What are the special considerations for using MSAL & Azure Active Directory with regard to Caching, Data Protection & Auto Scalers?

Siegfried Heintze 1,906 Reputation points
2023-07-05T18:18:00.5+00:00

Background:

Back in Aug 2021 I had a terrible time enhancing a simple Azure AD demo (https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/4-WebApp-your-API/4-2-B2C/README.md) to run inside a Kubernetes replica set. After filing a support ticket in Oct 2021, I was able to make the sample work in late Feb 2022 by abandoning the NuGet package for Redis caching in favor of the StackExchange NuGet package for Redis caching, with the guidance from Microsoft support (it took months of staring at deep stack traces with many Microsoft Support Specialists).

Questions:

  1. As I recently learned from Ben (https://learn.microsoft.com/en-us/answers/questions/587801/how-to-run-nodejs-in-kubernetes-replica-set-with-a), the problem was that MSAL uses data protection. Can I assume that a cache that implements the data protection is also required for Azure Container Apps and App Service scale sets (for function apps and web apps) if I am authenticating with MSAL?
  2. As I explained above, the solution was to use a cache that supported the data protection feature required by MSAL, which (at the time) did not include the Microsoft NuGet package for Redis. So which caches support the MSAL data protection requirement today? What about these caches: https://learn.microsoft.com/en-us/aspnet/core/performance/caching/distributed?view=aspnetcore-7.0? This list does not include the Cosmos cache (https://learn.microsoft.com/en-us/azure/cosmos-db/nosql/session-state-and-caching-provider), which makes me worried that maybe the Cosmos cache does not support data protection.

It would sure be nice if those last two web pages explicitly stated that they support (or don't support) the data protection feature required by MSAL.

Thanks

Siegfried


Accepted answer
  1. Ben Gimblett 4,540 Reputation points Microsoft Employee
    2023-07-26T09:05:56.99+00:00

    @Siegfried Heintze, sorry for the delay in replying. I read your follow-up question, did some more digging, and then some things came up and I forgot to post it.

    Anyway, apologies for that.

    I peer checked the following internally with the Identity folks.

    Question: How does Microsoft.Identity.Web (wrapping MSAL) work in the scenario where a feature is encrypting (so keys are required) and the app is distributed?

    References:

    This doc does a fairly good job of outlining how to enable a distributed cache https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnetcore#distributed-token-caches

    The troubleshooting guide gives a further clue https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting#im-using-encryption-and-im-getting-deserialization-errors  - quoting: "Be aware that distributed systems do not share encryption keys by default!"

    Today, it isn't the [token] cache that matters (you should be able to use any cache), nor should the hosting platform matter (with the exception that some of the Data Protection API functions are OS-specific; where this is the case it's called out in the docs). The app [host] itself needs to be configured for data protection, and as part of that you also configure a key store which should be accessible to all instances of the app.

    As I understand it, the distributed key storage and the token cache are different concerns: the key storage is only required where a feature using encryption is turned on (an example might be CSRF mitigations for ASP.NET web apps).

    For more information see this doc, I've linked the specific section for docker - hope this helps
    https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0#persisting-keys-when-hosting-in-a-docker-container
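The wiring the accepted answer describes, as an added example (this is not code from the question, the answer, or the Microsoft sample the question links to): an ASP.NET Core `Program.cs` that configures Microsoft.Identity.Web with a distributed token cache, turns on encryption of the cached tokens, and points ASP.NET Core Data Protection at a key ring that every replica can reach. The application name, configuration keys (`AzureAd`, `DownstreamApi:Scopes`, `Redis`, `DataProtection:BlobUri`, `DataProtection:KeyVaultKeyUri`) and the NuGet packages listed in the header comment are assumptions for the example. The `Encrypt` option on `MsalDistributedTokenCacheAdapterOptions` is the setting that makes the token cache depend on Data Protection at all; with it off, the cache is just serialized bytes in whatever `IDistributedCache` is registered.

```csharp
// Added example, not code from the original page or from Microsoft.Identity.Web itself.
// Assumed NuGet packages: Microsoft.Identity.Web, Microsoft.Identity.Web.TokenCache,
// Microsoft.Extensions.Caching.StackExchangeRedis,
// Azure.Extensions.AspNetCore.DataProtection.Blobs,
// Azure.Extensions.AspNetCore.DataProtection.Keys, Azure.Identity.
// Assumed configuration keys: AzureAd, DownstreamApi:Scopes, Redis,
// DataProtection:BlobUri, DataProtection:KeyVaultKeyUri.

using Azure.Identity;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.TokenCacheProviders.Distributed;

var builder = WebApplication.CreateBuilder(args);
var config = builder.Configuration;

// One identity for the pod/instance; in AKS or App Service this resolves to a
// managed identity, on a developer box to the signed-in Azure CLI / VS user.
var credential = new DefaultAzureCredential();

// 1. Data Protection: the part that has to be shared across replicas.
//    Without PersistKeysTo..., each instance creates its own key ring (in a local
//    directory inside the container, which is also lost on restart), so a cache
//    entry protected by replica A cannot be unprotected by replica B and the
//    token cache adapter reports a deserialization error.
builder.Services.AddDataProtection()
    // Same application name on every instance, otherwise keys are isolated per app.
    .SetApplicationName("contoso-webapp")
    // Key ring XML lives in one blob that all instances read and write.
    .PersistKeysToAzureBlobStorage(new Uri(config["DataProtection:BlobUri"]!), credential)
    // Key ring is itself encrypted at rest with a Key Vault key (wrap/unwrap).
    .ProtectKeysWithAzureKeyVault(new Uri(config["DataProtection:KeyVaultKeyUri"]!), credential);

// 2. Distributed cache backend. Any IDistributedCache implementation works here;
//    this one is the StackExchange.Redis provider the question ended up using.
builder.Services.AddStackExchangeRedisCache(options =>
{
    options.Configuration = config["Redis"];   // e.g. "myredis.redis.cache.windows.net:6380,ssl=true,..."
    options.InstanceName = "msal:";            // key prefix, keeps token cache entries identifiable
});

// 3. Microsoft.Identity.Web: OpenID Connect sign-in, token acquisition for a
//    downstream API, and the MSAL token cache backed by IDistributedCache.
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(config.GetSection("AzureAd"))
    .EnableTokenAcquisitionToCallDownstreamApi(
        config.GetSection("DownstreamApi:Scopes").Get<string[]>())
    .AddDistributedTokenCaches();

// Encrypting cache entries at rest uses IDataProtector, which is exactly why
// step 1 must point at a shared key ring before this is switched on.
builder.Services.Configure<MsalDistributedTokenCacheAdapterOptions>(options =>
{
    options.Encrypt = true;
    options.SlidingExpiration = TimeSpan.FromHours(1);
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();
```

Two things to check when rolling this out. The instance identity needs data-plane rights on both stores (read/write on the key-ring blob and wrap/unwrap on the Key Vault key); a missing Key Vault permission surfaces at startup as a Data Protection error, not as an MSAL error. And the same `SetApplicationName` value and the same blob URI must be in every replica's configuration, whether that is a Kubernetes ReplicaSet, an App Service scale-out, or Container Apps; the hosting platform does not change the requirement, as the answer above says.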

