DuendeSoftware / Support

Support for Duende Software products

Refresh Token Expiry after Package update #1439

Open ali-bajwa1 opened 1 week ago

ali-bajwa1 commented 1 week ago

Which version of Duende.AccessTokenManagement are you using?

7

Which version of .NET are you using?

8

Describe the bug

We are using three authentication mechanisms to log our members into the app using Duende IdentityServer: user/password, PIN and biometrics. We recently upgraded Duende IdentityServer after the vulnerability-fix package was released. After the update, all our refresh tokens in the DB were expired in the "PersistedGrants" table ("Expiration" column). This issue is now forcing all our members to use the username/password flow.

During the upgrade we didn't notice any change in the new DB migrations or in the posts/documents related to refresh token expiry behavior. So my question is: is this expected behavior after the vulnerability-fix package update, or might there be some other possible cause?

On another note, we also changed the way we use and store the certificate for the private key that signs tokens, because our API is hosted on Azure App Service and it was throwing a "Keyset not found" error. We changed it from:

```csharp
// before: PFX bytes loaded into the machine key store only
var cert = new X509Certificate2(pfxBytes, (string)null, X509KeyStorageFlags.MachineKeySet);
```

to:

```csharp
// after: key persisted, marked exportable, and both machine and user key set flags added
X509Certificate2 cert = new X509Certificate2(file, (string)null, X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.PersistKeySet | X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable);
```

Is the above a possible cause of the tokens expiring?

The third change we made was upgrading the Duende license, which does not seem to be the cause but is worth mentioning here.

To Reproduce

1) Upgrade the Identity project from .NET 6 to .NET 8
2) Upgrade the Duende IdentityServer packages from version 6 to 7
3) Try the refresh token flow: all the refresh tokens are expired once the version is updated

Expected behavior

Refresh tokens should not expire upon upgrade.

Log output/exception with stacktrace

Duende.IdentityServer.Stores.DefaultRefreshTokenStore Failed to deserialize JSON from grant store. System.Security.Cryptography.CryptographicException: The payload was invalid. For more information go to https://aka.ms/aspnet/dataprotectionwarning at Microsoft.AspNetCore.DataProtection.Cng.CbcAuthenticatedEncryptor.DecryptImpl(Byte pbCiphertext, UInt32 cbCiphertext, Byte pbAdditionalAuthenticatedData, UInt32 cbAdditionalAuthenticatedData) at Microsoft.AspNetCore.DataProtection.Cng.Internal.CngAuthenticatedEncryptorBase.Decrypt(ArraySegment1 ciphertext, ArraySegment1 additionalAuthenticatedData) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status) at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData) at Microsoft.AspNetCore.DataProtection.DataProtectionCommonExtensions.Unprotect(IDataProtector protector, String protectedData) at Duende.IdentityServer.Stores.Serialization.PersistentGrantSerializer.Deserialize[T](String json) in /_/src/Storage/Stores/Serialization/PersistentGrantSerializer.cs:line 103 at Duende.IdentityServer.Stores.DefaultGrantStore`1.GetItemByHashedKeyAsync(String hashedKey)

Additional context

RolandGuijt commented 4 days ago

There is no known reason why the expiration column would suddenly get a value while upgrading IdentityServer or by changing the key material. However, changing the keys would render the existing tokens invalid. As a side note: we recommend using IdentityServer's automatic key management feature when you have a business license or higher. This makes sure the keys are rotated automatically.

The exception you show at the end of the issue has to do with ASP.NET Core's data protection. When the application didn't have an application name assigned and you changed the hosting/location of the application, the items in the persisted grant store can't be read anymore, since they are protected with data protection. Please read our data protection guide, which explains what I mean.
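As an added illustration that is not part of this thread, the following C# console program reproduces the failure mode described in the reply above: a value protected under one application name and read back under another fails with the same "The payload was invalid" CryptographicException as in the log, while keeping the application name (and a persisted key ring) stable leaves stored grants readable. The temp key directory, purpose string, payload and application names are constructed for the demo, and ConfigureDataProtection shows an assumed ASP.NET Core registration, not the project's own code.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public static class DataProtectionDemo
{
    // Constructed purpose string for the demo; not IdentityServer's real one.
    const string Purpose = "demo.persisted-grant";

    // One shared key ring on disk; only the application name differs between callers.
    static IDataProtector Protector(DirectoryInfo keyRing, string appName) =>
        DataProtectionProvider.Create(keyRing, b => b.SetApplicationName(appName))
                              .CreateProtector(Purpose);

    // True when a value protected under appNameBefore can still be read under appNameAfter.
    public static bool CanRoundTrip(DirectoryInfo keyRing, string appNameBefore, string appNameAfter)
    {
        // Constructed stand-in for a serialized persisted grant.
        string protectedGrant = Protector(keyRing, appNameBefore).Protect("{\"Type\":\"refresh_token\"}");
        try
        {
            Protector(keyRing, appNameAfter).Unprotect(protectedGrant);
            return true;
        }
        catch (CryptographicException ex)
        {
            // Same symptom as the log above: the key is found, but the purpose chain,
            // which includes the application name, no longer matches the ciphertext's AAD.
            Console.WriteLine($"Unprotect failed: {ex.Message}");
            return false;
        }
    }

    // Pins the application name and persists the key ring outside the deployment, so a
    // hosting move does not orphan stored grants. The path is a placeholder; on Azure
    // App Service use a shared store (e.g. blob storage) rather than local disk.
    public static void ConfigureDataProtection(IServiceCollection services)
    {
        services.AddDataProtection()
                .SetApplicationName("identityserver")
                .PersistKeysToFileSystem(new DirectoryInfo("/var/keys/identityserver"));
    }

    public static void Main()
    {
        var keyRing = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-demo-keys"));
        Console.WriteLine(CanRoundTrip(keyRing, "is-old-host", "is-old-host")); // unchanged name
        Console.WriteLine(CanRoundTrip(keyRing, "is-old-host", "is-new-host")); // name changed after a move
    }
}
```

Requires the Microsoft.AspNetCore.DataProtection.Extensions package; a missing key (rather than a mismatched application name) surfaces as a different "key was not found in the key ring" exception, which is a useful way to tell the two cases apart.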