
Identity Server 4 Running Behind a Load Balancer

I have set up Identity Server 4 for my project using Entity Framework. I already configured the service to use a persisted grant store and a signed certificate.

services.AddIdentityServer()
        .AddSigningCredential(Config.GetSigningCertificate())
        .AddResourceOwnerValidator<ResourceOwnerPasswordValidator>()
        .AddProfileService<ProfileService>()
        .AddConfigurationStore(builder =>
                    builder.UseSqlServer(connectionString, options =>
                        options.MigrationsAssembly(migrationsAssembly)))
        .AddOperationalStore(builder =>
                    builder.UseSqlServer(connectionString, options =>
                        options.MigrationsAssembly(migrationsAssembly)));

Here is the configuration of the service.

The problem is when I run my server behind a load balancer with, for example, 2 identical instances handling all the requests, the server where the user did not log in fails to decode the JWT token, leading to 401 Unauthorized errors.

I'm assuming the signing method of the tokens or their encryption is the problem, but I cannot find a way to solve this.

Here is the rest of my configuration.

The Configure:

app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
      Authority = url,
      // Authority = "http://localhost:5000",
      AllowedScopes = { "WebAPI" },
      RequireHttpsMetadata = false,
      AutomaticAuthenticate = true,
      AutomaticChallenge = true,
});

the Client:

new Client
{
     ClientId = "Angular2SPA",
     AllowedGrantTypes = GrantTypes.ResourceOwnerPassword, // Resource Owner Password Credential grant.
     AllowAccessTokensViaBrowser = true,
     RequireClientSecret = false, // This client does not need a secret to request tokens from the token endpoint.
     AccessTokenLifetime = 7200, // Lifetime of access token in seconds.
     AllowedScopes = {
                       IdentityServerConstants.StandardScopes.OpenId, // For UserInfo endpoint.
                       IdentityServerConstants.StandardScopes.Profile,
                       "roles",
                       "WebAPI"
                      },
     AllowOfflineAccess = true, // For refresh token.
     AccessTokenType = AccessTokenType.Jwt
}

I also implemented my own IResourceOwnerPasswordValidator and IProfileService.

Any idea why this is happening?

I had a similar issue load balancing Identity Server 4 and was able to share the keys using .AddDataProtection() in ConfigureServices of Startup.cs.

public void ConfigureServices(IServiceCollection services)
{
    // Other service configurations

    services.AddDataProtection();

    // Additional service configurations
}

As a side note, if you go this route, consider encrypting those keys (in whichever medium you decide to use) using an extension like .ProtectKeysWith* (there are several options). See https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/introduction?view=aspnetcore-2.1 for further information.

HTH
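Added example, not code from the question or the answer above: a Startup that wires the two things a multi-instance IdentityServer4 host needs to agree on, covering both the failure described in the question and the shared-key approach in the answer. The Data Protection key ring is persisted to one location every node can reach and encrypted at rest, the token-signing certificate is the same X509 certificate on every node, and the issuer/forwarded-header settings keep discovery URLs stable behind the balancer. The directory `/shared/dp-keys`, the certificate file `/etc/idsrv/keyring-protect.pfx`, the issuer `https://login.example.com` and the `KeyRingCertPassword` property are assumptions for illustration; `Config.GetSigningCertificate()`, `connectionString` and `migrationsAssembly` are the names used in the question.

```csharp
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed values (not from the original post): a path every instance can read and write,
    // a certificate used only to encrypt the key ring at rest, and the public issuer URL.
    private const string SharedKeyRingPath = "/shared/dp-keys";
    private const string KeyRingCertPath = "/etc/idsrv/keyring-protect.pfx";
    private const string PublicIssuer = "https://login.example.com";
    private static string KeyRingCertPassword => System.Environment.GetEnvironmentVariable("KEYRING_CERT_PASSWORD");

    private readonly string connectionString = "Server=...;Database=IdentityServer;..."; // placeholder
    private readonly string migrationsAssembly = typeof(Startup).Assembly.GetName().Name;

    public void ConfigureServices(IServiceCollection services)
    {
        // 1. Data Protection. With the default AddDataProtection() each instance keeps its own
        //    key ring, so cookies and protected grant data written by node A cannot be unprotected
        //    by node B. Persisting the ring to a shared store fixes that; SetApplicationName keeps
        //    the keys separate from any other app using the same store; ProtectKeysWithCertificate
        //    encrypts the key files so the share does not hold plaintext key material.
        var keyRingCert = new X509Certificate2(KeyRingCertPath, KeyRingCertPassword);
        services.AddDataProtection()
            .SetApplicationName("identity-server")
            .PersistKeysToFileSystem(new DirectoryInfo(SharedKeyRingPath))
            .ProtectKeysWithCertificate(keyRingCert);

        // 2. IdentityServer. The signing credential must be the same certificate on every node;
        //    a per-process developer credential would give each node a different key, and a JWT
        //    issued by one node would then fail signature validation when checked against another.
        //    IssuerUri pins the "iss" claim to the public address so it matches the API's Authority
        //    regardless of which internal host name the balancer forwarded the request to.
        services.AddIdentityServer(options =>
            {
                options.IssuerUri = PublicIssuer;
            })
            .AddSigningCredential(Config.GetSigningCertificate())
            .AddResourceOwnerValidator<ResourceOwnerPasswordValidator>()
            .AddProfileService<ProfileService>()
            .AddConfigurationStore(builder =>
                builder.UseSqlServer(connectionString, sql =>
                    sql.MigrationsAssembly(migrationsAssembly)))
            .AddOperationalStore(builder =>
                builder.UseSqlServer(connectionString, sql =>
                    sql.MigrationsAssembly(migrationsAssembly)));
    }

    public void Configure(IApplicationBuilder app)
    {
        // Behind a TLS-terminating balancer the app sees plain HTTP. Honouring X-Forwarded-For and
        // X-Forwarded-Proto lets IdentityServer build https:// discovery and redirect URLs instead
        // of http://<internal-host>/, which would otherwise make metadata differ between nodes.
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });

        app.UseIdentityServer();
    }
}
```

A quick check that the fix took effect: after deploying, the shared directory should contain `key-*.xml` files whose `<encryptedKey>` element replaces the plaintext `<masterKey>`, and a token obtained from one node should validate on the other while the `iss` claim in every token equals the configured public issuer.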
