Azure AD Authentication in Kubernetes Unable to unprotect the message.State

2/19/2020

I have a .NET Core MVC web application using Azure AD B2C authentication (via OpenID Connect). This works correctly when I run it against localhost, but when I deploy the solution to Kubernetes and try to log in I get the following error:

Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
      An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> System.Exception: Unable to unprotect the message.State.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

I have set up an NGINX ingress with SSL that forwards the traffic to the service in Kubernetes so this is acting as a reverse proxy within the cluster.

To ensure that the request's original hostname is retained I have added the following to Startup.cs:

// ConfigureServices
services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders =
        ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
    // Clearing KnownNetworks/KnownProxies makes the app trust X-Forwarded-*
    // headers from any upstream, so the pod must only be reachable via the ingress.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

// Configure: must run before UseAuthentication so the OIDC redirect_uri
// is built from the external scheme and host rather than the pod's.
app.UseForwardedHeaders();

as well as adding the following annotations to my Ingress:

    nginx.ingress.kubernetes.io/proxy_http_version: "1.1"
    nginx.ingress.kubernetes.io/proxy_set_header: "Upgrade $http_upgrade"
    nginx.ingress.kubernetes.io/proxy_set_header: "Connection keep-alive"
    nginx.ingress.kubernetes.io/proxy_set_header: "Host $host"
    nginx.ingress.kubernetes.io/proxy_cache_bypass: "$http_upgrade"
    nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-For $proxy_add_x_forwarded_for"
    nginx.ingress.kubernetes.io/proxy_set_header: "X-Forwarded-Proto $scheme"
    nginx.ingress.kubernetes.io/proxy_buffers: "16 16k"
    nginx.ingress.kubernetes.io/proxy_buffer_size: "32k"

I've also made sure that the reply URLs have been correctly configured in Azure.

Is there a step I am missing when configuring the Ingress (NGINX) that could cause this issue?

-- JPlatt99
azure-ad-b2c
c#
kubernetes
oauth

1 Answer

3/4/2020

As Chris Padgett suggested, it was due to running multiple pods; scaling down to one replica fixed the issue. I'll have to investigate sharing the data protection key between pods.

A side note for anyone reading: this ingress will still give you errors with OIDC due to the headers being too large, as the following annotations are incorrect:

    nginx.ingress.kubernetes.io/proxy_buffers: "16 16k"
    nginx.ingress.kubernetes.io/proxy_buffer_size: "32k"

They should instead be:

    nginx.ingress.kubernetes.io/proxy-buffers: "16 16k"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "32k"
-- JPlatt99
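The answer's remaining step, sharing the Data Protection key ring across replicas so that a /signin-oidc callback can be handled by a pod other than the one that issued the state, as an added example that is not code from the original question or answer. It assumes a ReadWriteMany volume mounted at /var/dataprotection-keys in every replica and a PFX certificate at /var/certs/dpkeys.pfx (both paths, the application name "b2c-mvc-app", and the method names are illustrative):

```csharp
// Added example, not part of the original post. Assumes every replica mounts
// the same ReadWriteMany volume at /var/dataprotection-keys and has the same
// PFX (with private key) at /var/certs/dpkeys.pfx; all names are illustrative.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class SharedKeyRing
{
    // Call from Startup.ConfigureServices. The OpenID Connect handler protects
    // the "state" it sends to B2C with the Data Protection key ring. With more
    // than one replica the callback can land on a pod whose ring does not hold
    // the key used to protect it, which surfaces as
    // "Unable to unprotect the message.State".
    public static IServiceCollection AddSharedDataProtection(
        this IServiceCollection services,
        string keyDirectory = "/var/dataprotection-keys",
        string pfxPath = "/var/certs/dpkeys.pfx",
        string pfxPassword = null)
    {
        var cert = new X509Certificate2(pfxPath, pfxPassword);

        services.AddDataProtection()
            // Must be identical on every replica; keys are scoped to this name.
            .SetApplicationName("b2c-mvc-app")
            // Every pod reads and writes the same key XML files on the volume.
            .PersistKeysToFileSystem(new DirectoryInfo(keyDirectory))
            // Keys are stored encrypted; read access to the volume alone is not
            // enough to forge auth cookies or OIDC state.
            .ProtectKeysWithCertificate(cert);

        return services;
    }

    // Check to run at startup on each replica (or behind an admin-only
    // endpoint): returns the IDs of keys this pod can currently use. The
    // list must be the same on every replica; a pod that reports a key ID
    // the others do not have is still using a local, unshared ring.
    public static Guid[] UsableKeyIds(IServiceProvider provider, ILogger logger)
    {
        var keyManager = provider.GetRequiredService<IKeyManager>();
        var now = DateTimeOffset.UtcNow;

        var ids = keyManager.GetAllKeys()
            .Where(k => !k.IsRevoked && k.ActivationDate <= now && k.ExpirationDate > now)
            .Select(k => k.KeyId)
            .ToArray();

        logger.LogInformation(
            "Data Protection key ring: {Count} usable key(s): {Ids}",
            ids.Length, string.Join(", ", ids));

        return ids;
    }
}

// Usage in Startup:
//   public void ConfigureServices(IServiceCollection services)
//   {
//       services.AddSharedDataProtection(pfxPassword: Configuration["DpKeys:PfxPassword"]);
//       ...
//   }
//   public void Configure(IApplicationBuilder app, ILogger<Startup> logger)
//   {
//       SharedKeyRing.UsableKeyIds(app.ApplicationServices, logger);
//       ...
//   }
```

The file-system provider is the simplest option on a cluster that can offer a ReadWriteMany volume (for example Azure Files); with only ReadWriteOnce storage, the equivalent is the Azure Blob Storage key-persistence package together with the Azure Key Vault key-protection package, which replace `PersistKeysToFileSystem` and `ProtectKeysWithCertificate` respectively. Either way the rule is the same: one application name, one key store, one key-encryption secret, shared by every replica, so that scaling back up does not reintroduce the error.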
Source: StackOverflow