Using distributed cache with Duende AccessTokenManagement results in endless loop

[IvanMarkDebono]

I upgraded my Blazor Serverside app from NET5 to NET8 and I am now using Duende.AccessTokenManagement instead of the older TokenProvider implementation described by Microsoft.

So far everything works fine when using the same IUserTokenStore implementation as in the samples.

In my app I use distributed SQL Server cache and I implement a custom ITicketStore for cookie authentication tickets. I then wanted to the replace the sample IUserTokenStore implementation with one that uses distributed cache. My implementation is:

public class UserTokenStore(
    IDistributedCache cache) : IUserTokenStore
{
    private const string KeyPrefix = "UserTokenStore-";

    public Task<UserToken> GetTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
    {
        var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("No sub claim");

        if (cache.TryGetValue(sub, out UserToken value))
        {
            return Task.FromResult(value);
        }

        return Task.FromResult(new UserToken { Error = "Not found" });
    }

    public Task StoreTokenAsync(ClaimsPrincipal user, UserToken token, UserTokenRequestParameters? parameters = null)
    {
        var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("No sub claim");

        cache.Set($"{KeyPrefix}{sub}", token, new()
        {
            AbsoluteExpiration = token.Expiration,
            //SlidingExpiration = TimeSpan.FromMinutes(60)
        });

        return Task.CompletedTask;
    }

    public Task ClearTokenAsync(ClaimsPrincipal user, UserTokenRequestParameters? parameters = null)
    {
        var sub = user.FindFirst("sub")?.Value ?? throw new InvalidOperationException("No sub claim");

        cache.Remove($"{KeyPrefix}{sub}");
        return Task.CompletedTask;
    }
}

So now I am using distributed cache instead of the ConcurrentDicctionary.

However, once I did this, the app enters into an endless loop navigating between the OIDC providers connect/authorize URL and the app's return URL.

Is there a reason why this is happening?

[wcabus]

I'm assuming you've based your solution on this sample code: https://github.com/DuendeSoftware/foss/tree/atm-3.2.0/access-token-management/samples/BlazorServer

Did you also implement the custom CookieAuthenticationEvents and OpenIdConnectEvents classes and register them properly? These two event classes work together with the IUserTokenStore to store the token (in OidcEvents.TokenValidated), but also to reject invalid tokens (in CookieEvents.ValidatePrincipal).
The fact that you're stuck in a loop between the OIDC flow and your app, probably means that your app isn't generating the auth cookie. I would place a breakpoint in the ValidatePrincipal method to see what's happening, because I have a feeling that _store.GetTokenAsync is not returning the token from the distributed cache.

[IvanMarkDebono]

Problem solved. I was mixing cache keys.

[wcabus]

Ah yes, now I spotted if (cache.TryGetValue(sub, out UserToken value)) rather than if (cache.TryGetValue($"{KeyPrefix}{sub}", out UserToken value))! Glad you got it resolved :)