We’re developing an ASP.NET Core website with a Web API backend, all on a cloud platform. The auth part is implemented with OpenID Connect and cookies. Every tab is a new application to reduce release and test times. For the website / applications we have a Razor class library that contains the main layout.
Debugging on localhost worked like a charm. But after deploying with 2 instances we received errors. The logging showed: “Unable to unprotect the message.State”. We found that this was documented on https://github.com/AzureAD/microsoft-identity-web/wiki/Deploying-Web-apps-to-App-services-as-Linux-containers#issue-with-scaled-out-web-apps-in-app-services. Since we used 2 instances, the encryption key of one instance was unknown to the other instance – the keys needed to be shared.
We configured the applications to use Redis for saving (and sharing) the keys. This also solved the requirement that a user should only log in once and have access to all applications.
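A sketch of what such a configuration can look like, as an added example that is not the code from this project. It uses the `Microsoft.AspNetCore.DataProtection.StackExchangeRedis` package; the configuration keys, application name, Redis key and cookie name are assumptions, and it assumes the applications are served from the same host under different paths.

```csharp
// Program.cs of each application (added example; "assumed" values are placeholders)
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using StackExchange.Redis;

var builder = WebApplication.CreateBuilder(args);

// Assumed configuration keys; supply the values from the platform's secret store.
var redis = ConnectionMultiplexer.Connect(builder.Configuration["Redis:ConnectionString"]!);
var keyCert = new X509Certificate2(
    builder.Configuration["DataProtection:CertPath"]!,
    builder.Configuration["DataProtection:CertPassword"]);

builder.Services.AddDataProtection()
    // Must be identical in every application and instance; with different
    // names the apps are isolated and cannot unprotect each other's payloads.
    .SetApplicationName("portal")                                   // assumed
    // Every instance reads and writes one key ring under this Redis key.
    .PersistKeysToStackExchangeRedis(redis, "DataProtection-Keys")  // assumed
    // Without a ProtectKeysWith* call the keys sit in Redis unencrypted.
    .ProtectKeysWithCertificate(keyCert);

builder.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        // Same cookie name and path in every application, so the cookie
        // issued by one app is sent to, and readable by, the others.
        options.Cookie.Name = ".Portal.Auth";                       // assumed
        options.Cookie.Path = "/";
    })
    .AddOpenIdConnect(options =>
    {
        options.Authority = builder.Configuration["Oidc:Authority"]; // assumed keys
        options.ClientId = builder.Configuration["Oidc:ClientId"];
        options.ResponseType = "code";
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "signed in").RequireAuthorization();
app.Run();
```

The Redis instance holding the key ring needs durable persistence and access control: if the keys are lost, every existing cookie and in-flight sign-in state becomes unreadable, and anyone who can read unencrypted keys can forge authentication cookies.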