Help us make content visible
- Tell us what search terms you used and how you searched docs.
- cookie
- cluster
- dpapi
- Tell us what docs you found that didn't address your concern.
Describe the new topic
This page gets very close to answering my question. But in the opening block of content is a list of steps:
- A common data protection key storage location is used.
- In ASP.NET Core apps, PersistKeysToFileSystem is used to set the key storage location.
- In .NET Framework apps, Cookie Authentication Middleware uses an implementation of DataProtectionProvider. DataProtectionProvider provides data protection services for the encryption and decryption of authentication cookie payload data. The DataProtectionProvider instance is isolated from the data protection system used by other parts of the app. DataProtectionProvider.Create(System.IO.DirectoryInfo, Action) accepts a DirectoryInfo to specify the location for data protection key storage.
- DataProtectionProvider requires the Microsoft.AspNetCore.DataProtection.Extensions NuGet package:
- In .NET Framework apps, add a package reference to Microsoft.AspNetCore.DataProtection.Extensions.
- SetApplicationName sets the common app name.
In the point "A common data protection key storage location is used" it goes on to assume a shared file system location. However, in my use case I have one application running on N servers. I have configured `Microsoft.AspNetCore.DataProtection.Extensions` to use EF Core like so:

```csharp
services.AddDataProtection()
    .SetApplicationName("myApp")
    .PersistKeysToDbContext<MyDbContext>();
```

Originally I assumed that this would just work, but each time I deployed my application (which uses a new path like `/opt/myApp/v1`, `/opt/myApp/v2`) that application instance would fail to authenticate the cookie. I then found `CookieAuthenticationOptions.DataProtectionProvider` but I cannot for the life of me figure out how to set it to an instance of my EF Core configured DPAPI. It seems to use the File System by default rather than the method configured in the DI container.
- Explain why this topic is needed.
The docs go into quite a bit of detail about the individual parts of this system (CookieAuth and DPAPI) but don't discuss how to put the two together.
- Suggest a location in the Table of Contents.
Between "Share cookies across different base paths" and "Share cookies across subdomains" I'd like to see something like "Share cookies in a cluster".
- Write an abstract. In one short paragraph, describe what this topic will cover.
This section would show how to configure `Microsoft.AspNetCore.DataProtection.Extensions` AND `Microsoft.AspNetCore.Authentication.Cookies` to work together when using a non-filesystem DPAPI key storage such as `Microsoft.AspNetCore.DataProtection.EntityFrameworkCore`. Specifically it should show how to set the `CookieAuthenticationOptions.DataProtectionProvider` to work with the configured DPAPI instance configured in the container.
- Create an outline for the new topic. We'll help review the outline and approve it before anyone writes a topic.
- Configure DPAPI to use EF Core / Azure Blob Storage / etc.
- Configure ASP.NET Core Identity to use Cookie Based Authentication
- Show how to get these two things to talk to each other through `CookieAuthenticationOptions.DataProtectionProvider` or explain how the default system just works.
- Bonus: discuss how to debug any issues and what log messages should be monitored at what levels.
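
Added example, not part of the issue and not code from the ASP.NET Core docs: one way to hand the container's `IDataProtectionProvider` (backed by the EF Core key store) to `CookieAuthenticationOptions.DataProtectionProvider`. The SQL Server provider, the connection string name `Keys`, and the shape of `MyDbContext` are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: every node points at the same database, so all nodes read one key ring.
builder.Services.AddDbContext<MyDbContext>(o =>
    o.UseSqlServer(builder.Configuration.GetConnectionString("Keys")));

// A fixed application name keeps the protector purpose identical on every node
// and across install paths such as /opt/myApp/v1 and /opt/myApp/v2.
builder.Services.AddDataProtection()
    .SetApplicationName("myApp")
    .PersistKeysToDbContext<MyDbContext>();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie();

// Resolve the provider registered above from DI and assign it to the named
// cookie options, so the ticket protector is derived from the shared key ring.
builder.Services
    .AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
    .Configure<IDataProtectionProvider>((options, provider) =>
        options.DataProtectionProvider = provider);

var app = builder.Build();
app.UseAuthentication();
app.Run();

// Assumed context: PersistKeysToDbContext requires IDataProtectionKeyContext.
public class MyDbContext : DbContext, IDataProtectionKeyContext
{
    public MyDbContext(DbContextOptions<MyDbContext> options) : base(options) { }

    // Table holding the XML-serialized key ring shared by all nodes.
    public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } = null!;
}
```

With ASP.NET Core Identity the cookie scheme name is `IdentityConstants.ApplicationScheme` rather than `CookieAuthenticationDefaults.AuthenticationScheme`, so the named options call would use that name instead.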