DuendeSoftware / Support

Support for Duende Software products

Data Protection Api Configuration - Key not found in Key Ring #1430

Closed foomaniac closed 3 weeks ago

foomaniac commented 1 month ago

Duende Version 6

.net 6

Refresh token validation failed. The key {XXXX} was not found in the key ring

We're currently suffering from the error above when some of our clients are calling for a token using the refresh token. It appears during an update from ID Server 4 to Duende 6 to implement an enterprise licence last year, we missed the requirement to implement the correct .Net Data Protection Api configuration.

Having searched this forum and support online everything points to this, so we assume this is what we need to do to resolve it.

However, what's confusing is that only one client is currently reporting problems which tie up with these errors. While in the process of applying the missing configuration, they've discovered that reducing the token validation period has helped reduce the issues for them. Unfortunately previous knowledge of this area has left our business, so confidence is an issue with this. Something says there's going to be a painfully obvious reason for this (maybe app recycle not happening during the shorter refresh period?).

We had a couple of questions that we thought we might as well ask regarding this. The first is, with regard to the impact area, is it largely just the use of refresh tokens that this missing configuration impacts? And also, is there any sane reason why reducing the validity period would help with this problem?

We're under pressure to implement the fix whilst getting questions from the client affected and management at the moment. It seems also that for another client, the error happens a lot, but it does not impact them. I can only assume they potentially trap the error and automatically call for a new token?

Appreciate it's all a bit vague in regards to what we're posting for, but we just hoped for a bit of input on the above to help us understand the impact a bit better.

Finally, there's definitely nothing else that could cause this other than data protection api configuration?

Thank you!

Confirming the error details below:

```text
The key {xxxxxx} was not found in the key ring. For more information go to http://aka.ms/dataprotectionwarning

System.Security.Cryptography.CryptographicException:
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect (Microsoft.AspNetCore.DataProtection, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect (Microsoft.AspNetCore.DataProtection.Abstractions, Version=6.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)
   at Duende.IdentityServer.Stores.Serialization.PersistentGrantSerializer.Deserialize (Duende.IdentityServer.Storage, Version=6.3.10.0, Culture=neutral, PublicKeyToken=null: /_/src/Storage/Stores/Serialization/PersistentGrantSerializer.cs:99)
   at Duende.IdentityServer.Stores.DefaultGrantStore`1+d_21.MoveNext (Duende.IdentityServer, Version=6.3.10.0, Culture=neutral, PublicKeyToken=null: //src/IdentityServer/Stores/Default/DefaultGrantStore.cs:146)
```

foomaniac commented 1 month ago

Sorry, just to add a thought to this too: we haven't implemented automatic key management. After further reading of the upgrade guide for 4 to 6 that our developer followed, am I right in reading that if you didn't implement automatic key management, then the data protection API configuration wasn't needed? Or have I got that wrong?

If that's correct, then I reaaalllyyy don't understand these key ring errors.

RolandGuijt commented 1 month ago

The data in the persisted grant store, including refresh tokens, is protected using data protection too. That means that when the data protection configuration is changed (e.g. setting an application name), the existing data in the store can't be read anymore.

Migrating the existing data is hard. My suggestion is, if at all possible, to delete the data in the store and ask your clients to log in again, starting a new cycle of refresh tokens and other grants.
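The failure in the stack trace above (PersistentGrantSerializer.Deserialize calling Unprotect) and the explanation in this reply can be reproduced outside IdentityServer with the Data Protection API alone. The following is an added example, not code from this thread or from Duende: it protects a stand-in grant payload with one key ring and shows that a second process or instance can only unprotect it when it shares the same key directory and application name. It assumes the `Microsoft.AspNetCore.DataProtection.Extensions` package; the purpose string, directory names and the JSON payload are placeholders constructed for the demo (IdentityServer uses its own fixed purpose internally).

```csharp
// Added example: why a persisted grant protected under one key ring cannot be
// read under another. Requires package Microsoft.AspNetCore.DataProtection.Extensions.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

static class KeyRingDemo
{
    // Placeholder purpose string; Protect and Unprotect must agree on it.
    const string Purpose = "example-persisted-grant";

    // Placeholder application name; all instances that must read each other's
    // data have to use the same one.
    const string AppName = "idsrv-example";

    static void Main()
    {
        // Two separate key directories stand in for two deployments whose key
        // rings were never shared: e.g. before and after a configuration change,
        // or two app instances that each generated their own keys.
        var ringA = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-A"));
        var ringB = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-B"));

        IDataProtectionProvider providerA =
            DataProtectionProvider.Create(ringA, b => b.SetApplicationName(AppName));
        IDataProtectionProvider providerB =
            DataProtectionProvider.Create(ringB, b => b.SetApplicationName(AppName));

        // Constructed stand-in for a serialized refresh token / persisted grant.
        string protectedGrant = providerA.CreateProtector(Purpose)
            .Protect("{\"ClientId\":\"demo-client\",\"SubjectId\":\"42\"}");

        // 1) Same provider: succeeds.
        Console.WriteLine("same ring: " +
            providerA.CreateProtector(Purpose).Unprotect(protectedGrant));

        // 2) A different key ring: the key id embedded in the payload header is
        //    unknown to this provider, so Unprotect throws CryptographicException
        //    ("The key {guid} was not found in the key ring").
        try
        {
            providerB.CreateProtector(Purpose).Unprotect(protectedGrant);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("other ring: " + ex.Message);
        }

        // 3) A fresh provider over the SAME directory and application name, as a
        //    second instance or a restarted app would build: succeeds, because the
        //    persisted key is loaded back into its key ring.
        IDataProtectionProvider providerA2 =
            DataProtectionProvider.Create(ringA, b => b.SetApplicationName(AppName));
        Console.WriteLine("shared ring: " +
            providerA2.CreateProtector(Purpose).Unprotect(protectedGrant));

        // 4) Same directory but a different application name also fails: the
        //    application name is folded into the protector's purpose chain.
        IDataProtectionProvider providerA3 =
            DataProtectionProvider.Create(ringA, b => b.SetApplicationName(AppName + "-other"));
        try
        {
            providerA3.CreateProtector(Purpose).Unprotect(protectedGrant);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("other app name: " + ex.Message);
        }
    }
}
```

Case 2 is the situation in the reported error: a token was issued while one key ring was in effect and is later presented to an instance whose key ring does not contain that key, which is what happens when keys are generated per instance or per app recycle instead of being persisted to a store shared by every instance (for example with `PersistKeysToFileSystem`, `PersistKeysToAzureBlobStorage` or `PersistKeysToDbContext`, plus a fixed `SetApplicationName`). Case 4 is the situation this reply describes, where the configuration itself changes: the keys are still present, but the data written under the old configuration is no longer readable, which is why deleting the store and starting a new cycle of grants is the practical path.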

RolandGuijt commented 1 month ago

@foomaniac Would you like to add something to the issue? If not I want to close it.

AndersAbel commented 3 weeks ago

Closing this issue due to inactivity, please feel free to comment/reopen if needed.