IdentityServer / IdentityServer4

OpenID Connect and OAuth 2.0 Framework for ASP.NET Core
https://identityserver.io
Apache License 2.0

IDX20804: Unable to retrieve document from: '[PII is hidden]' #2337

Closed roeb closed 6 years ago

roeb commented 6 years ago

Hi,

I have a problem with IdentityServer4 and my API running as an Azure container instance. My IdentityServer4 and the secured API run locally in a Docker container without problems.

As soon as I run the Docker Container as an Azure Container instance I get the following error. Authentication works without problems (Login). But as soon as I call my Web API with a valid Bearer Token I get the following error.

Runtime: .NET Core 2.1-rc1 IdentityServer4-2.2.0

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIIndexMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext)

As I said, locally in Docker it works without any problems. Has anyone ever had this problem or does anyone know a solution?

Regards & Thanks, Robert

tiwari-abhishek commented 6 years ago

Which flow are you using? Is authentication local or with Azure AD?

roeb commented 6 years ago

I'm using only local auth with username and password. The authentication of the user with login/password works fine. The issue comes later, when the API tries to validate the token against the IdentityServer.

scottbrady91 commented 6 years ago

This error is caused by your API being unable to load the OpenID Discovery Document (/.well-known/openid-configuration).

brockallen commented 6 years ago

All set on this issue -- can we close?

ghost commented 6 years ago

No. You can't close it. I have the exact same issue in the exact same scenario, except I'm not using a Docker Container. Application works just great on a dev server running the Azure simulator, but fails when published.

You say the error is caused by the API not being able to load an OpenID Discovery document, like I'm supposed to understand what that is or how to fix it. Please provide some more detail.

ghost commented 6 years ago

If I dig a little further into the Exception information that's returned to the client, I get this as the root cause:

Could not load type 'System.FormattableString' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'.

roeb commented 6 years ago

Here, too, the problem still exists. In the local Docker environment everything is fine. Once it runs in Azure Container Instances there is the problem. I wanted to try it today in AKS and see how it behaves there. Unfortunately I have no starting point for a solution. The configuration endpoint of the IdentityServer is publicly available. I can only imagine that Azure Container Instances does not allow routes that contain a dot 🤔

skartknet commented 6 years ago

Same issue here :( Has anyone found a solution? It looks like the endpoint using the Identity Server Authentication doesn't find the configuration. Any workarounds?

ghost commented 6 years ago

Same problem here without any Docker or Azure. I get this error with IdSrv4 using a secured Web API to retrieve its configuration data from the database during introspection. At first I thought it was a blocking issue due to using async methods inside the API and inside the resource store implementation. After removing all async code to determine if that was the problem, I now find in my log files the error message in the title of this issue. I am using IdentityServerTools to get an access token for accessing the API. I had no trouble implementing the IClientStore and IUserProfile interfaces using calls to the API. One thing I have found in debugging this over the past couple of days is that the IResourceStore implementation gets hammered during introspection in this scenario - sounds like some caching is needed. Using IdSrv4 2.3.0 and ASP.NET Core 2.1.300.

Full error message and code location:

InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'
   Microsoft.IdentityModel.Protocols.ConfigurationManager<>.GetConfigurationAsync(CancellationToken cancel) in "C:\agent2_work\15\s\src\Microsoft.IdentityModel.Protocols\Configuration\ConfigurationManager.cs", line 211

MeatDuckXp commented 6 years ago

Same here. I was working through the quickstarts sections, was about to test the MVC Client and I got the same error.

InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
   Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
   Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
   Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
   Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
   Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
   Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeResultAsync(IActionResult result)
   Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAlwaysRunResultFilters()
   Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
   Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
   Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
   Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
   Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

kieronlanning commented 6 years ago

I've got this exact issue running in Docker in Azure too (Azure App Services - Linux Containers).

I've disabled the PII masking, so I can see exactly what the URL is. What's interesting here is that the URL it says it's 'Unable to obtain configuration from', when copied into a browser, works just fine.

scottbrady91 commented 6 years ago

It's a routing issue. Otherwise, the other likely culprit is an https requirement.

kieronlanning commented 6 years ago

I've just noticed that when running in Docker the responses from the .well-known/openid-configuration endpoint are all http, but the entire app is set up to be https.

I've no idea how to turn that on.

forlayo commented 5 years ago

Are you setting the Authority as a raw domain without https? Then that's the issue; change it and it's going to work.

Not sure why but this was the issue for me.

tparikka commented 5 years ago

Same as @forlayo here. In the Startup.cs of my ASP.NET Core 2.1 client application I was configured to use HTTP to reach the authority but in the Debug properties of my IdentityServer project I was set to use HTTPS. Updating the authority to HTTPS resolved the issue.

nguyenhongphu commented 5 years ago

In my case, I was debugging on my local computer and needed to open the local ports, e.g., 5100-5105, to the IdentityServer. Then it worked well!

VictorUUsoro commented 5 years ago

I'm having the same issue here trying to debug on my local machine; is there any solution to this yet? @tparikka the scheme on mine is already HTTPS yet it's not working.

IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

tparikka commented 5 years ago

@victorud In the project settings for my STS I was set to host on HTTPS, but in Startup.cs of the client application my Authority was set to http://localhost:5050 instead of https://localhost:5050. It's part of the ConfigureServices method:

    services.AddAuthentication("Bearer")
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = "https://localhost:50500";
            options.RequireHttpsMetadata = false;

            options.ApiName = "api1";
        });

Jebarson commented 5 years ago

Use login.microsoftonline.com for the Instance in appsettings.json:

"Instance" : "https://login.microsoftonline.com/"

VictorUUsoro commented 5 years ago

I later realised it had to do with the route. The issue has been resolved.

josepoma commented 5 years ago

@victorud How was it solved?

Jebarson commented 5 years ago

@josepoma Doesn't changing your Instance as I mentioned above work for you?

vjarora commented 5 years ago

I am facing the same issue. The environment is deployed in IIS as 3 different sites:
- Angular App
- IdentityServer4
- WebAPI (ASP.NET Core 2.1)

It works fine on localhost and on the intranet, but when I expose it to the Internet it gives the following issue.

{ "Code": 123, "HttpCode": 500, "Message": "Error", "Description": "IDX20803: Unable to obtain configuration from: 'https://[publicIP]/.well-known/openid-configuration'.

inner exception : System.IO.IOException: IDX20804: Unable to retrieve document from: 'https://[publicIP]/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Net.Http.ConnectHelper.ConnectAsync(String host, Int32 port, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.CreateConnectionAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.WaitForCreatedConnectionAsync(ValueTask`1 creationTask)
   at System.Threading.Tasks.ValueTask`1.get_Result()
   at System.Net.Http.HttpConnectionPool.SendWithRetryAsync(HttpRequestMessage request, Boolean doRequestAuth, CancellationToken cancellationToken)
   at System.Net.Http.RedirectHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
   at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)

stack trace :
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.Invoke(HttpContext context)
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIIndexMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.Invoke(HttpContext context)" }

manuelpandom commented 5 years ago

I was getting the same error when configuring an MVC web app to use OpenID Connect authentication against Identity Server v3.

I solved this by setting the property "MetadataAddress" to the openid configuration, something like:

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        MetadataAddress = "http[s]://{IdentityServer_IP}:{PORT}/.well-known/openid-configuration"
        ...
    });

Hope this helps somebody.

laball commented 5 years ago

I got the error info too.

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'. ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII is hidden]'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).
   at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
      An unhandled exception has occurred while executing the request.

It took me 3 days to solve. Here is what I did.

  1. Set up IdentityServer4 authentication in the web app:

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(options =>
        {
            options.Authority = Configuration[AppConfigConsts.AuthorizationSection];
            options.RequireHttpsMetadata = false;
            options.ApiName = AppConfigConsts.DefaultApiName;
        });

  2. Configure nginx:

    location /connect {
        proxy_pass http://ip:port;
    }

    location /.well-known {
        proxy_pass http://ip:port;
    }

You should not use an upstream; use the IP and port directly.

Hope this helps somebody.

D252874 commented 5 years ago

I changed it from http to https and now I have the issue that I can't start my IIS server anymore; the error that I have is "can't connect to IIS server".

I found it online and it was fixed, but adding https to all of them didn't work for me.

DonaldRecord commented 5 years ago

Just throwing this out there for anyone else who has been using ID4 successfully and then runs into this issue. I was connected to my NordVPN when I got it. Disconnected from the VPN, restarted ID4, went back to working fine.

VictorUUsoro commented 5 years ago

@victorud How was it solved?

the route was not correct

AKlaus commented 5 years ago

My 2¢. Started having the same problem from time to time in 1 out of 4 environments I have (all Windows VMs). The only related change I made is upgrading identityServer4.AccessTokenValidation from v2.4 to v2.7 and .NET Core from v2.1 to v2.2.

My exception:

IDX20803: Unable to obtain configuration from: '[PII is hidden]'.

System.InvalidOperationException:
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1+<GetConfigurationAsync>d__24.MoveNext (Microsoft.IdentityModel.Protocols, Version=5.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler+<HandleAuthenticateAsync>d__6.MoveNext (Microsoft.AspNetCore.Authentication.JwtBearer, Version=2.2.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60)

Versions:

mattsmall1972 commented 5 years ago

I ran into this same issue when running a customer's application with the authorization information removed, so I needed to replace it with my own. I am not using IdentityServer, but I am thinking my experience might help:

1) In order to see the location that it was using for the document and get past the PII message, I put this in my code to disable the PII message:

IdentityModelEventSource.ShowPII = true;

I found this by following the link which was in the exception message: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/PII

Once I used this property, I could see the location where it was looking to find the OpenID Discovery Document.

2) As Scott Brady says above, there is an OpenID Discovery Document (/.well-known/openid-configuration) that must exist somewhere for your authorization provider. I am a Microsoft Employee using AAD and found this:

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#fetch-the-openid-connect-metadata-document

I used the value https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration for the location of the document and got past the issue.

I think that for anyone seeing a value of "https::/localhost...", then you must find the proper value of your document and configure your application to use that.

If it starts failing when uploaded to a remote server, it may be helpful to determine if that server can reach the document url without issue. Remove all of the code and run a simple http request from your server to the endpoint to determine if that's the problem.

If this does not help with this problem on this project, please feel free to delete this message.
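
The reachability check suggested in step 2 above, as an added example that is not code from this thread or from IdentityServer4: a small Python script that builds the metadata address the JWT bearer middleware derives from Authority, fetches it from the API's own host (or takes a saved response), and reports the misconfigurations this thread keeps hitting: a non-https address with RequireHttpsMetadata left on, a 404/HTML page instead of JSON (wrong route or proxy), and an advertised issuer whose scheme differs from the Authority (forwarded headers not applied). The sample document and the localhost addresses are constructed.

```python
"""Discovery-document check for the IDX20803/IDX20804 failures in this thread.
Added example, not IdentityServer4 code. SAMPLE_DOCUMENT is constructed."""
import json
from urllib.parse import urlsplit
from urllib.request import urlopen
from urllib.error import HTTPError, URLError

DISCOVERY_PATH = "/.well-known/openid-configuration"

# Constructed sample: what an IdentityServer behind a TLS-terminating proxy
# advertises when forwarded headers are not honoured (issuer and endpoints
# are plain http although clients reach the server over https).
SAMPLE_DOCUMENT = json.dumps({
    "issuer": "http://localhost:5050",
    "jwks_uri": "http://localhost:5050/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "http://localhost:5050/connect/authorize",
    "token_endpoint": "http://localhost:5050/connect/token",
})


def metadata_address(authority: str) -> str:
    """The address the JWT bearer middleware fetches when MetadataAddress is
    not set: Authority plus the well-known path (trailing slash tolerated)."""
    return authority.rstrip("/") + DISCOVERY_PATH


def check_discovery(authority, document, require_https_metadata=True):
    """Return a list of findings; an empty list means the document is usable.

    The checks mirror the three failure modes reported in the thread:
    - RequireHttpsMetadata (default true) rejects a non-https address;
    - a 404 or proxy error page is not JSON (route/proxy problem);
    - the advertised issuer must match Authority (scheme, host and port),
      otherwise the scheme is being rewritten somewhere between the two.
    """
    findings = []
    address = metadata_address(authority)
    if require_https_metadata and urlsplit(address).scheme != "https":
        findings.append(f"metadata address {address} is not https; use an "
                        "https Authority or set RequireHttpsMetadata = false "
                        "for local development only")
    try:
        doc = json.loads(document)
    except json.JSONDecodeError:
        findings.append("response is not JSON; check that the route to "
                        f"{DISCOVERY_PATH} reaches IdentityServer")
        return findings
    for key in ("issuer", "jwks_uri"):
        if key not in doc:
            findings.append(f"discovery document lacks '{key}'")
    issuer = doc.get("issuer")
    if issuer is not None and issuer.rstrip("/") != authority.rstrip("/"):
        findings.append(f"issuer '{issuer}' differs from Authority "
                        f"'{authority}'; the API validates 'iss' against "
                        "the advertised value, so a scheme mismatch usually "
                        "means forwarded headers (X-Forwarded-Proto) are not "
                        "applied at the proxy")
    return findings


def fetch_and_check(authority, require_https_metadata=True, timeout=10.0):
    """Live variant: issue the same GET the API would, from the same host,
    so firewall, routing and DNS problems surface here rather than in the
    middleware's masked exception."""
    address = metadata_address(authority)
    try:
        with urlopen(address, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except HTTPError as exc:      # e.g. 404: /.well-known route not proxied
        return [f"HTTP {exc.code} from {address}"]
    except URLError as exc:       # e.g. timeout: host or port unreachable
        return [f"cannot reach {address}: {exc.reason}"]
    return check_discovery(authority, body, require_https_metadata)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:5050"
    print("\n".join(fetch_and_check(target) or ["discovery document OK"]))
```

Run it on the API host with the exact Authority string from Startup.cs; a finding from the live call is the same failure the middleware reports, but with the address visible and without needing ShowPII.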

liminany commented 5 years ago

I also have this issue (only when HTTPS is enabled). My solution is (ASP.NET Core 2.2, deployed to Azure App Service):

IdentityModelEventSource.ShowPII = true;

options.RequireHttpsMetadata = true;


services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedFor |
        ForwardedHeaders.XForwardedProto;
    // Only loopback proxies are allowed by default.
    // Clear that restriction because forwarders are enabled by explicit
    // configuration.
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

app.UseForwardedHeaders();

Invoke the URL to check the advertised URLs:

https://[host-url]/.well-known/openid-configuration

Ref: https://docs.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-2.2#scenarios-and-use-cases

https://github.com/IdentityServer/IdentityServer4/issues/2672 https://github.com/IdentityServer/IdentityServer4/issues/1331 https://github.com/IdentityModel/oidc-client-js/issues/901

garyfawcett commented 5 years ago

I was also getting this error while using Azure B2C and fixed it by correctly setting the Authority in the JWT options, in the startup class ConfigureServices method:

services.AddAuthentication(options =>
{
    options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(jwtOptions =>
{
    //jwtOptions.Authority = "https://login.microsoftonline.com/{myb2ctenant}.onmicrosoft.com/v2.0";
    //I then tweaked it to:
    jwtOptions.Authority = $"https://{myb2ctenant}.b2clogin.com/{Configuration["AzureAdB2C:Tenant"]}/{Configuration["AzureAdB2C:Policy"]}/v2.0";

    jwtOptions.Audience = Configuration["AzureAdB2C:ClientId"];
    jwtOptions.Events = new JwtBearerEvents
    {
        //OnAuthenticationFailed = AuthenticationFailed,
    };
});

Where {myb2ctenant} is your Azure B2C tenant.

tisquip commented 5 years ago

Well, I think for me the reason was that I had pending database migration. After trying all sorts of things to no avail, I just updated my database, then it worked (I just really don't know, maybe something else happened, but when I updated, all I know is that the error message went away)

ana-sher commented 5 years ago

Same issue

jayeshdshah commented 4 years ago

Thank you for saving my day... I have a stack of Angular 8 + IdentityServer4 + MVC Core Web API 3.0 on Windows 10. As per your suggestion I made the change below and it worked like a charm...

services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "http://localhost:4242";
        options.Audience = "my-coreapi";
        options.RequireHttpsMetadata = false;
        options.MetadataAddress = "http://localhost:4242/.well-known/openid-configuration";
    });

robnelder commented 4 years ago

I just had this issue while using IdentityServer4 v2.3.0 running locally with an ASP.NET MVC5 client also running locally. The client connects to the production IdentityServer fine but not the localhost.

I think there is a conflict between the expected TLS protocol being used by the client and IdSvr. I didn't get to the bottom of it but worked around (hacked around) it by adding the following to the MVC client's Application_Start() in Global.asax.cs:

#if DEBUG
    ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
#endif

pinyo-rungoral commented 4 years ago

In my case the error was about the "JwtBearerOptions.Authority" property being incorrect, because when developing I use https but when deploying to IIS I use the http protocol.

lock[bot] commented 4 years ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.