IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Question : Load-balancing issue when calling API : Access Denied #37

Closed matthieuklotz closed 9 years ago

matthieuklotz commented 9 years ago

I have hosted my API and Identity Server v3 on the same website and deployed it on an Azure Web App. Everything works fine when I only have one instance of my web application, but when I scale it to two or more instances, I may get an Unauthorized HTTP response when calling the API (idsrv always returns a token, so no problem with it).

This is the client code :

using System;
using System.Globalization;
using System.Net.Http;
using Thinktecture.IdentityModel.Client; // OAuth2Client and the SetBearerToken extension

// Obtain a token with the client credentials flow, then call the API with it.
OAuth2Client client = new OAuth2Client(new Uri("https://<host>/idsrv/connect/token"), "clientId", "clientSecret");
TokenResponse response = client.RequestClientCredentialsAsync("scope").Result;
using (HttpClient webClient = new HttpClient())
{
    webClient.SetBearerToken(response.AccessToken);
    Uri webApiUri = new Uri("https://<host>" + string.Format(CultureInfo.InvariantCulture, "/account/user"));
    HttpResponseMessage httpResponse = webClient.GetAsync(webApiUri).Result;
}

The API is secured by using UseIdentityServerBearerTokenAuthentication. The machine key is synchronized between all instances of the web application (it is set in web.config).

Is there someone who has already had this load-balancing issue? I do not have any clue how to solve it :/ Thanks in advance for your reply. Best regards.

leastprivilege commented 9 years ago

See here: https://identityserver.github.io/Documentation/docs/advanced/deployment.html

Are you using JWTs or reference tokens?

matthieuklotz commented 9 years ago

We are using JWT tokens. I've checked the deployment document. The following points follow the document:

In the Startup.config, IdentityServer is mapped on /idsrv with:

application.Map("/idsrv", app =>
{
    // Setting factory options, etc., then:
    app.UseIdentityServer(options);
});

The API is mapped on the root folder.

matthieuklotz commented 9 years ago

OK sorry... I did not see that the client we use is configured to use reference tokens... I'll change it to JWTs.

Edit: issue solved, it was due to the reference tokens...
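The root cause in this thread is that a reference token is an opaque handle stored server-side, so with IdentityServer3's default in-memory token handle store each instance only knows the handles it issued itself, and a request routed to another instance is rejected. A JWT is self-contained and can be verified by any instance that has the signing certificate. The following is an added example (not code from this thread or from the IdentityServer project) showing the client definition in the failing configuration beside the corrected one, plus the API-side middleware set to validate JWTs locally. The host, client id, secret and scope are placeholders taken from the thread; the class name ScaleOutConfig is an assumption.

```csharp
using System.Collections.Generic;
using IdentityServer3.Core;                  // Sha256() extension for secrets
using IdentityServer3.Core.Models;
using IdentityServer3.AccessTokenValidation; // UseIdentityServerBearerTokenAuthentication, ValidationMode
using Owin;

public static class ScaleOutConfig
{
    // Client as it was configured when the problem occurred: reference tokens.
    // The API must resolve the opaque handle through the token validation
    // endpoint, which looks it up in that instance's token handle store. With
    // the default in-memory store, a handle issued by instance A is unknown to
    // instance B, so a load-balanced request to B gets 401 Unauthorized.
    public static Client ReferenceTokenClient()
    {
        return new Client
        {
            ClientId = "clientId",                                          // placeholder from the thread
            ClientSecrets = new List<Secret> { new Secret("clientSecret".Sha256()) },
            Flow = Flows.ClientCredentials,
            AllowedScopes = new List<string> { "scope" },
            AccessTokenType = AccessTokenType.Reference
        };
    }

    // Corrected client: self-contained JWTs. Every instance validates the
    // signature against the shared signing certificate, so no per-instance
    // server-side token state is involved.
    public static Client JwtClient()
    {
        Client client = ReferenceTokenClient();
        client.AccessTokenType = AccessTokenType.Jwt;
        return client;
    }

    // Resource (API) side: validate JWTs locally using the issuer's discovery
    // metadata rather than calling the validation endpoint per request.
    public static void ConfigureApi(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://<host>/idsrv", // placeholder host from the thread; IdentityServer is mapped on /idsrv
            RequiredScopes = new[] { "scope" },
            ValidationMode = ValidationMode.Local
        });
    }
}
```

If reference tokens are genuinely needed (for example, so that a token can be revoked before it expires), the alternative fix is to keep AccessTokenType.Reference and register a token handle store that all instances share, by setting TokenHandleStore on the IdentityServerServiceFactory to an ITokenHandleStore implementation backed by a common database instead of the default in-memory one. Either way, the check to make before scaling out is: does every instance that can receive the request have what it needs to validate the token, a shared signing certificate for JWTs or a shared store for reference tokens.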