CryptographicException: The key {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} was not found in the key ring.

[alexchx]

Please provide us with the following information:

This issue is for a: (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request
- [ ] documentation issue or request
- [ ] regression (a behavior that used to work and stopped in a new release)

The issue was found for the following scenario:

Please add an 'x' for the scenario(s) where you found an issue

1. Web app that signs in users
   1. with a work and school account in your organization: 1-WebApp-OIDC/1-1-MyOrg
   2. with any work and school account: /1-WebApp-OIDC/1-2-AnyOrg
   3. with any work or school account or Microsoft personal account: 1-WebApp-OIDC/1-3-AnyOrgOrPersonal
   4. with users in National or sovereign clouds 1-WebApp-OIDC/1-4-Sovereign
   5. with B2C users 1-WebApp-OIDC/1-5-B2C
2. Web app that calls Microsoft Graph
   1. Calling graph with the Microsoft Graph SDK: 2-WebApp-graph-user/2-1-Call-MSGraph
   2. With specific token caches: 2-WebApp-graph-user/2-2-TokenCache
   3. Calling Microsoft Graph in national clouds: 2-WebApp-graph-user/2-4-Sovereign-Call-MSGraph
3. Web app calling several APIs 3-WebApp-multi-APIs
4. Web app calling your own Web API
5. Web app restricting users
   1. by Roles: 5-WebApp-AuthZ/5-1-Roles
   2. by Groups: 5-WebApp-AuthZ/5-2-Groups
6. Deployment to Azure
7. Other (please describe)

Repro-ing the issue

Repro steps

1. Call AddMsal and AddSqlPerUserTokenCache.
2. Deploy the solution to 2 distributed environments (or the local dev environment and a remote test website) which are consuming the same database,
3. User login the remote test website and call any Graph API (delegated).
4. Same user login the local dev website and call any Graph API (delegated).

Expected behavior

Both steps 3 and 4 have the login and Graph API call successfully.

Actual behavior

Step 4 failed with this error
CryptographicException: The key {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} was not found in the key ring.

Possible Solution

Update this file SqlTokenCacheProviderExtension.cs to call PersistKeysToDbContext for any of the AddDataProtection occurrences (AddSqlAppTokenCache, AddSqlPerUserTokenCache), as the MSAL token cache is persisted in the database, so we should persist the secret info in the same database too for consistence.

Additional context/ Error codes / Screenshots

Any log messages given by the failure

Add any other context about the problem here, such as logs.

• You can enable Middleware diagnostics by uncommenting the following lines
• You can enable personally identifiable information in your exceptions to get more information in the open id connect middleware see Seeing [PII is hidden] in log messages
• Logging for MSAL.NET is described at Loggin in MSAL.NET

OS and Version?

Windows 7, 8 or 10. Linux (which distribution). macOS (Yosemite? El Capitan? Sierra?)

Versions

of ASP.NET Core, of MSAL.NET
ASP.NET Core 3.0

Attempting to troubleshooting yourself:

• did you go through the README.md in the folder where you found the issue?
• did you go through the documentation:
  • Scenario: Web app that signs in users
  • Scenario: Web app that calls web APIs

Mention any other details that might be useful

---

Thanks! We'll be in touch soon.

[TiagoBrenck]

Hi @alexchx,

I have a PR opened with the explanation of this issue. For distributed environments you would have to use AddDistributedSqlServerCache or change the DataProtection to persist the key in a centralized place (shared folder or even key vault).

Please, take a look on that PR and choose a solution that is best for your production environment. Let us know if it worked or if you need more help.

Thanks