OpenIddict The token request was rejected because the authorization code or the refresh token was invalid

1.7k views

I have an ASP.NET Core 2.1 Angular 6 application hosted on an IIS server. I am having issues with my refresh token being invalid. I have an IIS ARR Round Robin cluster. Everything works when only one server is online. However, when multiple servers are online, my refresh token is only valid when requests are made to the server that issued the token.

I've added this to my startup.cs with no success:

    // Requires: using Microsoft.AspNetCore.Http;
    //           using Microsoft.AspNetCore.HttpOverrides;
    //           using Microsoft.Extensions.Primitives;
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        // Processes X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto
        ForwardedHeaders = ForwardedHeaders.All
    });

    // Header names set by the reverse proxy (ARR) in front of the application.
    string XForwardedPathBase = "X-Forwarded-PathBase";
    string XForwardedProto = "X-Forwarded-Proto";

    app.Use((context, next) =>
    {
        if (context.Request.Headers.TryGetValue(XForwardedPathBase, out StringValues pathBase))
        {
            context.Request.PathBase = new PathString(pathBase);
        }

        if (context.Request.Headers.TryGetValue(XForwardedProto, out StringValues proto))
        {
            // X-Forwarded-Proto carries the scheme ("http"/"https"), so it belongs in
            // Request.Scheme. Request.Protocol is the HTTP version ("HTTP/1.1") and
            // must not be overwritten with it.
            context.Request.Scheme = proto;
        }

        return next();
    });

1 answer

Jd Savage

The problem was that the keys were being stored on the local machine by default. In a web farm you need to save them somewhere each host can access. I added this to my startup.cs and it's working. Not sure why, but there is no option to store the key in a SQL server.

    // Requires: using System.IO;
    //           using Microsoft.AspNetCore.DataProtection;
    // Persist the Data Protection key ring to a share reachable from every node,
    // so tokens protected on one server can be unprotected on another.
    services.AddDataProtection()
        .PersistKeysToFileSystem(new DirectoryInfo(@"\\server\path\"));

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.1
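A fuller web-farm configuration of the same fix, added here as an example and not code from the question or the answer: every node shares one key ring on a UNC path, uses the same application name so the keys are not isolated per node, and encrypts the keys at rest with a certificate installed on each node (keys written to a plain file share are otherwise unencrypted XML). The UNC path, application name, certificate thumbprint and proxy address are placeholders.

```csharp
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDataProtection()
            // Same name on every node: key rings are isolated by application name,
            // so a node with a different name cannot unprotect the others' tokens.
            .SetApplicationName("my-openiddict-app")              // placeholder
            // Shared key ring that every node can read and write (placeholder path).
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\dp-keys\"))
            // Encrypt keys at rest with a certificate present on every node
            // (placeholder thumbprint; ProtectKeysWithCertificate also accepts an X509Certificate2).
            .ProtectKeysWithCertificate("0000000000000000000000000000000000000000");

        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // Only honour X-Forwarded-* headers that come from the ARR node(s);
            // without this, any client could spoof its scheme and source address.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.10"));   // placeholder
        });

        // ... services.AddOpenIddict() and authentication registration as in the project ...
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before authentication so the scheme and host OpenIddict sees
        // are the ones the client used through the load balancer.
        app.UseForwardedHeaders();
        app.UseAuthentication();
        app.UseMvc();
    }
}
```

If a node cannot read the share at startup, Data Protection silently falls back to a machine-local key ring, so the original symptom returns; checking the event log or the Data Protection log output on each node after deployment confirms that all of them load the same key ring.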