ASP.NET TicketDataFormat.Unprotect(cookieValue) returns null

I am trying to decrypt an authentication cookie set by another .NET 4.6.2 MVC app which was created with the following in the Startup.Auth:

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    // Protect the cookie with the file-system key ring that the other app also reads
    TicketDataFormat = new AspNetTicketDataFormat(
        new DataProtectorShim(
            DataProtectionProvider.Create(new DirectoryInfo(@"C:\Keys\"))
                .CreateProtector("blah")))
});

This is what I'm doing to try and decrypt it:

using System.IO;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

// Unprotect returns null (it does not throw) when the key ring or purpose does not match
AuthenticationTicket DecryptSharedCookie(string keyDirectory, string dataProtectorPurpose, string cookieValue)
{
    //  Create a data protector to facilitate in decrypting the cookie.
    var provider = DataProtectionProvider.Create(new DirectoryInfo(keyDirectory));
    var dataProtector = provider.CreateProtector(dataProtectorPurpose);
    //  Decrypt the cookie, obtaining an authentication ticket.
    var ticketDataFormat = new TicketDataFormat(dataProtector);
    return ticketDataFormat.Unprotect(cookieValue);
}

This was working fine up until I started to do some Identity customisation. I have created a new IdentityUser which inherits from IdentityUser just so I can add a few extra fields. Is it failing to read the identity now maybe?

Thanks

Tophat Gordon asked Oct 23 '25 18:10


1 Answer

I have solved this through a lot of playing about.

It turned out to be a combination of the following issues:

  • The purpose and sub-purpose strings provided to the DataProtectionProvider CreateProtector method were not set to "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware", "Cookies", "v2". I just had them as another string value, as from reading the docs I thought this could be just any string, as long as they were the same between the apps needing to share the cookie.

  • One of the apps was using version 1.1.2 of the Microsoft.AspNetCore.DataProtection NuGet package, whereas the other was using version 1.1.1. I upgraded 1.1.1 -> 1.1.2.

All seems to work fine now. So having a custom user identity in one app which is not in the other does not matter; the cookie can still be understood and a ClaimsIdentity extracted.

Tophat Gordon answered Oct 26 '25 10:10
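The fix above in one place, as an added example rather than the poster's code: the exact purpose chain the ASP.NET Core cookie middleware derives its subkey from, plus a round-trip check that distinguishes a silent null from a working configuration. It assumes both apps persist keys to the same directory (placeholder path), neither sets an application name, and the issuing app's cookie scheme is "Cookies".

```csharp
using System;
using System.IO;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.DataProtection;

// Added example; not the question's or answer's code.
static class SharedCookieTicket
{
    const string KeyDirectory = @"C:\Keys\";   // placeholder: the key ring shared by both apps
    const string SchemeName = "Cookies";       // assumption: must equal the issuing app's scheme name

    // The same purpose chain the ASP.NET Core cookie middleware uses. Any other strings derive
    // a different subkey, and TicketDataFormat.Unprotect() then returns null rather than throwing.
    static IDataProtector TicketProtector() =>
        DataProtectionProvider.Create(new DirectoryInfo(KeyDirectory))
            .CreateProtector(
                "Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationMiddleware",
                SchemeName,
                "v2");

    public static string Protect(AuthenticationTicket ticket) =>
        new TicketDataFormat(TicketProtector()).Protect(ticket);

    // Null here means: wrong key ring, wrong purpose chain, wrong scheme, or a modified cookie.
    public static AuthenticationTicket Unprotect(string cookieValue) =>
        new TicketDataFormat(TicketProtector()).Unprotect(cookieValue);

    // Round-trip check to run in each app. Only claims travel in the ticket, so a custom
    // IdentityUser subclass on one side does not affect the result.
    public static bool RoundTripWorks()
    {
        // Constructed test identity; no real user involved.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "alice") }, SchemeName);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName);

        var cookieValue = Protect(ticket);
        var decoded = Unprotect(cookieValue);

        return decoded?.Principal.Identity?.Name == "alice";
    }
}
```

If either app calls SetApplicationName on its data protection builder, the other must use the same name, otherwise the key ring is shared but the derived keys are not.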