.NET 5 Unable to unprotect the message.State when trying the sign-in callback


We are running an Azure app service (Linux) which is used for authentication and authorization. It is using Microsoft Identity to use Azure AD authentication, so we are using Azure AD OIDC. A couple of months ago we didn't have any problems, but when we added Front Door and scaled our app service to 3 instances, this started happening: "Unable to unprotect the message.State".

This error happens as soon as we land on our page, because when you open it, it will redirect you to Azure AD to sign in. The weird thing is, when you refresh the page one or two times, it goes through and signs you in without the error.

Our latest setup looks like this: startup.cs (https://i.stack.imgur.com/doVNb.png)

with Redis as the store for keys.

Did anyone have this kind of problem after using Data Protection?

We followed the answers from here https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#issue-with-scaled-out-web-apps-in-app-services and tried Data Protection with: Azure Blob Storage with Azure Key Vault and without, tried storing the keys in our DB, and in the end tried Redis, but none of those solutions worked. Also, session affinity is on.

Tore Nestenius:

When you have multiple instances of the client, you must ensure that the Data Protection API is configured to use the same shared encryption key across all the instances. Otherwise the state parameter can't be decrypted.

I recently blogged about the state parameter and how it is encrypted at:

Demystifying OpenID Connect’s State and Nonce Parameters in ASP.NET Core

See this post about configuring the Data Protection API here:

Configure ASP.NET Core Data Protection
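As an added illustration of the shared-key-ring configuration the answer describes (this is example code, not the asker's Startup.cs and not Tore Nestenius's code): every instance persists its keys to the same Redis key and uses the same application name, so a state value protected by one instance behind Front Door can be unprotected by any other. The Redis connection string, the `DataProtection-Keys` Redis key name and the `my-auth-app` application name are placeholders; the example assumes the `Microsoft.AspNetCore.DataProtection.StackExchangeRedis`, `StackExchange.Redis` and `Microsoft.Identity.Web` packages.

```csharp
// Added example for a .NET 5 Startup.cs (not the original poster's code).
// Assumes packages: Microsoft.AspNetCore.DataProtection.StackExchangeRedis,
// StackExchange.Redis, Microsoft.Identity.Web. Connection string, Redis key
// name and application name are placeholders.
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Identity.Web;
using StackExchange.Redis;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services)
    {
        // One shared Redis (placeholder config key "Redis:ConnectionString").
        var redis = ConnectionMultiplexer.Connect(_configuration["Redis:ConnectionString"]);

        services.AddDataProtection()
            // Every instance reads and writes the same key ring, so a key
            // created by instance A is visible to instances B and C.
            .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")
            // Same discriminator on every instance. Without this the default
            // (derived from the content root path) can keep instances from
            // using each other's keys even though they share the store.
            .SetApplicationName("my-auth-app");

        // Microsoft Identity Web wires up the Azure AD OIDC handler; the OIDC
        // state parameter is protected with the Data Protection keys above.
        services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApp(_configuration.GetSection("AzureAd"));

        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app, IKeyManager keyManager, ILogger<Startup> logger)
    {
        // Check: log the key ring each instance sees at startup. With a
        // correctly shared store, all three instances log the same key IDs;
        // differing IDs mean the instances are not sharing keys.
        foreach (IKey key in keyManager.GetAllKeys())
        {
            logger.LogInformation(
                "Data Protection key {KeyId} created {Created:u} expires {Expires:u} revoked={Revoked}",
                key.KeyId, key.CreationDate, key.ExpirationDate, key.IsRevoked);
        }

        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

The startup log is the quickest way to confirm the fix in a scaled-out deployment: compare the logged key IDs across instances in App Service log streaming. If the IDs match but "Unable to unprotect the message.State" persists, the next thing to compare is the application name, since the purpose chain used to derive the state-protection key includes it.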