
Scale-out

Scaling out the security services is done by deploying multiple instances of each service behind a load balancer or a similar solution, such as IIS Application Request Routing (ARR).

Security Servers Scale-out Architecture

By design, all services can be scaled out without any change, with the exception of the Authentication Web Service, which needs to store some information to keep state:

  • Duende IdentityServer operational data: For certain operations, Duende IdentityServer needs a persistence store to keep state; this includes issuing authorization codes, issuing reference and refresh tokens, and storing consent. All of this information is stored in the database and does not present scaling-out problems. More information at http://docs.identityserver.io/en/latest/topics/deployment.html.
  • ASP.NET Core data protection: ASP.NET Core itself needs shared key material for protecting sensitive data like cookies, state strings, etc. See the official docs at https://docs.microsoft.com/es-es/aspnet/core/security/data-protection. Currently, we offer two implementations: the in-memory store or a shared UNC path resource.

Authentication scale-out

Load balancer with sticky sessions

We have performed tests configuring the load balancer for the Authentication service with sticky sessions, and access tokens are refreshed properly.

Sharing Data Protection data

If there are no sticky sessions, scaling out the authentication servers requires sharing the ASP.NET Core data protection keys, which can be achieved with any of the options below:

Database

Keys are stored in the Security database. Configure this by setting the DataProtectionSettings.Mode property in the appsettings.json file to Database. This option is valid for on-premises and AWS deployments.

AWS Systems Manager

In AWS cloud deployments, AWS Systems Manager Parameter Store can also be used to share the Data Protection data. The parameter type used is Standard, and the key is generated following the pattern /Sequel.Security/{AuthorityIdOfThisSecurityInstance}/DataProtection, where AuthorityIdOfThisSecurityInstance is the authority id assigned in OpenIdConnect to this Security Service (IdP). Configure this by setting the DataProtectionSettings.Mode property in the appsettings.json file to AWS.

Load balancers and HTTPS

When deploying Security to AWS behind a Load Balancer, or behind any Reverse Proxy (such as nginx, traefik, kong...), Security must trust certain headers sent by the Load Balancer/Reverse Proxy. Otherwise Security will not work properly, showing errors such as being unable to log in to Administration or an infinite redirection loop in Authentication. To make Security trust these headers, set the TrustForwardedHeaders setting to true on Security API, Authentication and Authorization.
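As an added example (not the project's own code), the following minimal ASP.NET Core Program.cs shows the two standard mechanisms this page relies on: persisting the data protection key ring to a location shared by all instances, and honouring forwarded headers only when they come from a known reverse proxy. The share path, the proxy address and the reading of TrustForwardedHeaders from configuration are assumptions made for the illustration.

```csharp
// Added example: minimal ASP.NET Core host wiring shared data protection keys and
// forwarded-header trust. Not the project's own code; paths and addresses are placeholders.
using System.IO;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// 1. Shared data protection keys: every instance behind the load balancer must read the
//    same key ring, otherwise cookies and state strings issued by one instance are
//    rejected by another. Here the ring lives on a UNC share (placeholder path);
//    a database-backed ring (PersistKeysToDbContext) behaves the same way.
builder.Services.AddDataProtection()
    .SetApplicationName("Sequel.Security")                     // identical on all instances
    .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileserver\security-keys")); // assumed path
// Keys on a file share are written unencrypted unless ProtectKeysWithCertificate or
// ProtectKeysWithDpapiNG is chained on; restrict the share ACL to the service identity.

// 2. Forwarded headers: with TLS terminated at the proxy the app sees plain HTTP and keeps
//    redirecting to HTTPS unless it honours X-Forwarded-Proto. Only the known proxy is
//    trusted, so a client cannot forge its own scheme or source address.
bool trustForwarded = builder.Configuration.GetValue<bool>("TrustForwardedHeaders"); // assumed key
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
    options.KnownProxies.Clear();                              // drop the loopback default
    options.KnownNetworks.Clear();
    options.KnownProxies.Add(IPAddress.Parse("10.0.1.10"));    // placeholder proxy address
});

var app = builder.Build();

if (trustForwarded)
{
    app.UseForwardedHeaders(); // must run before HTTPS redirection and authentication
}
app.UseHttpsRedirection();

// Quick check endpoint: behind the proxy this should report scheme=https and the
// client's address, not the proxy's, once forwarded headers are trusted.
app.MapGet("/whoami", (HttpContext ctx) =>
    $"scheme={ctx.Request.Scheme} ip={ctx.Connection.RemoteIpAddress}");

app.Run();
```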