DuendeSoftware / Support

Support for Duende Software products

Error related to the signing key in Staging (Non-prod) environments #1371

Open nisargshah1711 opened 4 weeks ago

nisargshah1711 commented 4 weeks ago

Which version of Duende IdentityServer are you using? 7.0.6

Which version of .NET are you using? .NET 8.0

Describe the bug

"Error unprotecting the IdentityServer signing key with kid 51EE19033AA5D1582685D66DD1193DFC. This is likely due to the ASP.NET Core data protection key that was used to protect it is not available. This could occur because data protection has not been configured properly for your load balanced environment, or the IdentityServer signing key store was populated with keys from a different environment with different ASP.NET Core data protection keys. Once you have corrected the problem and if you keep getting this error then it is safe to delete the specific IdentityServer signing key with that kid."

To Reproduce

When we try to logout from one of our applications, it should redirect to the login page of IdentityServer; instead we are getting an error page (see screenshot).

Expected behavior

It should show the login page.

Log output/exception with stacktrace

"Error unprotecting the IdentityServer signing key with kid 51EE19033AA5D1582685D66DD1193DFC. This is likely due to the ASP.NET Core data protection key that was used to protect it is not available. This could occur because data protection has not been configured properly for your load balanced environment, or the IdentityServer signing key store was populated with keys from a different environment with different ASP.NET Core data protection keys. Once you have corrected the problem and if you keep getting this error then it is safe to delete the specific IdentityServer signing key with that kid."

Additional context

This problem is happening only in non production environments, also we are seeing new keys generated in keys folder. So at this moment there are 4 to 5 files in the keys folder. This could be the cause. But we need to know the exact reason why it is happening.


RolandGuijt commented 3 weeks ago

Can you please read through our doc around data protection and see if that solves the issue for you? If not, please report back.

RolandGuijt commented 1 week ago

@nisargshah1711 Did the doc solve it for you?

RolandGuijt commented 3 days ago

I'm assuming this solved the issue, so I'm closing it. If not please feel free to reopen and add to it.

nisargshah1711 commented 1 day ago

@RolandGuijt Hey, sorry for the late response. This is still not solved for us. Can you please guide me to the exact solution? I can provide you more details if you want. This is only happening in non-production environments.

RolandGuijt commented 1 day ago

You're mentioning this is happening in non-production environments. Is the key location being shared with multiple (test/staging) instances of IdentityServer? Also: looking at the screenshot it seems you're using IIS and IdentityServer might have been mapped to run in a subdirectory. Can you please check the discovery document (/.well-known/openid-configuration) and see if all the paths to the endpoints are what you would expect? If not please make sure the ForwardedHeaders middleware is in your pipeline. Please look here for more information.
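As an added example (not code from this issue or from Duende's own samples), a Program.cs sketch of the configuration the comment above points at: one data-protection key ring per environment, shared by every instance of that environment, and the ForwardedHeaders middleware ahead of IdentityServer so the discovery document reflects the public scheme and host. The configuration keys, the per-environment application name and the key paths are assumptions.

```csharp
// Program.cs (added example; paths and config keys are assumed, not the project's)
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.HttpOverrides;

var builder = WebApplication.CreateBuilder(args);

// Assumption: each environment (dev, staging, prod) has its own share for the
// data-protection key ring. If dev and staging share one ring (or one ring is
// copied between environments), a signing key protected by one environment's
// data-protection key cannot be unprotected by another, which is exactly the
// "Error unprotecting the IdentityServer signing key" message in this issue.
var dataProtectionPath = builder.Configuration["DataProtection:KeyPath"]
    ?? throw new InvalidOperationException("DataProtection:KeyPath is not configured");

builder.Services.AddDataProtection()
    // Every instance behind the load balancer reads and writes the same ring.
    .PersistKeysToFileSystem(new DirectoryInfo(dataProtectionPath))
    // Isolates this app's ring from other apps that might use the same share;
    // including the environment name keeps dev and staging rings apart.
    .SetApplicationName($"IdentityServer-{builder.Environment.EnvironmentName}");

builder.Services.AddIdentityServer(options =>
{
    // Automatic key management stores the signing keys, protected with the
    // data-protection keys configured above. Keep this store per environment
    // as well, and never commit its contents to source control.
    options.KeyManagement.Enabled = true;
    options.KeyManagement.KeyPath = builder.Configuration["IdentityServer:KeyPath"]
        ?? throw new InvalidOperationException("IdentityServer:KeyPath is not configured");
});

// Behind IIS / a reverse proxy: honour X-Forwarded-For and X-Forwarded-Proto so
// the discovery document and redirect URIs use the external scheme and host.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
});

var app = builder.Build();
app.UseForwardedHeaders();   // must run before UseIdentityServer
app.UseIdentityServer();
app.Run();
```

Once each environment has its own data-protection ring and its own signing-key store, a signing key that still fails to unprotect (as the error text says) is one left over from another environment and can be removed by its kid.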

nisargshah1711 commented 2 hours ago

Yes, it is being shared on multiple test environments (dev / staging). We use IIS server and yes, I checked the discovery point and all the endpoints are as expected. What I think the issue could be is whenever we change the code it generates a new key on local and I believe we had pushed that new key once and since then this issue started. So if I go on the server where this app is hosted, it has 3 keys in the keys folder.


Could this be a reason?