Identityserver4: IDX20803: Unable to obtain configuration

Should have searched properly first. Similar issue here. Yet the solution posted by the author is not that clear to me.

Seems like JwtBearer has some problems with HTTPS.

If that's the component that's causing the above error, then it's more of a question for Microsoft, not IdentityServer.

This issue seems to be related to docker containers and not directly to IdentityServer.

We are seeing this exception in production at this very moment. Docker is not involved.
The linked issue mentions a url configuration problem. We haven't changed configuration.
Any ideas?

Hi,
I have the same issue :
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://localhost:8082/.well-known/openid-configuration'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'http://localhost:8082/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: Cannot assign requested address ---> System.Net.Sockets.SocketException: Cannot assign requested address.

But if I hit : http://localhost:8082/.well-known/openid-configuration on the browser, it works fine
Is it possible to post a identityserver4-dockercomppose-asp.netmvc configuration sample ?
Regards
@zuckerthoben @brockallen

I have the same problem. Any solution ?
I have installed curl in the docker container and check that it sees configuration:
curl http://192.168.99.100:8080/.well-known/openid-configuration It works. However when I run the application the same error
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://192.168.99.100:8080/.well-known/openid-configuration'.

I insert that url into browser and it also works. This is strange because I thought that container can not see the configuration, but it can (checked with curl). It also works when running from Visual Studio on localhost. It just does not work in docker containers, don't know why.

Any ideas ?

I have the same problem. Any solution ?
I have installed curl in the docker container and check that it sees configuration:
curl http://192.168.99.100:8080/.well-known/openid-configuration It works. However when I run the application the same error
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'http://192.168.99.100:8080/.well-known/openid-configuration'.

I insert that url into browser and it also works. This is strange because I thought that container can not see the configuration, but it can (checked with curl). It also works when running from Visual Studio on localhost. It just does not work in docker containers, don't know why.

Any ideas ?

is there any solution so far ?

i got the same issue

I had same issue System.IO.IOException: IDX20804 (Unable to retrieve document from: 'http://localhost:/identity/.well-known/openid-configuration)

TLDR: what @brockallen mentioned I suppose repeatedly turned out to be true - it wasn't Identityserver related issue but a docker and to be specific container communication.

@brockallen - though it's resolved with IssuerUrL at least for local env, curious to how this would work out given we have real services running in kube cluster (aws) behind nginx.
Also as per id4 docs - looks like its suggested not to use this? though I tried to keep this only for local en and not for real environments

Context: identity service is docker container and client api in another local machine and for both local ports mapped to host machine. as many mentioned, could reach respective endpoints from host browser of both services w/o issues including well-known endpoint

The Issue: client api running inside the container would result into IDX20804 (socket error) and IDX20803 when required to reach ids4 well-know. This is because docker compose maps container's localhost: to env host port hence reachable but NOT inside container and thereby no way to reach out to id4 disc endpoint. I could validate by ssh into the running container and curl failed to well-known URL.

The workaround: after multiple options, finally exposed name (domain)based simple URL (http://identityservice) with IssuerUrl property and in client api, ensure same URL for Authority. just to make sure no cert issues, disable Https in options. so at runtime whenever needed by jwt token endpoint was accessible because both containers spun with same compose config indirectly in same default network was a pleasing surprise to seeing working w/o additional complexity of docker network many suggested.

Hope this helps folks as context (docker host) was key in searching for solution and workaround

Cheers!

Hi, @anilraut30 ,@Activesite, @brockallen
this work for me after several weeks of research
identityserver adress = http://10.0.75.1:8080 instead of http://localhost:8080 or anything else.
10.0.75.0 is default docker IP adress.
Do not forget to open port 8080 on firewall
I think I will not put it into production. we can be stuck for a long time
Regards

@logcorner I changed IdentityServerUrl to http://10.0.75.1:8080. I still get the error but get 403 Forbidden as well

The Firewall is disabled.

@anilraut30 Could you please post canonical sample peaces of code for config, controller & api related code? This headache is months. I spent too much time for this... Need help.
Removed all https, no cert issues, etc.. User able to login, but can't get from separate ProfileController user info (user should be able to see/edit profile).

Hi, @anilraut30 ,@Activesite, @brockallen
this work for me after several weeks of research
identityserver adress = http://10.0.75.1:8080 instead of http://localhost:8080 or anything else.
10.0.75.0 is default docker IP adress.
Do not forget to open port 8080 on firewall
I think I will not put it into production. we can be stuck for a long time
Regards

This worked for me. Thanks!

I've run into this outside of Docker containers -- I believe it has something to do with application pool recycling.

Issue
IDX20803 / 20804 errors culminating in a TaskCanceledException after a long idle period (i.e. no requests coming in). It's not reproducible in your browser, because by the time you hit the configuration endpoint, the app is already started back up and responding to requests.

My application uses both UseOpenIdConnectAuthenticationmiddleware and UseIdentityServerBearerTokenAuthentication. I believe the issue to be with UseOpenIdConnectAuthenticationmiddleware.

(Probable) Cause
IdentityServer IIS application pool recycling and/or idle timeout occurring, leading to a relatively slow spin-up of IdentityServer itself, giving the consuming application the opportunity to have its request timeout prior to IdentityServer fully starting back up, causing the error(s) above.

The UseOpenIdConnectAuthenticationmiddleware from MSFT does not appear to have a setting like DelayLoadingMetadata which is available on UseIdentityServerBearerTokenAuthentication. My application uses both for different purposes.

Potential Fix
Application Pool Advanced Settings Updates:

• Start Mode: AlwaysOn
• Idle Time-out (minutes): 0
• Recycling -> Regular Time Interval: 0

I'd recommend watching resource consumption on the Application Pool in case the lack of recycling causes a memory leak somewhere.

I have already applied the first two changes to our IIS app, but still (though less-frequently) encountered the Task Cancelled exception. The default recycling interval was previously set to 1740 minutes, or every 29 hours.

Will report back if this fixes my issue long-term. Hopefully this helps someone in the short-run.

Proposed Long-term Fix

Will report this to MSFT to see if they'll add a metadata loading delay to OpenIdConnectAuthenticationOptions of UseOpenIdConnectAuthentication such that timeouts (and task cancelled exceptions can be avoided)

For anyone reading this trying to use integration tests via the WebApplicationFactory and having your own local IS4 instance run along side your app, the default auth handle for JWT bearer tokens news up an HttpClient all on its own. This wont work for TestServer, it creates a special client for you.

I don't know a good fix yet since by the time you have a working client and test server you are long past being able to configure your server.

Here is where all the pain begins: https://github.com/aspnet/AspNetCore/blob/master/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L88

If you follow your way through you get here eventually:
https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/src/Microsoft.IdentityModel.Protocols/Configuration/HttpDocumentRetriever.cs#L44

EDIT: If the Googlers find this, I ended up going with this approach:

var keyFile = File.ReadAllText("./tempkey.rsa");
var tempKey = JsonConvert.DeserializeObject<TemporaryRsaKey>(keyFile, new JsonSerializerSettings { ContractResolver = new RsaKeyContractResolver() });

var tokenValidationParams = new TokenValidationParameters()
{
    ValidIssuer = "http://localhost",
    IssuerSigningKey = IdentityServerBuilderExtensionsCrypto.CreateRsaSecurityKey(tempKey.Parameters, tempKey.KeyId),
    ValidAudience = IntegrationTestConstants.IntegrationTestProtectedResourceName,
    ValidateLifetime = true
};

services
// Set the new default to Integration for testing.
.AddAuthentication(IntegrationTestConstants.IntegrationTestDefaultAuthenticationScheme)
// Register a new handler for Integration
.AddJwtBearer(IntegrationTestConstants.IntegrationTestDefaultAuthenticationScheme, "Integration Testing Auth Scheme", options =>
    {
        options.TokenValidationParameters = tokenValidationParams;
    });

In the end, this circumvents AddJwtBearers hunt for the non-existent discovery document. It grabs the temp key created by IS4 UseDveloperSigningCredentials() and then starts validating tokens using it as they come in.

Happy coding.

I meet the same Issues, I publish the program to server windowserver 2012. and use idsrv3test.pfx
Ultimately, that's how I solved it.
`
public static IServiceCollection AddAuthentication(this IServiceCollection services, IConfiguration configuration)
{
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

        services
            .AddAuthentication(options =>
            {
                options.DefaultAuthenticateScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = IdentityServerAuthenticationDefaults.AuthenticationScheme;                           
            })
            .AddIdentityServerAuthentication(options =>
            {

                options.Authority = configuration.GetValue<string>("ApplicationSettings:Authority");
                options.RequireHttpsMetadata = true;
                options.ApiSecret = "Q&tGrEQMypEk.XxPU:%bWDZMdpZeJiyMwpLv4F7d**w9x:7KuJ#fy,E8KPHpKz++";
                options.ApiName = "yiko_identity_api";
                options.JwtBackChannelHandler = GetHandler();
            });   

        return services;
    }

    private static HttpClientHandler GetHandler()
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificateOptions = ClientCertificateOption.Manual;
        handler.SslProtocols = SslProtocols.Tls12;         
        handler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
        return handler;
    }`

This method GetHandler() plus RequireHttpsMetadata = true; did a trick for me thank you

Hi All,

I am using Azure AD Claim based Authentication in my ASP.Net MVC project. Application was running fine for 6 months suddenly intermittently it started throwing below error

I put logs in my application and found that when request gets invalidated, then system tries to *Authentication.Challenge for redirection * (Code Snippet below) to external AD login page, but login page never comes up. When I restart the IIS, it again starts working then same process after 3-4 hours same error start and it stops application for all users.

I have been fighting with this error from nearly a month. Please provide any help

**var properties = new AuthenticationProperties { RedirectUri = ApplicationRedirectUri };
if (!string.IsNullOrEmpty(userName.Trim()))
{
properties.Dictionary[XsrfKey] = userName;
}
else
{
string uid = Common.GetUIDCookie(Constants.UserID_Cookie);
if (!string.IsNullOrEmpty(uid))
properties.Dictionary[XsrfKey] = uid;
}

                HttpContext.GetOwinContext()
                   .Authentication.Challenge(properties, OpenIdConnectAuthenticationDefaults.AuthenticationType);**

Inner Exception
IDX20804: Unable to retrieve document from: '[PII is hidden by default.
Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown --- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown
--- at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.d__24.MoveNext()

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.