sufficient to have the same shared location for persisting keys (Redis or so) in both APIs?

services.AddDataProtection().PersistKeysToRedis(/* */);

I'm thinking that if it works for one app, multiple instances scenario, it will work for multiple apps, multiple instances scenario too.

PS: I wasn't able to find anything about any locking mechanism (it seems that there is one just looking at how it behaves)

Another thing that i'm concerned of: race condition?!

Duc_Thuan_Nguy Jun 9, 2017

Out of curiosity, how does key rolling handle concurrency? For example, let's say we have a web-farm with 2 machines and a shared network directory. There may be a race condition in which both machines want to roll a new key at the same time. How is this situation handled? Or the two machines can roll their own new keys and as long as they can have access to both new keys, they can unprotect data smoothly?

Comment reference: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-management

Later edit: It looks like if you have multiple apps it isn't sufficient to specify that you want to persist keys in the same location. There is a concept of application discriminator (all apps being isolated).

You will need something like the following:

services.AddDataProtection(configure => {
                configure.ApplicationDiscriminator = "App.X";
            }).PersistKeysToRedis(/* */);

Locking and race condition questions are still valid.

Answer 1

No, it's not sufficient. ASP.NET Core's data protection isolates applications by default based on file paths, or IIS hosting information, so multiple apps can share a single keyring, but still not be able to read each other's data.

As the docs state

By default, the Data Protection system isolates apps from one another, even if they're sharing the same physical key repository. This prevents the apps from understanding each other's protected payloads. To share protected payloads between two apps, use SetApplicationName with the same value for each app

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .SetApplicationName("shared app name");
}

Answer 2

A quick update on this one: it seems like it's possible to eliminate race conditions by using the DisableAutomaticKeyGeneration method on all of your apps except the "main" one.

ie it will be

    services.AddDataProtection()
        .SetApplicationName("shared app name");

for the main one and

    services.AddDataProtection()
        .SetApplicationName("shared app name")
        .DisableAutomaticKeyGeneration();

for all other apps