Authentication enters into infinite loop

[cryo75]

I have a Blazor server-side app set up and initially authentication will work as expected. I am also using sql server distributed cache to store authentication tickets (ITicketStore) and user tokens (IUserTokenStore)

Setting up of services is:

services.AddDistributedSqlServerCache(options =>
{
    options.ConnectionString = Configuration.GetConnectionString("App");
    options.SchemaName = "dbo";
    options.TableName = "Cache";
});

services.Configure<CookiePolicyOptions>(options =>
{
    options.CheckConsentNeeded = context => true;
    options.ConsentCookie.Path = "/Shop";
    options.MinimumSameSitePolicy = SameSiteMode.None;
    options.Secure = CookieSecurePolicy.Always;
});

services.AddSingleton<ITicketStore, AuthenticationTicketStore>();
services.AddOptions<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme)
        .Configure<ITicketStore>((options, store) =>
        {
            options.Cookie.IsEssential = true;
            options.Cookie.Path = "/Shop";
            options.ExpireTimeSpan = TimeSpan.FromDays(14);
            options.SessionStore = store;
            options.SlidingExpiration = true;
        });

services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    options.DefaultSignOutScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.Cookie.IsEssential = true;
    options.Cookie.Path = "/Shop";
    options.Cookie.SameSite = SameSiteMode.Lax;
    options.EventsType = typeof(CookieEvents);
})
.AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    options.Authority = Configuration["App:Issuer"];
    options.ClientId = Configuration["App:ClientId"];
    options.ClientSecret = Configuration["App:ClientSecret"];
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.ResponseMode = OpenIdConnectResponseMode.FormPost;
    options.MapInboundClaims = false;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.SaveTokens = true;
    options.Scope.Clear();
    options.Scope.Add(OpenIdConnectScope.OpenIdProfile);
    options.Scope.Add(OpenIdConnectScope.Email);
    options.Scope.Add(OpenIdConnectScope.OfflineAccess);
    options.TokenValidationParameters = new()
    {
        NameClaimType = "name",
        RoleClaimType = "role",
    };
    options.EventsType = typeof(OidcEvents);
});

services.AddOpenIdConnectAccessTokenManagement()
    .AddBlazorServerAccessTokenManagement<UserTokenStore>();

services.AddAuthorizationCore();
services.AddCascadingAuthenticationState();

This is my implementation of the ITicketStore:

public class AuthenticationTicketStore(
    IDistributedCache cache,
    ILogger<AuthenticationTicketStore> logger) : ITicketStore
{
    private const string KeyPrefix = "AuthSessionStore-";
    private readonly TicketSerializer ticketSerializer = TicketSerializer.Default;

    public async Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = $"{KeyPrefix}{Guid.NewGuid():N}";
        await RenewAsync(key, ticket);

        return key;
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        ArgumentNullException.ThrowIfNull(ticket);

        try
        {
            var options = new DistributedCacheEntryOptions();

            var expiresUtc = ticket.Properties.ExpiresUtc;
            if (expiresUtc.HasValue)
            {
                options.SetAbsoluteExpiration(expiresUtc.Value);
            }

            if (ticket.Properties.AllowRefresh ?? false)
            {
                options.SetSlidingExpiration(TimeSpan.FromMinutes(60));
            }

            return cache.SetAsync(key, ticketSerializer.Serialize(ticket), options);
        }
        catch (Exception ex)
        {
            logger.LogError(ex);
        }

        return null;
    }

    public async Task<AuthenticationTicket> RetrieveAsync(string key)
    {
        try
        {
            var value = await cache.GetAsync(key);
            return value != null ? ticketSerializer.Deserialize(value) : null;
        }
        catch (Exception ex)
        {
            logger.LogError(ex);
        }

        return null;
    }

    public Task RemoveAsync(string key) => cache.RemoveAsync(key);
}

I baed my code in the v3.3.0 sample and everything works fine until after some hours of inactivity (maybe 24hours). When the user starts the app again it enters into an infinite redirect loop between the auth provider and the login callback. The cookie events SigningIn and SignedIn are called ad infinitum. Also, the RenewAsync is called within this infinite loop and a new cache entry is added every time.

The only way to stop the loop by the user is to delete the cookies. Once done, the user is redirected to the login page as normal and flow proceeds as expected.

From what I can see, cookie/authentication configuration looks good.

Could the expiration settings of the different tickets/tokens/cache entries be causing this issue?

[wcabus]

I would suggest adding some breakpoints in the various CookieEvents methods you've overridden, to step through the flow when the redirect loop occurs. This typically happens because the cookie authentication middleware is rejecting the principal, but the reason is not apparent from the code you shared. Usually, when using custom stores, it's an issue with mixing cache keys.

There is one thing I would to, and that's a small bugfix in the AuthenticationTicketStore class you shared:

public async Task RenewAsync(string key, AuthenticationTicket ticket)
{
    ArgumentNullException.ThrowIfNull(ticket);

    try
    {
        var options = new DistributedCacheEntryOptions();

        var expiresUtc = ticket.Properties.ExpiresUtc;
        if (expiresUtc.HasValue)
        {
            options.SetAbsoluteExpiration(expiresUtc.Value);
        }

        if (ticket.Properties.AllowRefresh ?? false)
        {
            options.SetSlidingExpiration(TimeSpan.FromMinutes(60));
        }

        // Added await here, because if something would've failed here, you'd never fall into the catch block in this method.
        return await cache.SetAsync(key, ticketSerializer.Serialize(ticket), options);
    }
    catch (Exception ex)
    {
        logger.LogError(ex);
    }
}

[cryo75]

I catched that missing await already but return does not apply in that method. However that does not fix the problem. I am overriding just ValidatePrincipal and SigningOut and I'm logging there too.

The methods SigningIn and SignedIn enter into an infinite loop.

What other code is executed between these 2 methods where I can debug/log?

[wcabus]

ValidatePrincipal is typically where the current principal is being rejected and where the loop is being caused.

[cryo75]

This is my CookieEvents implementation (based on the sample):

public class CookieEvents(IUserTokenStore store,
    ILogger<CookieEvents> logger) : CookieAuthenticationEvents
{
    public override Task SignedIn(CookieSignedInContext context)
    {
        logger.LogDebug("Signing in to cookie authentication.");
        return base.SignedIn(context);
    }

    public override Task SigningIn(CookieSigningInContext context)
    {
        logger.LogDebug("Signing in with cookie authentication.");
        return base.SigningIn(context);
    }

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        logger.LogDebug("Validating principal for cookie authentication.");

        var token = await store.GetTokenAsync(context.Principal!);
        if (token.IsError)
        {
            logger.LogError($"Token validation failed: {token.Error}");
            context.RejectPrincipal();
        }

        await base.ValidatePrincipal(context);
    }

    public override async Task SigningOut(CookieSigningOutContext context)
    {
        logger.LogDebug("Signing out from cookie authentication.");

        await context.HttpContext.RevokeRefreshTokenAsync();
        await base.SigningOut(context);
    }
}

As you can see, I'm logging the events. However, the log shows the following:

2025-07-04 17:29:52.834 [DBG] [CookieEvents.SigningIn] Signing in with cookie authentication.
2025-07-04 17:29:52.841 [DBG] [CookieEvents.SignedIn] Signing in to cookie authentication.
2025-07-04 17:29:53.598 [DBG] [CookieEvents.SigningIn] Signing in with cookie authentication.
2025-07-04 17:29:53.601 [DBG] [CookieEvents.SignedIn] Signing in to cookie authentication.
etc...

Nothing else is being logged between these 2 events.

[cryo75]

I am setting a cookie path for all cookies (authentication, culture, consent). I noticed that when this infinite redirect happens there is an extra set of cookies but the path is just '/'. This is the problem because as soon as I delete these cookies, leave those with the path and refresh the page, everything works as expected.

So which middleware can be recreating these set of cookies without the path?

[wcabus]

Based on the code you've shared, there's only one instance of the cookie middleware in play. I would log more details in the SigninIn and SingedIn events: the context will show you the scheme and cookie options being used which contains the path among other settings.

If you could share a repository which mimics this situation, that could also help finding the issue.
That said, the infinite loop does not seem to be caused by using Duende.AccessTokenManagement.