search

IdentityServer / IdentityServer4.AccessTokenValidation

IdentityServer Access Token Validation for ASP.NET Core
Apache License 2.0
544 stars 214 forks source link

IDX10803 and IDX10804 Unable to obtain configuration from: 'https://localhost/.well-known/openid-configuration' #55

Closed VladiGGeorgiev closed 7 years ago

VladiGGeorgiev commented 7 years ago

Issue

I am using Identity Server 4 with ASP.NET Core, self-signed certificate generated from IIS 10. I am using different certificates for https and for identity. I am using resource owner password grant. The Identity Server is in the same project with the application. I am trying to access the authorized action throw the angular 2 application. I can successfully get an access token and refresh token, but when I try to make a request to authorized endpoint, there is an error. I can view the metadata from my browser.

services.AddIdentityServer()
    .AddSigningCredential(new X509Certificate2(...))
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddResourceOwnerValidator<ResourceOwnerValidator>()
    .AddProfileService<ProfileService>()
    .AddCustomTokenRequestValidator<CustomTokenRequestValidator>();

I am using IdentityServerAuthentication from IdentityServer4.AccessTokenValidation:

var identityServerOptions = new IdentityServerAuthenticationOptions
{
     Authority = "https://localhost/",
     ApiName = "api1",
     RequireHttpsMetadata = true,
     AllowedScopes = new string[] { "api1", "offline_access" },
};
app.UseIdentityServerAuthentication(identityServerOptions);

Exception:

-       exception   {System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'https://localhost/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'https://localhost/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.Http.WinHttpException: A security error occurred
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.WinHttpHandler.<StartRequest>d__105.MoveNext()
   --- End of inner exception stack trace ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Net.Http.HttpClient.<FinishSendAsync>d__58.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__8.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.<GetDocumentAsync>d__8.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.<GetAsync>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__24.MoveNext()
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.<GetConfigurationAsync>d__24.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.<HandleAuthenticateAsync>d__1.MoveNext()}  System.Exception {System.InvalidOperationException}

Package versions

<PackageReference Include="IdentityServer4" Version="1.4.0" />
<PackageReference Include="IdentityServer4.AccessTokenValidation" Version="1.1.0" />
<PackageReference Include="Microsoft.AspNet.Tooling.Razor" Version="1.0.0-rc1-final" />
<PackageReference Include="Microsoft.AspNetCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Owin" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.StaticFiles" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.FileProviders.Embedded" Version="1.1.0" />
<PackageReference Include="Microsoft.AspNetCore.Routing" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Logging" Version="1.1.1" />
<PackageReference Include="Serilog.Extensions.Logging.File" Version="1.0.1-dev-00008" />
<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.1.2" />
<PackageReference Include="Microsoft.AspNetCore.Server.IISIntegration" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Server.Kestrel" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.FileExtensions" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Logging.Console" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Logging.Debug" Version="1.1.1" />
<PackageReference Include="Microsoft.Extensions.Options.ConfigurationExtensions" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer.Design" Version="1.1.1" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="1.1.0" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="1.1.1" />
<PackageReference Include="Microsoft.AspNetCore.SpaServices" Version="1.1.0" />
<PackageReference Include="Microsoft.NETCore.App" Version="1.1.1" />

Solutions I tried:

leastprivilege commented 7 years ago

That's an HTTPS issue.

Can you browse to the disco doc in the browser without a warning?

VladiGGeorgiev commented 7 years ago

I can browse the discovery document in the browser without any warning. I suppose as a disco doc you mention the discovery document: https://localhost/.well-known/openid-configuration

leastprivilege commented 7 years ago

Which account is running the web app?

VladiGGeorgiev commented 7 years ago

Good question! Thank you very much @leastprivilege! I was using the built-in ApplicationPoolIdentity. I've changed it to administrator (local account) and it works. That leads me to some questions: Is there anything in the code that uses file system or something from the system? What permissions should have the account running the web app? I looked DiscoveryResponseGenerator and ResourceStores and I didn't find anything on the surface of them.

leastprivilege commented 7 years ago

I guess the cert you use is not trusted from the point of the app pool account.

You said you use "localhost" - is that in the trusted cert store for the whole machine?

brockallen commented 7 years ago

Looks like you're all set. Closing.

VladiGGeorgiev commented 7 years ago

@brockallen I resolve my issues. You can close the issue.

activebiz commented 7 years ago

How was this solved? I am having same issue.

jinder commented 7 years ago

@VGGeorgiev how did you resolve this? I'm also getting the same issue after upgrading IdentityServer to a more recent nuget package. Was originally using a self-signed SSL cert for IIS Express without problem.

activebiz commented 7 years ago

Could someone please post how this was fixed. I am about to pull all my hair out :)

VladiGGeorgiev commented 7 years ago

@jinder @activebiz I've changed the account running the application pool to administrator account. There are assumptions in the comments above why the problem happens. You can dive deeply if you want to understand it.

jinder commented 7 years ago

@VGGeorgiev ah. Are you not concerned about the security implications?

VladiGGeorgiev commented 7 years ago

@jinder I am concerned. I was trying to find out what permissions should have the account running the Identity Server app. Do you know that?

jinder commented 7 years ago

@VGGeorgiev The lowest possible permissions to be able to serve your web requests. Absolutely never run it as Administrator as any exploit leveraged against your web server will then have access to just about anything on your machine and/or network.

jinder commented 7 years ago

@VGGeorgiev To add, if that fixed it to for you, it suggests that the SSL certificate is valid for your user. I wonder if you've installed the SSL cert for the current user only, rather than the local machine (I would guess so). I think my issue might be different.

VladiGGeorgiev commented 7 years ago

@jinder you are right. Do you know how to solve it without giving admin permissions? Is there some specific permission needed by Identity Server or should we add in trusted cert store... What do you suggest?

jinder commented 7 years ago

Install the certificate as a root authority using certmgr for your local machine. If it's a self-signed certificate, you should understand the implications of this and ensure your certificates are secured.

activebiz commented 7 years ago

Thanks @jinder . In case anyone need this to do on Azure App Service .. https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal

The self-signed certificate is only for dev/testing environment

itanev commented 7 years ago

Hi,

Is there a way to resolve this using IISExpress? I am getting IDX10803: Unable to obtain configuration from: 'https://localhost/.well-known/openid-configuration' in the VS Output every time I try to access an Action that requires Authorization.

I am using a specific certificate for the signing credentials, but I don't have the option to change the ApplicationPoolIdentity account in IISExpress, also I don't think this should be necessary as, from my understanding, IISExpress runs its ApplicationPoolIdentity under current windows account and mine is the administrator for my machine.

Also, I tried to add the certificate for the signing credentials in the trusted root store from the cert manager. It doesn't seem to fix the issue.

If I use TemporarySigningCredentials I still get the same error.

I tried to access the https://localhost/.well-known/openid-configuration through the browser and it loads fine.

Does anyone have an idea what the problem might be?

jinder commented 7 years ago

@itanev You need to add netsh SSL bindings for the correct port, as well as installing the certificate. Read the steps here: http://wp.sjkp.dk/custom-domains-and-ssl-bindings-with-iis-express/

If you're running the netsh commands in PowerShell, you'll need to do them as separate steps.

itanev commented 7 years ago

Thanks for your response @jinder!

Actually, I don have makecrt for some reason, so I am generating my certificates under Local IIS and I am using again Local IIS to bind the generated self-signed certificate to a specific port and then I am using this port in my applicationhost.config bindings.

I am not sure if this is different from what is described in the article, is it? But I can confirm that it does not solve the issue, at least using the Local IIS self-signed certificate.

However, I managed to patch things up by setting the identity server authority and issuerUri to http. I need this for local testing only for now. At a latter point, I will need to run it under https in production. I will test it with verified certificate at a later point.

Farshidgolkarihagh commented 7 years ago

Hi, I had this issue for over a week and this is how I resolved it:

The problem I had was the fact that I was using the "IIS Express Development Certificate" and for some odd reason it wasn't a trusted certificate on my dev machine hence it was only broken on this particular environment. To fix it, export the IIS Express Development Certificate and import it back in to the "Trusted Root Certification Authorities"->"Certificate".

chchmatt commented 7 years ago

I found the solution to a one line fix: Set options.Configuration:

   services
                .AddAuthentication(options => options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    options.Configuration = new OpenIdConnectConfiguration();  // <----- ADD THIS!
                    ....
                }
alebrozzoSP commented 7 years ago

what @chchmatt posted worked for me, no idea why (nor what I am doing actually)

czioutas commented 7 years ago

@chchmatt should that be removed during production?

chchmatt commented 7 years ago

It works fine in production @drakoumel

Without that line options.Configuration is null - you'll get the error back.

ferreirocm commented 7 years ago

Hi guys, I had the same issue for a long time, and I was able to solved it by creating a certificate with a CN=localhost (or the domain where the IDServer is hosted) and using it to deploy the IDServer. After doing that, I was able to removed the static config I was using since then, thanks to @VGGeorgiev.