Works locally, but fails in deployed container with IDX10500

[Jogai]

The validation keeps throwing "IDX10500: Signature validation failed. No security keys were provided to validate the signature."

This one is really baffling to me. I tried everything I could find, but what seems to be fairly simple is really hard to get working. Although it should be simple, your library is seemingly the only one that implements the whole 'validate against a jwksuri' -case.

Locally this works fine. The problem is that the container (based on 'mcr.microsoft.com/dotnet/aspnet:8.0') deployed will not work.

dotnet minimal api setup:

CryptoProviderFactory.Default.CacheSignatureProviders = false;
IdentityModelEventSource.ShowPII = true;

builder.Services.AddDataProtection();

builder.Services.AddMemoryCache();

builder.Services.AddJwksManager()
	.UseJwtValidation();

builder.Services.AddAuthentication(options =>
{
	options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
	options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
	options.SaveToken = true;

	options.SetJwksOptions(
		new JwkOptions
		{
			Audience = "audience", Issuer = "https://keycloak.myProduct.eu/realms/myProduct",
			JwksUri = "https://keycloak.myProduct.eu/realms/myProduct/protocol/openid-connect/certs",
			KeepFor = TimeSpan.FromHours(1)
		});
	options.TokenValidationParameters = new TokenValidationParameters
	{
		ValidateIssuer = false,
		ValidateAudience = false,
		ValidateLifetime = false,
		ValidateIssuerSigningKey = true,
		ValidIssuer = "https://keycloak.myProduct.eu/realms/myProduct",
		ValidAudience = "account",
		ClockSkew = TimeSpan.FromHours(2)
	};

	options.Events = new JwtBearerEvents
	{
		OnAuthenticationFailed = c => c.Response.WriteAsync(JsonConvert.SerializeObject(c.Exception)),
	};
});
builder.Services.AddAuthorization();

log:

2024-04-17 22:06:41
warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-04-17 22:06:41
Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning
2024-04-17 22:06:41
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[62]
2024-04-17 22:06:41
User profile is available. Using '/root/.aspnet/DataProtection-Keys' as key repository; keys will not be encrypted at rest.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[53]
2024-04-17 22:06:41
Repository contains no viable default key. Caller should generate a key with immediate activation.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[57]
2024-04-17 22:06:41
Policy resolution states that a new key should be added to the key ring.
2024-04-17 22:06:41
info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58]
2024-04-17 22:06:41
Creating key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} with creation date 2024-04-17 22:06:41Z, activation date 2024-04-17 22:06:41Z, and expiration date 2024-07-16 22:06:41Z.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[32]
2024-04-17 22:06:41
Descriptor deserializer type for key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} is 'Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60'.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[34]
2024-04-17 22:06:41
No key escrow sink found. Not writing key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} to escrow.
2024-04-17 22:06:41
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
2024-04-17 22:06:41
No XML encryptor configured. Key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} may be persisted to storage in unencrypted form.
2024-04-17 22:06:41
info: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[39]
2024-04-17 22:06:41
Writing data to file '/root/.aspnet/DataProtection-Keys/key-e92cdd27-bdba-48e6-a9f5-3dc207e12223.xml'.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[23]
2024-04-17 22:06:41
Key cache expiration token triggered by 'CreateNewKey' operation.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
2024-04-17 22:06:41
Reading data from file '/root/.aspnet/DataProtection-Keys/key-e92cdd27-bdba-48e6-a9f5-3dc207e12223.xml'.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[18]
2024-04-17 22:06:41
Found key {e92cdd27-bdba-48e6-a9f5-3dc207e12223}.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.DefaultKeyResolver[13]
2024-04-17 22:06:41
Considering key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} with expiration date 2024-07-16 22:06:41Z as default key.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.TypeForwardingActivator[0]
2024-04-17 22:06:41
Forwarded activator type request from Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60 to Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Culture=neutral, PublicKeyToken=adb9793829ddae60
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptorFactory[11]
2024-04-17 22:06:41
Using managed symmetric algorithm 'System.Security.Cryptography.Aes'.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ManagedAuthenticatedEncryptorFactory[10]
2024-04-17 22:06:41
Using managed keyed hash algorithm 'System.Security.Cryptography.HMACSHA256'.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingProvider[2]
2024-04-17 22:06:41
Using key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} as the default key.
2024-04-17 22:06:41
dbug: Microsoft.AspNetCore.DataProtection.Internal.DataProtectionHostedService[65]
2024-04-17 22:06:41
Key ring with default key {e92cdd27-bdba-48e6-a9f5-3dc207e12223} was loaded during application startup.
2024-04-17 22:06:41
warn: Microsoft.AspNetCore.Hosting.Diagnostics[15]
2024-04-17 22:06:41
Overriding HTTP_PORTS '8080' and HTTPS_PORTS ''. Binding to values defined by URLS instead 'http://0.0.0.0:5001'.
2024-04-17 22:06:42
dbug: Microsoft.AspNetCore.Hosting.Diagnostics[13]
2024-04-17 22:06:42
Loaded hosting startup assembly myProduct.Platform.Web
2024-04-17 22:07:10
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[39]
2024-04-17 22:07:10
Connection id "0HN2V5AT6MJH7" accepted.
2024-04-17 22:07:10
dbug: Microsoft.AspNetCore.Server.Kestrel.Connections[1]
2024-04-17 22:07:10
Connection id "0HN2V5AT6MJH7" started.
2024-04-17 22:07:10
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
2024-04-17 22:07:10
Request starting HTTP/1.1 GET http://demo.myProduct.eu/api/BillOfLading - - -
2024-04-17 22:07:10
dbug: Microsoft.AspNetCore.HostFiltering.HostFilteringMiddleware[0]
2024-04-17 22:07:10
Wildcard detected, all requests with hosts will be allowed.
2024-04-17 22:07:10
warn: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[60]
2024-04-17 22:07:10
Storing keys in a directory '/root/.aspnet/DataProtection-Keys' that may not be persisted outside of the container. Protected data will be unavailable when container is destroyed. For more information go to https://aka.ms/aspnet/dataprotectionwarning
2024-04-17 22:07:10
dbug: Microsoft.AspNetCore.DataProtection.Repositories.FileSystemXmlRepository[37]
2024-04-17 22:07:10
Reading data from file '/root/.aspnet/DataProtection-Keys/key-e92cdd27-bdba-48e6-a9f5-3dc207e12223.xml'.
2024-04-17 22:08:10
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
2024-04-17 22:08:10
Failed to validate the token.
2024-04-17 22:08:10
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignature(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateSignatureAndIssuerSecurityKey(String token, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
2024-04-17 22:08:10
--- End of stack trace from previous location ---
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
2024-04-17 22:08:10
at NetDevPack.Security.Jwt.AspNetCore.JwtServiceValidationHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
2024-04-17 22:08:10
at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenAsync(String token, TokenValidationParameters validationParameters)
2024-04-17 22:08:10
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
2024-04-17 22:08:10
Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
2024-04-17 22:08:10
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
2024-04-17 22:08:10
1 candidate(s) found for the request path '/api/BillOfLading'
2024-04-17 22:08:10
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1005]
2024-04-17 22:08:10
Endpoint 'myProduct.Platform.Web.Controllers.BillOfLadingController.GetBillOfLadings (myProduct.Platform.Web)' with route pattern 'api/BillOfLading' is valid for the request path '/api/BillOfLading'
2024-04-17 22:08:10
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
2024-04-17 22:08:10
Request matched endpoint 'myProduct.Platform.Web.Controllers.BillOfLadingController.GetBillOfLadings (myProduct.Platform.Web)'
2024-04-17 22:08:10
dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0]
2024-04-17 22:08:10
Policy authentication schemes did not succeed
2024-04-17 22:08:10
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-04-17 22:08:10
Authorization failed. These requirements were not met:
2024-04-17 22:08:10
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
2024-04-17 22:08:10
fail: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[1]
2024-04-17 22:08:10
An unhandled exception has occurred while executing the request.
2024-04-17 22:08:10
System.InvalidOperationException: StatusCode cannot be set because the response has already started.
2024-04-17 22:08:10
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ThrowResponseAlreadyStartedException(String value)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.set_StatusCode(Int32 value)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleChallengeAsync(AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.<>c__DisplayClass0_0.<<HandleAsync>g__Handle|0>d.MoveNext()
2024-04-17 22:08:10
--- End of stack trace from previous location ---
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
2024-04-17 22:08:10
warn: Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware[2]
2024-04-17 22:08:10
The response has already started, the error handler will not be executed.
2024-04-17 22:08:10
fail: Microsoft.AspNetCore.Server.Kestrel[13]
2024-04-17 22:08:10
Connection id "0HN2V5AT6MJH7", Request id "0HN2V5AT6MJH7:00000001": An unhandled exception was thrown by the application.
2024-04-17 22:08:10
System.InvalidOperationException: StatusCode cannot be set because the response has already started.
2024-04-17 22:08:10
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ThrowResponseAlreadyStartedException(String value)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.set_StatusCode(Int32 value)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleChallengeAsync(AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.ChallengeAsync(AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, String scheme, AuthenticationProperties properties)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authorization.Policy.AuthorizationMiddlewareResultHandler.<>c__DisplayClass0_0.<<HandleAsync>g__Handle|0>d.MoveNext()
2024-04-17 22:08:10
--- End of stack trace from previous location ---
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.HandleException(HttpContext context, ExceptionDispatchInfo edi)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
2024-04-17 22:08:10
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2024-04-17 22:08:10
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
2024-04-17 22:08:10
Request finished HTTP/1.1 GET http://demo.myProduct.eu/api/BillOfLading - 200 - - 60203.1957ms

cat /root/.aspnet/DataProtection-Keys/key-e92cdd27-bdba-48e6-a9f5-3dc207e-12223.xml

<?xml version="1.0" encoding="utf-8"?>
<key id="e92cdd27-bdba-48e6-a9f5-3dc207e12223" version="1">
  <creationDate>2024-04-17T22:06:41.9612458Z</creationDate>
  <activationDate>2024-04-17T22:06:41.9550478Z</activationDate>
  <expirationDate>2024-07-16T22:06:41.9550478Z</expirationDate>
  <descriptor deserializerType="Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel.AuthenticatedEncryptorDescriptorDeserializer, Microsoft.AspNetCore.DataProtection, Version=8.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60">
    <descriptor>
      <encryption algorithm="AES_256_CBC" />
      <validation algorithm="HMACSHA256" />
      <masterKey p4:requiresEncryption="true" xmlns:p4="http://schemas.asp.net/2015/03/dataProtection">
        <!-- Warning: the key below is in an unencrypted form. -->
        <value>LIQ26XZ4kAgak0M+PZMJANBeuRu8C6PDvn8KisVgiLw77YNgUcN6UOdWWRWRWWSeGSQQnlgQbPthhSpo7gd9EA==</value>
      </masterKey>
    </descriptor>
  </descriptor>
</key>

[brunobritodev]

Hello @Jogai,

Could you provide more insights into your specific use case or objective?

Security.Jwt is designed for generating JWTs (jws, jwe) using a public key cryptosystem. In other hand Security.JwtExtensions was designed to validate jwt issued by third-party systems, leveraging the jwks uri for this purpose.

Security.Jwt package also includes its extensions for validating tokens it has generated itself.

In the code snippet you've shared, I noticed the usage of both Security.Jwt and Security.JwtExtensions:

builder.Services.AddJwksManager()
	.UseJwtValidation(); // <-- Security.Jwt

options.SetJwksOptions(
		new JwkOptions // <-- Security.JwtExtensions
		{
			Audience = "audience", Issuer = "https://keycloak.myProduct.eu/realms/myProduct",
			JwksUri = "https://keycloak.myProduct.eu/realms/myProduct/protocol/openid-connect/certs",
			KeepFor = TimeSpan.FromHours(1)
		});

From my experience, integrating both of these components into the same project can lead to unexpected behaviors. This is because they alter the JWT validation process in different ways, potentially causing compatibility issues. For instance, one extension might modify the validation logic in a manner that inadvertently breaks the functionality provided by the other.

To avoid such complications, it might be beneficial to assess whether both packages are necessary for your project. If your requirements are met by generating and validating JWTs within the same ecosystem, sticking to Security.Jwt and its validation extensions. However, if you need to validate JWTs from external sources, use Security.JwtExtensions instead.

However if you really need both, let me know

[Jogai]

You're right, I don't need both. My case is fairly standard. I have a api and client living on the same domain (demo.whatever.tld) and keycloak next to it (on keycloak.whatever.tld). The api does request a token, and that token is send in the requests to my api (under /api/).

I guess I was just trying to make anything stick at all. But even only using the Jwks stuff from extensions (i did clean out the other dependencies to try) still gives me whats in the log below.

Someting else I noticed. The requests are waiting for a minute or more. That seems weird because even if the token is invalid that should be possible to verify in a few seconds.

Request starting HTTP/1.1 GET http://demo.myProduct.eu/api/TransportRegions - - -
2024-04-19 07:55:07
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[1]
2024-04-19 07:55:07
Failed to validate the token.
2024-04-19 07:55:07
Microsoft.IdentityModel.Tokens.SecurityTokenSignatureKeyNotFoundException: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
2024-04-19 07:55:07
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-04-19 07:55:07
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-04-19 07:55:07
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
2024-04-19 07:55:07
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[7]
2024-04-19 07:55:07
Bearer was not authenticated. Failure message: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
2024-04-19 07:55:07
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1001]
2024-04-19 07:55:07
1 candidate(s) found for the request path '/api/TransportRegions'
2024-04-19 07:55:07
dbug: Microsoft.AspNetCore.Routing.Matching.DfaMatcher[1005]
2024-04-19 07:55:07
Endpoint 'myProduct.Platform.Web.Controllers.TransportRegionsController.GetRegions (myProduct.Platform.Web)' with route pattern 'api/TransportRegions' is valid for the request path '/api/TransportRegions'
2024-04-19 07:55:07
dbug: Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware[1]
2024-04-19 07:55:07
Request matched endpoint 'myProduct.Platform.Web.Controllers.TransportRegionsController.GetRegions (myProduct.Platform.Web)'
2024-04-19 07:55:07
dbug: Microsoft.AspNetCore.Authorization.AuthorizationMiddleware[0]
2024-04-19 07:55:07
Policy authentication schemes did not succeed
2024-04-19 07:55:07
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
2024-04-19 07:55:07
Authorization failed. These requirements were not met:
2024-04-19 07:55:07
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

And since my container is not using persistent storage the key I find at '/root/.aspnet/DataProtection-Keys/' is always new.

[Jogai]

Could this be related: dotnet/aspnetcore#52075 (comment) (although I fail to see why it would locally work then).

[Jogai]

Update, if I set the BackChannelTimeout to a different value it takes that amount of time before the request fails, so its probably something with the httpclient that goes awry.