IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0

IdentityServer4.AccessTokenValidation: The SSL connection could not be established #132

Closed stefan-buys closed 4 years ago

stefan-buys commented 4 years ago

I have a .NET Core 3.1 web API that uses the IdentityServer4.AccessTokenValidation v3.0.1 NuGet package to validate access tokens.

This has been working well for a while, but over the last week or so I started seeing more and more exceptions with the following stack trace:

```
IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler[0]
Error parsing discovery document from https://********: Error connecting to https://********/.well-known/openid-configuration. The SSL connection could not be established, see inner exception..
System.InvalidOperationException: Error parsing discovery document from https://********: Error connecting to https://********/.well-known/openid-configuration. The SSL connection could not be established, see inner exception..
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.GetIntrospectionEndpointFromDiscoveryDocument(OAuth2IntrospectionOptions options)
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.InitializeIntrospectionClient(OAuth2IntrospectionOptions options)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.LoadClaimsForToken(String token)
   at IdentityModel.AspNetCore.OAuth2Introspection.OAuth2IntrospectionHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
```

The message refers to an inner exception, but it is not available here (?). Is there a way I can intercept the exception to get the inner exception?

My setup (registration) is as follows:

```csharp
using IdentityServer4.AccessTokenValidation;
using Microsoft.Extensions.DependencyInjection;

// Registers the IdentityServer authentication handler; authSettings is bound from configuration.
services
    .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        options.Authority = authSettings.AuthUri;
        options.ApiName = authSettings.ApiName;
        options.ApiSecret = authSettings.ApiSecret;
        options.RequireHttpsMetadata = true;
    });
```

What is strange is that this is intermittent. What could cause this?

leastprivilege commented 4 years ago

> The SSL connection could not be established

is pretty obvious. Some HTTPS config does not work anymore. Maybe an expired cert?

stefan-buys commented 4 years ago

The issue is intermittent, certs are valid.

leastprivilege commented 4 years ago

Then I don't know. I don't think the inner exception will give you more details.

You could plug in your own HttpClient for the back-channel though.

stefan-buys commented 4 years ago

In v2.7.0, IdentityServerAuthenticationOptions included IntrospectionBackChannelHandler, IntrospectionDiscoveryHandler and JwtBackChannelHandler.

In 3.0.1 only JwtBackChannelHandler is available; is that where I would plug in a custom handler?
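As an added illustration of the custom back-channel handler suggested above (not code from the thread or from the IdentityServer4.AccessTokenValidation project), this DelegatingHandler wraps HttpClientHandler and logs the full inner-exception chain of a failed HTTPS call, which is the detail the handler's own log line drops. It assumes that in 3.0.1 `options.JwtBackChannelHandler` accepts an `HttpMessageHandler`, and that the `BackChannelDiagnosticsHandler`, `AuthRegistration` and the authority/apiName/apiSecret parameters are hypothetical names standing in for the issue's authSettings values; whether the introspection discovery call in the stack trace above is routed through this handler is not established in this thread.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using IdentityServer4.AccessTokenValidation;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Hypothetical DelegatingHandler: forwards to HttpClientHandler and, when the request fails,
// logs the whole inner-exception chain (what the issue's log line drops) before rethrowing.
public class BackChannelDiagnosticsHandler : DelegatingHandler
{
    private readonly ILogger _logger;
    public BackChannelDiagnosticsHandler(ILogger logger, HttpMessageHandler inner)
        : base(inner) => _logger = logger;

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        try
        {
            return await base.SendAsync(request, cancellationToken);
        }
        catch (HttpRequestException ex)
        {
            // Outermost entry first; the later entries are the "see inner exception" part
            // (typically the TLS handshake or socket error behind "could not be established").
            for (Exception e = ex; e != null; e = e.InnerException)
                _logger.LogError("Back-channel call to {Uri} failed: {Type}: {Message}",
                    request.RequestUri, e.GetType().FullName, e.Message);
            throw;
        }
    }
}

public static class AuthRegistration
{
    // Registration from the issue, with the diagnostics handler plugged into the JWT back-channel
    // (authority/apiName/apiSecret stand in for the issue's authSettings values; assumed names).
    public static void Configure(IServiceCollection services, ILoggerFactory loggerFactory, string authority, string apiName, string apiSecret)
    {
        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = authority;
                options.ApiName = apiName;
                options.ApiSecret = apiSecret;
                options.RequireHttpsMetadata = true;
                options.JwtBackChannelHandler = new BackChannelDiagnosticsHandler(
                    loggerFactory.CreateLogger<BackChannelDiagnosticsHandler>(), new HttpClientHandler());
            });
    }
}
```

The logged chain is what distinguishes an expired or untrusted certificate from a transient socket or proxy failure, which matters for an intermittent error like this one.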

stefan-buys commented 4 years ago

Closing this as the issue is clearly on my side; however, it would be great if the inner exception were bubbled up!