DataProtection - Share machine key between multiple applications


Problem description

Let's suppose that we have two APIs, one for UserManagement and one for Auth.

UserManagement API is responsible for the initial invitation email (where I need a ResetPasswordToken because this is my current app flow) and Auth API is responsible for password recovery (where I need a ResetPasswordToken).

Of course, I need to specify the same machine key for both applications.

Let's also suppose that those two applications will be deployed behind a load balancer. 2 apps x 3 instances.

Is it sufficient to have the same shared location for persisting keys (Redis or so) in both APIs?

services.AddDataProtection().PersistKeysToRedis(/* */);

I'm thinking that if it works for the one app, multiple instances scenario, it will work for the multiple apps, multiple instances scenario too.

P.S.: I wasn't able to find anything about any locking mechanism (it seems that there is one, just looking at how it behaves).

Another thing that I'm concerned about: race condition?!

Duc_Thuan_Nguy Jun 9, 2017

Out of curiosity, how does key rolling handle concurrency? For example, let's say we have a web-farm with 2 machines and a shared network directory. There may be a race condition in which both machines want to roll a new key at the same time. How is this situation handled? Or the two machines can roll their own new keys and as long as they can have access to both new keys, they can unprotect data smoothly?

Comment reference: https://docs.microsoft.com/en-us/aspnet/core/security/data-protection/implementation/key-management

Later edit: It looks like if you have multiple apps it isn't sufficient to specify that you want to persist keys in the same location. There is a concept of application discriminator (all apps being isolated).

You will need something like the following:

services.AddDataProtection(configure => {
    configure.ApplicationDiscriminator = "App.X";
}).PersistKeysToRedis(/* */);

Locking and race condition questions are still valid.

Recommended answer

No, it's not sufficient. ASP.NET Core's data protection isolates applications by default based on file paths, or IIS hosting information, so multiple apps can share a single keyring, but still not be able to read each other's data.

As the documentation states:

By default, the Data Protection system isolates apps from one another, even if they're sharing the same physical key repository. This prevents the apps from understanding each other's protected payloads. To share protected payloads between two apps, use SetApplicationName with the same value for each app.

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
        .SetApplicationName("shared app name");
}
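The following is an added example (not code from the question, the answer, or the ASP.NET Core project) that makes the answer's point observable: two Data Protection stacks are built against the same key ring on disk, and a token protected by one can only be unprotected by the other when both were configured with the same application name. It assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages are referenced; the application names, the "ResetPasswordToken" purpose string and the temp-directory key ring path are placeholders chosen for the demo. `SetApplicationName` sets the same `DataProtectionOptions.ApplicationDiscriminator` that the question's later edit sets by hand, so the two forms are equivalent.

```csharp
// Added example: one shared key ring, two application names.
// Assumed packages: Microsoft.AspNetCore.DataProtection,
// Microsoft.Extensions.DependencyInjection. Names and paths are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

static class SharedKeyRingDemo
{
    // Build an IDataProtector the way each API would in ConfigureServices:
    // same persistence location, explicit application name. The application
    // name becomes part of the purpose chain, so it decides cross-app readability.
    static IDataProtector BuildProtector(string keyRingPath, string appName)
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(keyRingPath))
            .SetApplicationName(appName);

        var provider = services.BuildServiceProvider();
        return provider.GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("ResetPasswordToken"); // placeholder purpose
    }

    // Attempt to unprotect with another protector. A CryptographicException
    // ("payload was invalid") is how Data Protection reports a purpose or
    // discriminator mismatch; returning false lets the caller see isolation hold.
    static bool CanRead(IDataProtector reader, string protectedPayload)
    {
        try
        {
            reader.Unprotect(protectedPayload);
            return true;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Constructed key ring location shared by every stack below.
        string keyRing = Path.Combine(Path.GetTempPath(), "shared-keyring-demo");
        Directory.CreateDirectory(keyRing);

        // Same key ring, same application name: Auth can read a token that
        // UserManagement issued, which is the scenario the question needs.
        var userManagement = BuildProtector(keyRing, "MyProduct.Identity");
        var auth           = BuildProtector(keyRing, "MyProduct.Identity");
        string token = userManagement.Protect("user-id:42");
        Console.WriteLine($"same app name, readable: {CanRead(auth, token)}");

        // Same key ring, different application name: the same key material is
        // available, yet the payload is rejected because the discriminator differs.
        var unrelatedApp = BuildProtector(keyRing, "MyProduct.Other");
        Console.WriteLine($"different app name, readable: {CanRead(unrelatedApp, token)}");
    }
}
```

Running this prints `True` for the first line and `False` for the second. Two practical notes follow from it. First, the application name is the sharing boundary: pick a value that only the apps which are meant to exchange payloads use, so that other services persisting keys to the same Redis instance stay isolated from the password-reset tokens. Second, the purpose strings must match as well; Identity's token providers build their own purpose chain on top of the application name, so both APIs must use the same token provider configuration for a ResetPasswordToken to round-trip. Persisting a key ring to a shared store without also configuring key encryption at rest (for example `ProtectKeysWithCertificate`) leaves the keys readable to anyone with access to that store, so treat the Redis instance or directory as holding the secret itself.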
