IDX20803: Unable to obtain configuration #2623
Comments
Should have searched properly first. Similar issue here. Yet the solution posted by the author is not that clear to me. |
If that's the component that's causing the above error, then it's more of a question for Microsoft, not IdentityServer. |
This issue seems to be related to docker containers and not directly to IdentityServer. |
We are seeing this exception in production at this very moment. Docker is not involved. |
Hi, But if I hit : http://localhost:8082/.well-known/openid-configuration on the browser, it works fine |
I have the same problem. Any solution ? I insert that url into browser and it also works. This is strange because I thought that container can not see the configuration, but it can (checked with curl). It also works when running from Visual Studio on localhost. It just does not work in docker containers, don't know why. Any ideas ? |
is there any solution so far ? i got the same issue |
I had same issue System.IO.IOException: IDX20804 (Unable to retrieve document from: 'http://localhost:/identity/.well-known/openid-configuration) TLDR: what @brockallen mentioned I suppose repeatedly turned out to be true - it wasn't Identityserver related issue but a docker and to be specific container communication. @brockallen - though it's resolved with IssuerUrL at least for local env, curious to how this would work out given we have real services running in kube cluster (aws) behind nginx. Context: identity service is docker container and client api in another local machine and for both local ports mapped to host machine. as many mentioned, could reach respective endpoints from host browser of both services w/o issues including well-known endpoint The Issue: client api running inside the container would result into IDX20804 (socket error) and IDX20803 when required to reach ids4 well-know. This is because docker compose maps container's localhost: to env host port hence reachable but NOT inside container and thereby no way to reach out to id4 disc endpoint. I could validate by ssh into the running container and curl failed to well-known URL. The workaround: after multiple options, finally exposed name (domain)based simple URL (http://identityservice) with IssuerUrl property and in client api, ensure same URL for Authority. just to make sure no cert issues, disable Https in options. so at runtime whenever needed by jwt token endpoint was accessible because both containers spun with same compose config indirectly in same default network was a pleasing surprise to seeing working w/o additional complexity of docker network many suggested. Hope this helps folks as context (docker host) was key in searching for solution and workaround Cheers! |
Hi, @anilraut30 ,@Activesite, @brockallen |
@logcorner I changed IdentityServerUrl to http://10.0.75.1:8080. I still get the error but get 403 Forbidden as well |
@anilraut30 Could you please post canonical sample peaces of code for config, controller & api related code? This headache is months. I spent too much time for this... Need help. |
This worked for me. Thanks! |
I've run into this outside of Docker containers -- I believe it has something to do with application pool recycling. Issue My application uses both (Probable) Cause The Potential Fix
I'd recommend watching resource consumption on the Application Pool in case the lack of recycling causes a memory leak somewhere. I have already applied the first two changes to our IIS app, but still (though less-frequently) encountered the Task Cancelled exception. The default recycling interval was previously set to 1740 minutes, or every 29 hours. Will report back if this fixes my issue long-term. Hopefully this helps someone in the short-run. Proposed Long-term Fix Will report this to MSFT to see if they'll add a metadata loading delay to |
For anyone reading this trying to use integration tests via the I don't know a good fix yet since by the time you have a working client and test server you are long past being able to configure your server. Here is where all the pain begins: https://github.com/aspnet/AspNetCore/blob/master/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L88 If you follow your way through you get here eventually: EDIT: If the Googlers find this, I ended up going with this approach: var keyFile = File.ReadAllText("./tempkey.rsa");
var tempKey = JsonConvert.DeserializeObject<TemporaryRsaKey>(keyFile, new JsonSerializerSettings { ContractResolver = new RsaKeyContractResolver() });
var tokenValidationParams = new TokenValidationParameters()
{
ValidIssuer = "http://localhost",
IssuerSigningKey = IdentityServerBuilderExtensionsCrypto.CreateRsaSecurityKey(tempKey.Parameters, tempKey.KeyId),
ValidAudience = IntegrationTestConstants.IntegrationTestProtectedResourceName,
ValidateLifetime = true
};
services
// Set the new default to Integration for testing.
.AddAuthentication(IntegrationTestConstants.IntegrationTestDefaultAuthenticationScheme)
// Register a new handler for Integration
.AddJwtBearer(IntegrationTestConstants.IntegrationTestDefaultAuthenticationScheme, "Integration Testing Auth Scheme", options =>
{
options.TokenValidationParameters = tokenValidationParams;
}); In the end, this circumvents Happy coding. |
I meet the same Issues, I publish the program to server windowserver 2012. and use idsrv3test.pfx
|
This method GetHandler() plus RequireHttpsMetadata = true; did a trick for me thank you |
Hi All, I am using Azure AD Claim based Authentication in my ASP.Net MVC project. Application was running fine for 6 months suddenly intermittently it started throwing below error I put logs in my application and found that when request gets invalidated, then system tries to **Authentication.Challenge for redirection ** (Code Snippet below) to external AD login page, but login page never comes up. When I restart the IIS, it again starts working then same process after 3-4 hours same error start and it stops application for all users. I have been fighting with this error from nearly a month. Please provide any help **var properties = new AuthenticationProperties { RedirectUri = ApplicationRedirectUri };
Inner Exception |
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Issue / Steps to reproduce the problem
Used https://github.com/dotnet-architecture/eShopOnContainers as base, then enabled https redirect and have visual studio auto add https developer certificates.
Testing the location controller in swagger led to the following exception. When I manually navigate to https://localhost:44100/.well-known/openid-configuration in my browser, everything is working fine.
Seems like JwtBearer has some problems with HTTPS.
Relevant parts of the log file
The text was updated successfully, but these errors were encountered: