Error unprotecting key with kid

[sreejusreekumar]

Identity Server 6.0

.Net 6.0

We operate an Identity Server within a load-balanced environment. To facilitate token validation for requests arriving at the servers, especially those not originating from the generated token, we've implemented a data protection mechanism and stored the keys at the database level. We are encountering the following exception reported by the Identity Server regularly. We haven't identified a solution to address the issue and would like to collaborate with the team to explore possible resolutions.

Log output/exception with stacktrace

Error unprotecting key with kid <xxxxxxxxxxx>.
System.Security.Cryptography.CryptographicException: The key xxxxxxxxxxx> was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData)
   at Duende.IdentityServer.Services.KeyManagement.DataProtectionKeyProtector.Unprotect(SerializedKey key) in /_/src/IdentityServer/Services/Default/KeyManagement/DataProtectionKeyProtector.cs:line 75
   at Duende.IdentityServer.Services.KeyManagement.KeyManager.<GetKeysFromStoreAsync>b__20_0(SerializedKey x) in /_/src/IdentityServer/Services/Default/KeyManagement/KeyManager.cs:line

[AndersAbel]

The error message indicates that there are IdentityServer signing keys in the store that cannot be read with any of the accessible data protection keys. This is typically caused when the data protection is not properly wired up to share the data protection keys between the nodes in a load balanced environment. Please note that the identity server signing keys and the data protection keys are two different sets of keys; the latter is used to encrypt the former.

If you have recently updated your data protection key configuration this can also be caused by stale data that was created with keys no longer accessible with the new configuration. The easiest in that case is to simply remove the old records from the database. If that would cause unacceptable interruptions to the environment it is possible to migrate the data protection keys (but not trivial).

[sreejusreekumar]

We've previously removed old records from the dbo.keys, but the issue still persists in the system. Are there additional steps we can take to migrate data protection keys? Moreover, is there documentation available on configuring data protection so that we can revalidate the current system configuration?

[AndersAbel]

If you have removed stale/old records from the keys table after changing the data protection setup the problem should go away. I think that revalidating the data protection setup is a good idea. We have an overview page in our documentation. It describes how IdentityServer uses data protection and contains links to the relevant Microsoft documentation on data protection configuration.

[josephdecock]

Any update here? Can we close this issue?

[josephdecock]

Closing due to inactivity, but feel free to reopen if necessary.