views:

90

answers:

2

Introduction

We have an OpenID Provider which we created using the DotNetOpenAuth component. Everything works great when we run the provider on a single node, but when we move the provider to a load balanced cluster where multiple servers are handling requests for each session we get issue with the message signing as the DotNetOpenAuth component seems to be using something unique from each cluster node to create the signature.

Exception

DotNetOpenAuth.Messaging.Bindings.InvalidSignatureException: Message signature was incorrect.
  at DotNetOpenAuth.OpenId.ChannelElements.SigningBindingElement.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\ChannelElements\SigningBindingElement.cs:line 139
  at DotNetOpenAuth.Messaging.Channel.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\Messaging\Channel.cs:line 940
  at DotNetOpenAuth.OpenId.ChannelElements.OpenIdChannel.ProcessIncomingMessage(IProtocolMessage message) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\ChannelElements\OpenIdChannel.cs:line 172
  at DotNetOpenAuth.Messaging.Channel.ReadFromRequest(HttpRequestInfo httpRequest) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\Messaging\Channel.cs:line 378
  at DotNetOpenAuth.OpenId.RelyingParty.OpenIdRelyingParty.GetResponse(HttpRequestInfo httpRequestInfo) in c:\BuildAgent\work\7ab20c0d948e028f\src\DotNetOpenAuth\OpenId\RelyingParty\OpenIdRelyingParty.cs:line 493

Setup

We have the machine config setup to use the same machine key on all cluster nodes and we have setup an out of process session with SQL Server.

Question

How do we configure the key used by DotNetOpenAuth to sign its messages so that the client will trust responses from all servers in the cluster during the same session?

+1  A: 

When you create your OpenIdRelyingParty make sure you pass null in the constructor.

This puts your web site into OpenID stateless or 'dumb' mode. It's slightly slower for users to log in (if you even notice) but you avoid having to write an IRelyingPartyApplicationStore to allow DotNetOpenAuth to work across your farm;

var openIdRelyingParty = new OpenIdRelyingParty(null);
Shawn Miller
This is not the relay party, but the provider.
Garth
+1  A: 

You must implement IProviderApplicationStore and pass an instance of this object to the OpenIdProvider instance you create, or set the store type in your web.config file. Your implementation of this interface must provide the access to a database that all servers in your web farm share.

Andrew Arnott
Of course it seems so obvious now that you say it, especially since we've already done the same thing for the RP. Thanks.
Garth