Identityserver4.admin: Hosting on Docker Swarm with Traefik

Created on 14 Dec 2019 · 11 Comments · Source: skoruba/IdentityServer4.Admin

Dear,

I am trying to host the dev version (.NET Core 3 and Docker support) on Docker Swarm with Traefik; you can find more information about the environment here: https://dockerswarm.rocks/traefik/
Both the STS and the API (Swagger) work well, but I'm facing an error that I don't understand when I access the Admin:

An unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()

Exception: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler.HandleRequestAsync()

I don't really know where to search.

Thanks

question

All 11 comments

Hi, can you send a detailed trace? From this message you got a 401, but I don't know why. More details will be perfect.

Hi,

Here is the trace that I have in the table "Log":

System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()

System.Exception: An error was encountered while handling the remote login.
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.CspMiddleware.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at NWebsec.AspNetCore.Middleware.Middleware.MiddlewareBase.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Did you change configuration of admin authentication? Is it default configuration?

Hi,

I have just adapted the default configuration in the docker-compose:

environment:
  - ASPNETCORE_URLS=http://0.0.0.0:80
  - ASPNETCORE_ENVIRONMENT=Development
  - "ConnectionStrings__ConfigurationDbConnection=xxx"
  - "ConnectionStrings__PersistedGrantDbConnection=xxx"
  - "ConnectionStrings__IdentityDbConnection=Server=xxx"
  - "ConnectionStrings__AdminLogDbConnection=Server=xxx"
  - "ConnectionStrings__AdminAuditLogDbConnection=Server=xxx"
  - AdminConfiguration__IdentityServerBaseUrl=https://identity.octopus.dev.naxosit.com
  - AdminConfiguration__IdentityAdminBaseUrl=https://identity-admin.octopus.dev.naxosit.com
  - AdminConfiguration__IdentityAdminRedirectUri=https://identity-admin.octopus.dev.naxosit.com/signin-oidc
  - "IdentityServerData__Clients__0__ClientUri=https://identity-admin.octopus.dev.naxosit.com"
  - "IdentityServerData__Clients__0__RedirectUris__0=https://identity-admin.octopus.dev.naxosit.com/signin-oidc"
  - "IdentityServerData__Clients__0__FrontChannelLogoutUri=https://identity-admin.octopus.dev.naxosit.com/signin-oidc"
  - "IdentityServerData__Clients__0__PostLogoutRedirectUris__0=https://identity-admin.octopus.dev.naxosit.com/signout-callback-oidc"
  - "IdentityServerData__Clients__0__AllowedCorsOrigins__0=https://identity-admin.octopus.dev.naxosit.com"
  - "IdentityServerData__Clients__1__RedirectUris__0=https://identity-api.octopus.dev.naxosit.com/swagger/oauth2-redirect.html"
  - "Serilog__WriteTo__1__Args__connectionString=xxx"
command: dotnet Skoruba.IdentityServer4.Admin.dll /seed

I have to test it, but locally with docker-compose these settings work fine.

Any idea @bravecobra @xmichaelx ?

Is identity.octopus.dev.naxosit.com resolvable from both inside (by the container running the admin) and outside the swarm network?

Hi, yes I have tried from the inside of the container and it works, also from the outside.

Look at this: https://identity.octopus.dev.naxosit.com/.well-known/openid-configuration

  • all URLs are without https; this probably causes the issue.

Good point, so IdentityServer doesn't know that it is hosted on https.
I will take a look at the forwarded headers.
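To make the check above repeatable, here is an added example (not code from this issue or from the IdentityServer4.Admin project) that reads a discovery document and flags every endpoint whose scheme is not https or whose host differs from the issuer you expect. The hostname is taken from this thread; with no argument it runs against a constructed sample document that reproduces the symptom instead of going to the network, and with a URL argument it fetches the real document without following redirects, so a proxy-side http-to-https redirect cannot mask the mismatch.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: audit an OpenID Connect discovery document for endpoints
// that are not published over https at the expected origin.
public static class DiscoveryCheck
{
    // Constructed sample mirroring the symptom from the thread: the STS is
    // reached over https, but behind the proxy it built every URL with http.
    private const string SampleDocument = @"{
  ""issuer"": ""http://identity.octopus.dev.naxosit.com"",
  ""jwks_uri"": ""http://identity.octopus.dev.naxosit.com/.well-known/openid-configuration/jwks"",
  ""authorization_endpoint"": ""http://identity.octopus.dev.naxosit.com/connect/authorize"",
  ""token_endpoint"": ""http://identity.octopus.dev.naxosit.com/connect/token"",
  ""userinfo_endpoint"": ""http://identity.octopus.dev.naxosit.com/connect/userinfo"",
  ""scopes_supported"": [""openid"", ""profile""]
}";

    public static async Task<int> Main(string[] args)
    {
        // Expected public origin of the STS (assumed from the thread).
        var expectedOrigin = "https://identity.octopus.dev.naxosit.com";
        string json;
        if (args.Length > 0)
        {
            expectedOrigin = args[0].TrimEnd('/');
            // AllowAutoRedirect = false: a 301/302 from the proxy is itself a finding,
            // and it is the kind of hop on which HttpClient drops credentials.
            using var http = new HttpClient(new HttpClientHandler { AllowAutoRedirect = false });
            json = await http.GetStringAsync(expectedOrigin + "/.well-known/openid-configuration");
        }
        else
        {
            json = SampleDocument;
        }

        var findings = FindInsecureEndpoints(json, expectedOrigin);
        foreach (var finding in findings) Console.WriteLine(finding);
        Console.WriteLine(findings.Count == 0
            ? "OK: every endpoint uses https on the expected host"
            : $"{findings.Count} problem(s) found");
        return findings.Count == 0 ? 0 : 1;
    }

    // Returns one line per property whose value is an absolute URL that is not
    // https or is not on the expected host. Non-URL properties are ignored.
    public static List<string> FindInsecureEndpoints(string discoveryJson, string expectedOrigin)
    {
        var expected = new Uri(expectedOrigin);
        var findings = new List<string>();
        using var doc = JsonDocument.Parse(discoveryJson);
        foreach (var prop in doc.RootElement.EnumerateObject())
        {
            if (prop.Value.ValueKind != JsonValueKind.String) continue;
            if (!Uri.TryCreate(prop.Value.GetString(), UriKind.Absolute, out var uri)) continue;

            if (uri.Scheme != Uri.UriSchemeHttps)
                findings.Add($"{prop.Name}: {uri} uses {uri.Scheme}, expected https");
            else if (!string.Equals(uri.Host, expected.Host, StringComparison.OrdinalIgnoreCase))
                findings.Add($"{prop.Name}: {uri} is on host {uri.Host}, expected {expected.Host}");
        }
        return findings;
    }
}
```

Run it from inside the admin container as well as from outside: the OIDC handler in the admin resolves and calls the userinfo_endpoint it finds in this document, so it is the view from the container that decides whether the remote login succeeds.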

Ok, it was the reason, now it works.
Thanks for pointing the problem.
So I have updated the startup, in the method Configure() :

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    app.UseForwardedHeaders();
    // remaining pipeline unchanged
}

And in the method ConfigureServices() :

services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;
});

Also I had to update the dockerfiles to use the "-bionic" image of .net core 3.0, because of this problem : https://github.com/dotnet/SqlClient/issues/222

FROM mcr.microsoft.com/dotnet/core/aspnet:3.0-bionic AS base
WORKDIR /app
EXPOSE 80
FROM mcr.microsoft.com/dotnet/core/sdk:3.0-bionic AS build
WORKDIR /src
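A hardened version of the same change, as an added example rather than code from this thread or from the project: besides reading the scheme, it pins which upstream addresses may set forwarded headers at all. By default the middleware honours them only from loopback proxies, and anything else that can reach the container and send its own X-Forwarded-Proto (or X-Forwarded-Host, if you enable it) must not be able to make the STS believe it is on https or rewrite its issuer. The 10.0.1.0/24 subnet is an assumed Swarm overlay network and the host name is the one from this thread; replace both with your own values.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

// Added example: forwarded-header handling for an STS behind Traefik that
// terminates TLS, with the trust boundary stated explicitly.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            // Traefik terminates TLS, so the original scheme arrives as X-Forwarded-Proto.
            // Traefik passes the Host header through unchanged by default, so
            // XForwardedHost is deliberately not enabled here.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedProto;

            // Replace the loopback-only defaults with the network Traefik lives on.
            // 10.0.1.0/24 is an assumed overlay subnet (docker network inspect shows yours).
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownNetworks.Add(new IPNetwork(IPAddress.Parse("10.0.1.0"), 24));

            // Exactly one proxy in front of the app: consume one header entry, no more.
            options.ForwardLimit = 1;
        });

        // IdentityServer, MVC and the rest of the existing registrations follow here.
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // Must run before anything that reads Request.Scheme: HTTPS redirection,
        // IdentityServer's issuer and discovery URLs, and the OIDC handler.
        app.UseForwardedHeaders();

        // Existing pipeline continues here (UseRouting, UseIdentityServer,
        // UseAuthentication, UseAuthorization, UseEndpoints, ...).
    }
}
```

Leaving KnownNetworks and KnownProxies at their loopback defaults means the headers are silently ignored for traffic from the overlay network, while clearing them without adding the proxy network (which is also what the ASPNETCORE_FORWARDEDHEADERS_ENABLED environment variable does) means any peer on that network is trusted; naming the subnet is the middle ground. The same options block belongs in the Admin and API projects, since they build their redirect URIs from Request.Scheme as well.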

Thanks for your feedback 👍
