Identityserver4: Unable to validate jwt token with self signed certificate

Created on 29 Aug 2018 · 9 Comments · Source: IdentityServer/IdentityServer4

I am using .NET Core on a Linux server. I have two services running: one is the identity server and the other is my web application. I successfully get the token from the identity server, but my application is not able to validate the token. Here is the error I am getting.

New message was received
fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[3]
Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:5010/.well-known/openid-configuration'.
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
fail: Microsoft.AspNetCore.Server.Kestrel[13]
Connection id "0HLGDLDR5IEOL", Request id "0HLGDLDR5IEOL:00000001": An unhandled exception was thrown by the application.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:5010/.well-known/openid-configuration'.
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthenticateAsync(AuthorizationPolicy policy, HttpContext context)
at Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
at Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
at Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests<TContext>()

To further clarify, I am using a self-signed certificate. When I request the same page, i.e. 'https://localhost:5010/.well-known/openid-configuration', with wget while ignoring the certificate error, I get a 200 OK response. I guess it has something to do with the IdentityServerClient package. It is not ignoring the certificate error. Any ideas on it?
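The failure above happens on the back-channel HTTP call that fetches the discovery document, which uses the OS trust store and so rejects a self-signed certificate. The following is an added example (not code from the issue or from IdentityServer4) showing how to trust exactly one development certificate by thumbprint on that back channel, rather than turning certificate validation off. It assumes the API uses Microsoft's JwtBearer handler directly, that IdentityServer listens on https://localhost:5010, and that the audience name `api1` and the thumbprint constant are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

public static class JwtBearerDevTrust
{
    // Placeholder: replace with the SHA-1 thumbprint of your own dev certificate
    // (e.g. from `openssl x509 -in dev.crt -noout -fingerprint -sha1`, colons removed).
    private const string DevCertThumbprint = "0000000000000000000000000000000000000000";

    // Builds the handler used for discovery/JWKS fetches. Outside Development the
    // default validation (OS trust store) is kept untouched.
    public static HttpClientHandler CreatePinnedHandler(string expectedThumbprint, bool isDevelopment)
    {
        var handler = new HttpClientHandler();
        if (!isDevelopment)
        {
            return handler;
        }

        handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
        {
            // Normal chain validation still wins (e.g. the dev CA was installed).
            if (errors == SslPolicyErrors.None) return true;
            // Otherwise accept only the one expected certificate, never "any" certificate.
            return cert != null
                && string.Equals(cert.Thumbprint, expectedThumbprint, StringComparison.OrdinalIgnoreCase);
        };
        return handler;
    }

    public static void Configure(IServiceCollection services, bool isDevelopment)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = "https://localhost:5010";
                options.Audience = "api1";             // assumed API resource name
                options.RequireHttpsMetadata = true;   // fix the trust problem, keep HTTPS
                // This handler performs the request that fails with IDX20803 in the issue.
                options.BackchannelHttpHandler = CreatePinnedHandler(DevCertThumbprint, isDevelopment);
            });
    }
}
```

Installing the dev CA into the container's trust store is the cleaner fix; the pinned callback is a narrow fallback when that is not possible.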

question

All 9 comments

Same problem here without any Docker or Azure. I get this error with IdSrv4 using a secured Web.API to retrieve its configuration data from the database during introspection. At first I thought it was a blocking issue due to using async methods inside the API and inside the resource store implementation. After removing all async coding to determine if that was the problem, I now find in my log files the error message in the title of this issue. I am using IdentityServerTools to get an access token for accessing the API. I had no trouble implementing the IClientStore and IUserProfile interfaces using calls to the API. One thing I have found in debugging this over the past couple of days is that the IResourceStore implementation gets hammered during introspection in this scenario - sounds like some caching is needed.
Using IdSrv4 2.3.0 and ASP.NET Core 2.1.300
Full error message and code location:
InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'
Microsoft.IdentityModel.Protocols.ConfigurationManager<>.GetConfigurationAsync(CancellationToken cancel) in "C:\agent2_work\15\s\src\Microsoft.IdentityModel.Protocols\Configuration\ConfigurationManager.cs", line 211

There seem to be many ways to get this error, judging from Issue 2337 (https://github.com/IdentityServer/IdentityServer4/issues/2337).

It is interesting that the PII is not hidden in the message retrieved by Murtuzakabul.

@dlutz52 I can keep the PII open as it is not a public address. It is the loopback adapter address (localhost). Let me know if there is still something which I shouldn't have disclosed.

IDX20803: Unable to obtain configuration from: '[PII is hidden]'
Microsoft.IdentityModel.Protocols.ConfigurationManager<>.GetConfigurationAsync(CancellationToken cancel) in "C:\agent2_work\15\s\src\Microsoft.IdentityModel.Protocols\Configuration\ConfigurationManager.cs", line 211

This error is coming from the Microsoft code trying to read the discovery document - almost always a DNS/HTTPS problem.

I've this same problem.

Id4Svr is running in a Linux container in Azure App Services.

Everything is setup to be HTTPS. However, the client always fails with that same error.

However, if I go to the .well-known URL myself, all the endpoints are showing non-HTTPS.

If I run Id4Svr in Azure App Services for Windows (which is IIS) with the same configuration, it's all fine.

This is all related to the fact that you are behind a load balancer.

Either configure your forwarding headers correctly - or try to hardcode the origin with PublicOrigin

https://leastprivilege.com/2017/10/09/new-in-identityserver4-v2-simplified-configuration-behind-load-balancers-or-reverse-proxies/
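Both fixes from the reply above, as an added example that is not code from the issue, from IdentityServer4 or from the linked post: honour the X-Forwarded-* headers from the known load balancer so Kestrel sees the original scheme and host, or pin the advertised origin with `PublicOrigin`. It assumes IdentityServer4 2.x (where `PublicOrigin` exists), and the proxy address `10.0.0.5`, the public host `https://login.example.com` and the empty in-memory stores are placeholders.

```csharp
using System;
using System.Net;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Option A: rewrite scheme/host from the forwarded headers the proxy sets.
        services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;
            // Only trust these headers from the real proxy. Clearing KnownProxies /
            // KnownNetworks would let any caller choose the scheme and host that the
            // discovery document (and every issuer/endpoint URL in it) is built from.
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.5")); // placeholder proxy IP
        });

        services.AddIdentityServer(options =>
        {
            // Option B: hardcode the externally visible origin so the discovery document
            // advertises https://... endpoints regardless of what Kestrel observed.
            options.PublicOrigin = "https://login.example.com"; // placeholder public host
        })
        .AddDeveloperSigningCredential()
        .AddInMemoryIdentityResources(Array.Empty<IdentityResource>()) // placeholders for
        .AddInMemoryApiResources(Array.Empty<ApiResource>())           // your real stores
        .AddInMemoryClients(Array.Empty<Client>());
    }

    public void Configure(IApplicationBuilder app)
    {
        // Must run before UseIdentityServer so the request's scheme and host are
        // already rewritten when the discovery endpoint reads them.
        app.UseForwardedHeaders();
        app.UseIdentityServer();
    }
}
```

Pick one option: with correct forwarded headers, `PublicOrigin` is unnecessary, and setting it hides a misconfigured proxy rather than fixing it.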

@leastprivilege That's perfect! Exactly what I was missing.

Thanks!

I got a similar setup (linux docker containers with self signed dev certificates) and the same problem with the following error messages:

An unhandled exception occurred while processing the request.
SocketException: Cannot assign requested address
System.Net.Http.ConnectHelper.ConnectAsync(string host, int port, CancellationToken cancellationToken)
HttpRequestException: Cannot assign requested address
System.Net.Http.ConnectHelper.ConnectAsync(string host, int port, CancellationToken cancellationToken)
IOException: IDX20804: Unable to retrieve document from: 'https://localhost:44100/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:44100/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)

When I navigate to https://localhost:44100/.well-known/openid-configuration in my browser, I can see the config without any problems at all. Using SDK 2.1.402 and IdentityServer 2.3.0 preview.

All set on this issue -- can we close?

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
