401 Error when using REST API / ContentDelivery API in a multi-instance environment

Description
This article describes a 401 error that occurs when using REST APIs such as the ContentDelivery API in a multi-instance environment: the OpenID Connect access token created by the CMS on one instance is not accepted when it is used to call another instance.

 

Steps

Please have your development team and partners review the content and confirm against your implementation.

This is a sample, but it illustrates the steps.


Basically, when AddOpenIDConnect() is called, it configures an endpoint that issues a JWT token and validates that token locally, using the signing and encryption certificate configured on that instance.

It means that a token issued by instance 1 will most likely not be accepted by the resource API on instance 2 (in this case, the ContentDelivery search endpoint) unless both instances use the same certificate. That is where the 401 comes in. In a single-instance environment you would not see this.
 
For reference, this is how the JWT can be made valid across two web app instances:
 

  1. Create the .crt and .key (or .pem) files using openssl.
  2. In Startup.cs, build an X509Certificate2 from the files created in step 1 and pass it to AddOpenIDConnect:

 

using System.IO;
using System.Security.Cryptography.X509Certificates;

// Load the certificate and private key created in step 1 (the file names
// are the ones used in this sample). X509Certificate2.CreateFromPem is
// available in .NET 5 and later.
var certPem = File.ReadAllText("certificate.crt");
var keyPem = File.ReadAllText("privateKey.key");
var tokenKey = X509Certificate2.CreateFromPem(certPem, keyPem);

// Use the same certificate on every instance so that a token issued by one
// instance validates on the others. useDevelopmentCertificate must be false;
// otherwise each instance falls back to its own development certificate,
// which is what produces the 401 across instances.
services.AddOpenIDConnect<ApplicationUser>(
    useDevelopmentCertificate: false,
    signingCertificate: tokenKey,
    encryptionCertificate: tokenKey,
    createSchema: true,
    options =>
    {
        options.AllowResourceOwnerPasswordFlow = true;
    });
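Step 1 above only says to create the files with openssl. The following is an added example (not from the original article) that creates them, checks that the private key actually belongs to the certificate (a mismatched pair makes CreateFromPem fail), and prints the SHA-1 thumbprint in the format X509Certificate2.Thumbprint reports, so you can confirm that every instance has loaded the same certificate. The subject name and the 2048-bit RSA key size are assumptions; the file names match the sample.

```shell
#!/bin/sh
# Usage:
#   make_token_cert ./certs
#   key_matches_cert ./certs/certificate.crt ./certs/privateKey.key && echo "pair OK"
#   cert_thumbprint ./certs/certificate.crt   # compare this value on every instance

# make_token_cert DIR [DAYS]: self-signed RSA certificate and private key for
# token signing/encryption, written as certificate.crt and privateKey.key.
make_token_cert() {
    dir=$1
    days=${2:-365}
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=cms-token-signing" \
        -keyout "$dir/privateKey.key" -out "$dir/certificate.crt" >/dev/null 2>&1
}

# cert_thumbprint CERT: SHA-1 fingerprint as uppercase hex without colons,
# i.e. the same string X509Certificate2.Thumbprint returns in .NET.
cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed 's/^.*=//; s/://g'
}

# key_matches_cert CERT KEY: exit status 0 only when the public key embedded
# in CERT equals the public key derived from KEY.
key_matches_cert() {
    cpub=$(openssl x509 -in "$1" -noout -pubkey)
    kpub=$(openssl pkey -in "$2" -pubout)
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}
```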

In production, you should probably use separate certificates for signing and for encryption. If you are using DXP, you can get the certificates from Azure Key Vault as noted in the documentation:

// On DXP, fetch the signing and encryption certificates provisioned for the
// environment (EPiServer.CloudPlatform.Cms package, version 1.3.0 or later).
var certificates = EPiServer.CloudPlatform.Cms.Certificates.CertificatesProvider.Get(_configuration);

services.AddOpenIDConnect<ApplicationUser>(
    useDevelopmentCertificate: false,
    signingCertificate: certificates.SigningCertificate,
    encryptionCertificate: certificates.EncryptionCertificate,
    createSchema: true);

 
From that same documentation, please see the note:
 
In production, provide a certificate in the form of an X509Certificate2 for signing and encrypting tokens. During development, OpenIddict provides one automatically if useDevelopmentCertificate is set to true. If the application is running in DXP, then we will provide certificates automatically via the EPiServer.CloudPlatform.Cms package in version 1.3.0 or later: