react to feedback

Author: Rick-Anderson

aspnetcore/security/data-protection/configuration/scaling.md

@@ -32,7 +32,7 @@ The following scenarios do ***NOT*** provide automatic key storage in a shared l
 
 ## Managing Data Protection keys outside the app
 
-An app with multiple instances may occasionally see an error like `System.Security.Cryptography.CryptographicException: The key {A6EF5BC2-FDCC-4C0C-A3A5-CDA9A1733D70} was not found in the key ring.`.  This can happen when instances get out of sync and data protected on one instance (e.g. an anti-forgery token) is unprotected on another instance (e.g. because a form was served from the former and posted to the latter) that doesn't yet know about that key.  When this happens, an app user may have to resubmit a form or re-authenticate (if it was an authentication token that couldn't be unprotected).
+An app with multiple instances might encounter a [System.Security.Cryptography.CryptographicException](/dotnet/api/system.security.cryptography.cryptographicexception) with the message `The key {A6EF5BC2-FDCC-4C0C-A3A5-CDA9A1733D70}` `was not found in the key ring.` This error occurs when instances become out of sync, causing data protected on one instance, such as an anti-forgery token, to fail when unprotected on another instance. This can happen, for example, if a form is served by one instance but posted to another that has not yet updated its key ring. When this issue arises, users may need to resubmit a form or re-authenticate if the issue involves an authentication token.
 
 One common reason app instances end up with different sets of keys is that, in the absence of a usable key (e.g. due to expiration, lack of access to the backing repository, etc), an instance will generate a new key of its own.  Until that key has propagated to all other instances (which can take up to two days), there's a risk that data protected with that new key will sent to an instance that doesn't know how to unprotect it.
 

aspnetcore/security/data-protection/configuration/scaling/samples/AzBlobKey/AzBlobKey.csproj

@@ -0,0 +1,17 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net9.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Azure.Extensions.AspNetCore.DataProtection.Keys" Version="1.3.0" />
+    <PackageReference Include="Azure.Identity" Version="1.13.1" />
+    <PackageReference Include="Microsoft.Extensions.Azure" Version="1.9.0" />
+	  <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="9.0.0" />
+  </ItemGroup>
+
+	
+</Project>

aspnetcore/security/data-protection/configuration/scaling/samples/AzBlobKey/Program.cs

@@ -0,0 +1,21 @@
+using Azure.Identity;
+using Microsoft.AspNetCore.DataProtection;
+
+var hostBuilder = new HostApplicationBuilder();
+
+hostBuilder.Configuration.AddJsonFile("appsettings.json", optional: false, reloadOnChange: false);
+
+var blobStorageUri = hostBuilder.Configuration["AzureURIs:BlobStorage"]!;
+var keyVaultURI = hostBuilder.Configuration["AzureURIs:KeyVault"]!;
+
+// Use the same persistence and protection mechanisms as your app
+hostBuilder.Services
+    .AddDataProtection()
+    .PersistKeysToAzureBlobStorage(new Uri(blobStorageUri), new DefaultAzureCredential())
+    .ProtectKeysWithAzureKeyVault(new Uri(keyVaultURI), new DefaultAzureCredential());
+
+using var host = hostBuilder.Build();
+
+// Perform a dummy operation to force key creation or rotation, if needed
+var dataProtector = host.Services.GetDataProtector("Default");
+dataProtector.Protect([]);

aspnetcore/security/data-protection/configuration/scaling/samples/AzBlobKey/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}