tags:

views:

90

answers:

2
+2  Q: 

Invalid message signature when running OpenId Provider on Cluster

Introduction

We have an OpenID Provider which we created using the DotNetOpenAuth component. Everything works great when we run the provider on a single node, but when we move the provider to a load balanced cluster where multiple servers are handling requests for each session we get issue with the message signing as the DotNetOpenAuth component seems to be using something unique from each cluster node to create the signature.

Exception

DotNetOpenAuth.Messaging.Bindings.InvalidSignatureException: Message signature was incorrect.
  at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\ChannelElements\SigningBindingElement.cs:line 139
  at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\Messaging\Channel.cs:line 940
  at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\ChannelElements\OpenIdChannel.cs:line 172
  at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\Messaging\Channel.cs:line 378
  at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\RelyingParty\OpenIdRelyingParty.cs:line 493

Setup

We have the machine config setup to use the same machine key on all cluster nodes and we have setup an out of process session with SQL Server.

Question

How do we configure the key used by DotNetOpenAuth to sign its messages so that the client will trust responses from all servers in the cluster during the same session?

+1  A: 

When you create your OpenIdRelyingParty make sure you pass null in the constructor.

This puts your web site into OpenID stateless or 'dumb' mode. It's slightly slower for users to log in (if you even notice) but you avoid having to write an IRelyingPartyApplicationStore to allow DotNetOpenAuth to work across your farm;

var openIdRelyingParty = new OpenIdRelyingParty(null);
Shawn Miller  2010-03-24 19:21:58
This is not the relay party, but the provider.
Garth  2010-03-24 19:37:46
+1  A: 

You must implement IProviderApplicationStore and pass an instance of this object to the OpenIdProvider instance you create, or set the store type in your web.config file. Your implementation of this interface must provide the access to a database that all servers in your web farm share.

Andrew Arnott  2010-03-26 02:45:45
Of course it seems so obvious now that you say it, especially since we've already done the same thing for the RP. Thanks.
Garth  2010-03-26 08:14:30

related questions

Having problems with Attributes and DotNetOpenID
Implementing multi-database, multi-provider authentication system...
WSS and OpenID
rpxnow vs dotnetopenid, What do you think ?
How do i moq this DotNetOpenAuth Response object?
RememberMe with DotNetOpenId in ASP.NET MVC
DotNetOpenId ClaimedIdentifier - Is it safe to hard-code this?
DotNetOpenId -- "This message has already been processed" Error
Retrieve GMail data through DotNetOpenId
Can i request a MyOpenId persona's Avatar with dotNetOpenId?
How can i set Policy Url programmatically?
DotNetOpenID Programmatic Login
Problem installing OpenID on ASP.NET MVC Site
How can I change the ReturnUrl for OpenID?
Request email address from OpenID provider
Limited Use OpenID
Get FriendlyIdentifierForDisplay from ClaimedIdentifier in dotNetOpenId
Logging in to an OpenID site from a .net app
What is a good openid selector control?
Specifying a proxy to use with DotNetOpenID
What's the secret to getting ClaimsResponse working with DotNetOpenId?
Can I use OpenId with the ASP MembershipProvider?
How is OpenID implemented?
secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID
OpenID authentication in ASP.NET?