@Siegfried Heintze sorry for the delay in replying - I read your follow-up question, did some more digging and then some things came up and I forgot to post it
Anyway apologies for that
I peer checked the following internally with the Identity folks.
Question: How does Microsoft.Identity.Web (wrapping MSAL) work in the scenario where a feature is encrypting (so keys are required) and the app is distributed?
References:
This doc does a fairly good job of outlining how to enable a distributed cache https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-net-token-cache-serialization?tabs=aspnetcore#distributed-token-caches
The troubleshooting guide gives a further clue https://github.com/AzureAD/microsoft-identity-web/wiki/Token-Cache-Troubleshooting#im-using-encryption-and-im-getting-deserialization-errors - quoting: "Be aware that distributed systems do not share encryption keys by default!"
Today, it isn't the [token] cache that matters (you should be able to use any cache) neither should the hosting platform matter (with the exception that some of the Data protection API functions are OS specific, where this is the case it's called out in the docs). The App [host] itself need to be configured for data protection and as part of that you also configure a key store which should be accessible for all instances of the app.
As I understand it the distributed key storage and the token cache are different concerns - the key storage is only required where a feature using encryption is turned on (an example might be csrf mitigations for asp net web apps)
For more information see this doc, I've linked the specific section for docker - hope this helps
https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0#persisting-keys-when-hosting-in-a-docker-container