
How to handle Multiple Authorization Servers to prevent Token Issued Failure


Set-up: I have two servers which both have an individual IIS instance of my .NET Core OpenId Authorization application.

There is an intermittent issue occurring whereby if the user's request started on Server 1 and, at some point during the requests, the user's request is moved over to Server 2, then authorisation fails with the following message:

    Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token

    ...

    fail: IdentityServer4.Validation.TokenRequestValidator[0]

    Invalid authorization code{ code = REDACTED }, details: {

    ...

    "GrantType": "authorization_code",
    "Error": "invalid_grant",
    "Category": "Token",
    "Name": "Token Issued Failure",
    "EventType": "Failure",

It seems that if my load balancer has moved the user over to the opposite server, then the request to /connect/token always fails with the above. However, if I take one of my servers offline and retest the authorization request, then it works perfectly well.

How do I go about allowing both of my servers to accept requests to /connect/token even if the request started on the opposite server?


Solution

  • There are many things that you need to keep track of when you use load-balancers.

    First of all you need to make sure the session cookie works across both machines and you need to provide a shared data protection key that both services use.

    Do you have one or multiple IdentityServer instances? Regardless, you should also provide a proper token signing key and not use the AddDeveloperSigningCredential method in your startup class.

    When a user is asked to sign in, the instance (with AddOpenIDConnect) should be the same instance that also handles the callback from IdentityServer (the request to /signin-oidc).

    For example the state parameter and PKCE values are not shared across the instances.

    I recently blogged about the state and nonce parameter here:
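An added example (not code from the question or the answer) of the startup wiring the answer describes: a data protection key ring shared by both IIS instances and a real signing certificate instead of AddDeveloperSigningCredential. It also persists grants to a shared database, because an authorization code issued by one instance is only known to the other if the grant store is shared; the UNC path, application name, thumbprint and connection string are placeholders, and the operational store is assumed to be the IdentityServer4.EntityFramework package.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Shared data protection keys: both IIS instances must read the same key ring,
        // otherwise a cookie or state value protected on Server 1 cannot be unprotected
        // on Server 2. The UNC path and application name are placeholders.
        services.AddDataProtection()
            .SetApplicationName("idsrv")
            .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\idsrv-keys"));

        // Production signing credential: the same certificate installed on both machines,
        // instead of AddDeveloperSigningCredential(), which generates a per-instance key.
        var signingCert = LoadSigningCertificate("THUMBPRINT-PLACEHOLDER");

        services.AddIdentityServer()
            .AddSigningCredential(signingCert)
            // Authorization codes are persisted grants. The default store is in-memory and
            // per-instance, so a code issued by Server 1 is rejected by Server 2 as
            // "invalid_grant". Assumption: a shared SQL Server database for the store.
            .AddOperationalStore(options =>
                options.ConfigureDbContext = builder =>
                    builder.UseSqlServer("CONNECTION-STRING-PLACEHOLDER"));
    }

    // Load the signing certificate from the machine store by thumbprint.
    private static X509Certificate2 LoadSigningCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var found = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count == 0)
            throw new InvalidOperationException(
                $"Signing certificate with thumbprint {thumbprint} not found.");
        return found[0];
    }
}
```

A quick check that the wiring is correct: sign in on one instance, force the load balancer to the other before /connect/token is called, and confirm the token request succeeds and the TokenRequestValidator no longer logs invalid_grant.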