I have a .NET Core application with Angular2 UI running in a Service Fabric Cluster that I secured using OpenIddict. I followed this example: https://github.com/openiddict/openiddict-samples/tree/master/samples/RefreshFlow
It works great when I only have one instance of the stateless .NET Core application. When I increase the instance count to two, the authentication fails and I get a bunch of 401 errors. It seems that the token I receive is only good for that particular instance and is rejected on the other instance. I think I understand why this is happening, but I’m not sure how to address it.
Any help would be greatly appreciated.
OpenIddict relies on the ASP.NET Core Data Protection stack to generate and protect its authorization codes, refresh tokens and access tokens (unless you explicitly opt for JWT as the access token format).
To ensure these tokens can be read across instances, you must configure ASP.NET Core Data Protection to share the same key ring. I recommend reading the related documentation on Microsoft's website if you need more information about this procedure.