401 unauthenticated errors returned after updating from 7.0.7 to 7.0.8 on every webapp deployment #10
Replies: 0 comments 5 replies
There could be multiple causes for this. I would like to start with excluding a basic configuration error. Could you please review https://docs.duendesoftware.com/dataprotection and validate that this is not a data protection issue?
@Kas-code Is this problem solved for you? If not: can you please follow up? If it is, I'd like to close the issue.
We still need to review the data protection page in the previous post. We will try to do it this week.
@Kas-code No, it isn't. But as Anders said: there can be multiple causes for this. This is just step one of the checks we have in mind.
(note: we're moving this issue to our new community discussions)
Which version of Duende IdentityServer are you using?
Currently using 7.0.8 - The issue was not happening with 7.0.7
Which version of .NET are you using?
.NET 8
Describe the bug
We are using an app service in Microsoft Azure to host our web API. Users get a token from IdentityServer to authenticate with our API.
The Webapp in Azure uses slots for deployment.
Whenever we run a deployment, we have a pipeline that deploys to the staging slot, then swaps the slots.
Using version 7.0.7 of Duende.IdentityServer this worked fine. Users who were using the webapp at the time of deployment could continue using it with no noticeable effects when the slots were swapped.
After updating to 7.0.8 of Duende.IdentityServer, if users are actively using the webapp during a deployment, then they get a 401 unauthorised error for every API request after the slots are swapped. It seems that their token becomes invalid and has to be refreshed. All users become unauthenticated after the deployment until they log out and log back in to our application or wait half an hour (half an hour seems to be the amount of time it takes for the token to automatically renew). We get a massive barrage of 401 errors observed on AppInsights with every deployment. Clearly this is a very bad user experience to have to log out and log back in whenever we release a new version of our webapp.
My guess is that something changed in version 7.0.8 of Duende.IdentityServer that causes users' auth tokens to be wiped when the deployment restarts the web server. This didn't happen in previous versions though.
As a temporary workaround, we've implemented the following in our axios global config on the front end: if any web request returns a 401, then the app performs a new silent sign-in request to refresh the user's auth token automatically, which resolves the problem of the user having to log out and log back in. However, it is not ideal, as the request that the user made at the time causing the 401 will not get through. For example, if the user was saving a record at the time, they will need to save it again.
To Reproduce
Deployment of the webapp on version 7.0.8 reproduces the issue every time.
Expected behavior
Users should be able to continue using the app after deployments with the same auth token.
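The front-end workaround described in the post above (catch the 401, perform a silent sign-in), extended so that the rejected request is replayed with the renewed token and a burst of 401s triggers only one renewal. This is an added example, not code from the original poster or from Duende; `attachRenewAndRetry`, `silentSignIn` and the `_retriedAfterRenew` flag are hypothetical names, and `client` is assumed to be an axios instance.

```javascript
// Added example (not from the thread). Hypothetical names: attachRenewAndRetry,
// silentSignIn, _retriedAfterRenew. `client` is assumed to be an axios instance;
// `silentSignIn` is assumed to resolve to a fresh access token string, e.g.
// () => userManager.signinSilent().then((u) => u.access_token) with oidc-client-ts.
function attachRenewAndRetry(client, silentSignIn) {
  let renewal = null; // one shared in-flight renewal for all concurrent 401s

  client.interceptors.response.use(
    (response) => response,
    async (error) => {
      const config = error.config;
      const status = error.response && error.response.status;

      // Pass through anything that is not a first-time 401. The flag stops a
      // retry loop when the renewed token is rejected as well.
      if (status !== 401 || !config || config._retriedAfterRenew) {
        throw error;
      }
      config._retriedAfterRenew = true;

      // The first 401 starts the silent sign-in; later 401s wait on the same
      // promise instead of each starting their own.
      if (!renewal) {
        renewal = Promise.resolve()
          .then(silentSignIn)
          .finally(() => { renewal = null; });
      }
      const accessToken = await renewal; // a failed renewal rejects the request

      // Replay the original request (same method, URL and body) with the new token.
      config.headers = config.headers || {};
      config.headers.Authorization = `Bearer ${accessToken}`;
      return client.request(config);
    }
  );
}
```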