We have 2 app services that share values using data protection and a cookie. In our local development environment our solution works with Azurite, but when deployed to Azure App Service running Linux it fails with the error: "The key {GUID} was not found in the key ring". The GUID it returns is different from the one created and stored in the blob container used for sharing the data protection keys. We have not been able to figure out where the GUID originates from, but we have 2 secondary apps that both return the same GUID.
The code configuring dataprotection looks like (from Startup.cs):
string applicationName = Configuration.GetValue<string>("DataProtection:ApplicationName");
string storageUrl = Configuration.GetValue<string>("DataProtection:StorageUrl");
var client = new BlobServiceClient(new Uri(storageUrl), new DefaultAzureCredential());
var containerName = Configuration.GetValue<string>("DataProtection:ContainerName");
BlobContainerClient containerClient = client.GetBlobContainerClient(containerName);
var blobName = Configuration.GetValue<string>("DataProtection:BlobName");
BlobClient blobClient = containerClient.GetBlobClient(blobName);

services.AddDataProtection()
    .SetApplicationName(applicationName)
    .SetDefaultKeyLifetime(TimeSpan.FromDays(7))
    //.DisableAutomaticKeyGeneration()
    .PersistKeysToAzureBlobStorage(blobClient);
This part is also present in the secondary app service. The difference is that DisableAutomaticKeyGeneration() is enabled there, so only the main app creates keys.
Then in the controller we encrypt the data and store it in a variable:
var dataProtectionProvider = DataProtectionProvider.Create("config");
var protector = dataProtectionProvider.CreateProtector("Program.No-DI");
var data = "shared value";
string protectedCookie = protector.Protect(data);
HttpContext.Response.Cookies.Append("user.config", protectedCookie, options);
In the secondary app we read the cookie and on decryption it throws the error:
var dataProtectionProvider = DataProtectionProvider.Create("config");
var protector = dataProtectionProvider.CreateProtector("Program.No-DI");
try
{
    // retrieve encrypted cookie contents.
    var cookieEnc = HttpContext.Request.Cookies["user.config"];
    var cookieDec = protector.Unprotect(cookieEnc);
    ViewData["cookieDec"] = cookieDec;
}
catch (Exception ex)
{
    ViewData["cookieDec"] = ex.Message;
}
The exact message is:
The key {123abc12-12ab-12ab-ab12-12a1ab123abc} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning
Why is it asking for a different key and where does that key come from?
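An added example (my own code, not the question's and not from any Microsoft sample) showing the configuration and controller wiring that keeps both apps on the same key ring. The diagnostic point it illustrates: `DataProtectionProvider.Create("config")` is a static factory that builds a brand-new provider with the default on-disk key storage for the process, ignoring the blob-backed ring registered in DI, so each app silently generates and uses its own local key. The GUID in the error is the id of the main app's local key, which the secondary app's own local ring has never seen. Taking `IDataProtectionProvider` from DI instead routes both apps through the blob-persisted ring. Assumed names: `DataProtectionSetup`, `AddSharedDataProtection`, `ConfigController`, the `Write`/`Read` actions and the `CookieOptions` values; the configuration keys, purpose string and cookie name are the question's own.

```csharp
// Added example: share one data-protection key ring across two ASP.NET Core apps.
using System;
using System.Security.Cryptography;
using Azure.Identity;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class DataProtectionSetup   // assumed helper name
{
    // isSecondary = true in the app that must only read keys, never generate them.
    public static void AddSharedDataProtection(this IServiceCollection services,
                                               IConfiguration configuration,
                                               bool isSecondary)
    {
        string applicationName = configuration.GetValue<string>("DataProtection:ApplicationName");
        string storageUrl     = configuration.GetValue<string>("DataProtection:StorageUrl");
        string containerName  = configuration.GetValue<string>("DataProtection:ContainerName");
        string blobName       = configuration.GetValue<string>("DataProtection:BlobName");

        BlobClient blobClient = new BlobServiceClient(new Uri(storageUrl), new DefaultAzureCredential())
            .GetBlobContainerClient(containerName)
            .GetBlobClient(blobName);

        IDataProtectionBuilder builder = services.AddDataProtection()
            .SetApplicationName(applicationName)           // must be identical in both apps
            .SetDefaultKeyLifetime(TimeSpan.FromDays(7))
            .PersistKeysToAzureBlobStorage(blobClient);    // the single shared key ring

        if (isSecondary)
        {
            // Only the main app writes new keys; the secondary app reads the ring.
            builder.DisableAutomaticKeyGeneration();
        }
    }
}

// Controller: resolve IDataProtectionProvider from DI. Do not call DataProtectionProvider.Create(...);
// that creates a separate provider backed by the default local key directory, so each app ends up
// with its own key ring and the other app's key id is "not found in the key ring".
public class ConfigController : Controller   // assumed controller name
{
    private const string Purpose    = "Program.No-DI";  // must match in both apps
    private const string CookieName = "user.config";
    private readonly IDataProtector _protector;

    public ConfigController(IDataProtectionProvider provider)
    {
        _protector = provider.CreateProtector(Purpose);
    }

    // Main app: protect the value and write the cookie.
    public IActionResult Write()
    {
        string protectedValue = _protector.Protect("shared value");
        HttpContext.Response.Cookies.Append(CookieName, protectedValue, new CookieOptions
        {
            HttpOnly = true,
            Secure   = true,
            SameSite = SameSiteMode.Lax,
            // Domain = ".example.invalid"  // assumed: set a shared parent domain so both hosts receive it
        });
        return Ok();
    }

    // Secondary app: read and unprotect the cookie written by the main app.
    public IActionResult Read()
    {
        string cookieEnc = HttpContext.Request.Cookies[CookieName];
        if (cookieEnc is null)
        {
            return NotFound();
        }
        try
        {
            ViewData["cookieDec"] = _protector.Unprotect(cookieEnc);
        }
        catch (CryptographicException ex)
        {
            // Unprotect throws on an unknown key id or tampered payload; log it server-side
            // rather than rendering the message to the client outside of debugging.
            ViewData["cookieDec"] = ex.Message;
        }
        return View();
    }
}
```

Call `services.AddSharedDataProtection(Configuration, isSecondary: false)` in the main app's `ConfigureServices` and with `isSecondary: true` in each secondary app. A quick way to confirm both apps are on the same ring is to compare the key id in the blob's XML with the id reported by `IKeyManager.GetAllKeys()` in each app; if they differ, one of the apps is still building its own provider.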