Share ASP.NET Core data protection between applications without breaking existing cookies and tokens
We are using ASP.NET Core Data Protection in combination with ASP.NET Core Identity with Cookie Authentication in an ASP.NET Core web application. We also send Reset-Password links using ASP.NET Core Identity, which uses the data protection keys for that. We persist the data protection keys in our database using Entity Framework. By storing the keys in the database, we don't have any issues when swapping deployment slots in Azure.
services
.AddDataProtection()
.PersistKeysToDbContext<KeysContext>();
This all works as expected and we are running in production for several years already.
We now have a new feature, where the user can delay the sending of invitation links for new users. These generated invitation links use the ResetPassword token provider from ASP.NET Identity. We are using an Azure Function for that, where the invitation links are generated and sent in the Azure Function at a later point in time.
var token = await this.userManager.GeneratePasswordResetTokenAsync(user);
The problem now is that the Azure Function needs to use the same data protection keys as the web application, since the generated ResetPassword tokens are later "consumed" and verified in the web application. This can be done using the ApplicationDiscriminator when configuring the data protection. Every application (i.e. our web application and our Azure Function) needs to use the same ApplicationDiscriminator:
services
.AddDataProtection(o => o.ApplicationDiscriminator = "Our-Application-Name")
.PersistKeysToDbContext<KeysContext>();
But when we now set the ApplicationDiscriminator in our existing and running web application for the first time to "Our-Application-Name", all our already sent tokens (Invitations, Reset Password, Change Email, ...) will become invalid, our ASP.NET Core Identity cookie will also become invalid, and all users will get logged out.
Is there any way of telling the Azure Function to use the same data protection keys as the web application without changing or breaking the existing tokens in the web application?
Solution 1:[1]
We found a pretty hacky solution to not break the existing tokens and cookies in the web application: Instead of specifying the ApplicationDiscriminator in the web application and in the Azure Function explicitly, we specify the ApplicationDiscriminator only in the Azure Function and set it to "D:\home\site\wwwroot".
This value is the default value in the web application when no value is specified, since the default implementation in ASP.NET Core data protection uses the HostingApplicationDiscriminator, which uses the IHostEnvironment.ContentRootPath property. For an Azure deployment, this ContentRootPath is set to "D:\home\site\wwwroot" by default.
We are not very happy with this approach, since this seems like a hack, but it's still better than breaking all tokens and cookies by specifying the ApplicationDiscriminator explicitly.
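The behaviour the question and the answer both rely on can be reproduced outside Azure. Sharing the key store is not enough on its own: the ApplicationDiscriminator is prepended to the purpose chain of every protector, so two applications reading the same keys but using different discriminators derive different subkeys and cannot unprotect each other's payloads. The console program below is an added example and is not code from the original question or answer. It uses a temporary directory as the shared key store in place of the KeysContext table, `DataProtectionProvider.Create` from the Microsoft.AspNetCore.DataProtection.Extensions package, and `SetApplicationName`, which sets the same DataProtectionOptions.ApplicationDiscriminator property as the lambda in the question. The purpose string, the payload, and the directory name are constructed for the example.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Added example: three providers over ONE key store, differing only in
// their ApplicationDiscriminator. The directory stands in for the shared
// database table used by PersistKeysToDbContext<KeysContext>().
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "shared-dp-keys"));
keyDir.Create();

// The web application and the Azure Function, both configured with the
// same explicit discriminator (the approach the question proposes).
var webApp = DataProtectionProvider.Create(keyDir,
    b => b.SetApplicationName("Our-Application-Name"));
var azureFunction = DataProtectionProvider.Create(keyDir,
    b => b.SetApplicationName("Our-Application-Name"));

// A provider with a different discriminator. In the answer's scenario this
// is the value the web app implicitly had before anyone set one: its
// ContentRootPath, "D:\home\site\wwwroot" on Azure App Service.
var oldWebApp = DataProtectionProvider.Create(keyDir,
    b => b.SetApplicationName(@"D:\home\site\wwwroot"));

// Identity's DataProtectorTokenProvider protects tokens under a purpose of
// its own; a constructed purpose string is used here to stand in for it.
const string purpose = "DataProtectorTokenProvider";
const string payload = "constructed-reset-token-payload";

// Token generated in the Azure Function...
string token = azureFunction.CreateProtector(purpose).Protect(payload);

// ...is accepted by the web app with the same discriminator.
string roundTrip = webApp.CreateProtector(purpose).Unprotect(token);
Console.WriteLine($"same discriminator: {roundTrip == payload}");

// ...but rejected by a provider with a different discriminator, even though
// it reads the very same key ring. This is exactly what happens to every
// existing cookie and token when the web app's discriminator changes.
try
{
    oldWebApp.CreateProtector(purpose).Unprotect(token);
    Console.WriteLine("different discriminator: unexpectedly accepted");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"different discriminator: rejected ({ex.GetType().Name})");
}
```

The practical check this gives you before touching production: run the program with `oldWebApp` configured to whatever discriminator your deployed web app is actually using (either the value you set, or its ContentRootPath if you never set one) and confirm a token from the new Azure Function configuration unprotects cleanly. If it throws, the Function and the web app are not on the same purpose chain, regardless of which database the keys live in.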
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | M.E. |
