IOException: IDX10804: Unable to retrieve document from: http://localhost:5105/administration/.well-known/openid-configuration #228

Closed
lurumad opened this Issue Feb 13, 2018 · 10 comments


lurumad commented Feb 13, 2018

Hi folks,

We are playing with Ocelot, and we have found a strange behavior with the administration area. I'll try to explain as best I can:

With a basic configuration like this:

        public static void Main(string[] args)
        {
            IWebHostBuilder builder = new WebHostBuilder();
            builder.ConfigureServices(s => {
                s.AddSingleton(builder);
            });
            builder
                .UseUrls("http://localhost:5000")
                .UseKestrel()
                .UseContentRoot(Directory.GetCurrentDirectory())
                .ConfigureAppConfiguration((hostingContext, config) =>
                {
                    config.SetBasePath(hostingContext.HostingEnvironment.ContentRootPath);
                    var env = hostingContext.HostingEnvironment;
                    config.AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
                        .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true, reloadOnChange: true);
                    config.AddJsonFile("configuration.json");
                    config.AddEnvironmentVariables();
                })
                .ConfigureLogging((hostingContext, logging) =>
                {
                    logging.AddConfiguration(hostingContext.Configuration.GetSection("Logging"));
                    logging.AddConsole();
                })
                .UseIISIntegration()
                .UseStartup<Startup>();
            var host = builder.Build();
            host.Run();
        }

And Startup:

    public class Startup
    {
        public IConfiguration Configuration { get; }

        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            services
                .AddOcelot(Configuration)
                .AddAdministration("/administration", "secret");
        }

        public void Configure(IApplicationBuilder app)
        {
            app
                .UseDeveloperExceptionPage()
                .UseOcelot().Wait();
        }
    }

When we run the web application from IISExpress we always receive the same error:

InvalidOperationException: IDX10803: Unable to obtain configuration from: http://localhost:29706/administration/.well-known/openid-configuration

If we run the application with Kestrel, it works fine.

Looking into the code, I've found this class:

ocelot

The application under IISExpress is running on localhost:5000, but baseSchemeUrlAndPort, which is retrieved from _webHostBuilder.GetSetting(WebHostDefaults.ServerUrlsKey), points to a different URL, and this URL is used to configure the authority in Identity Server.

If we publish this application in Azure Web App we receive the same error.

What am I missing? Does someone have the same problem?

Regards!

Member

TomPallister commented Feb 13, 2018

@lurumad thank you for your interest in the project.

This is happening because the IdentityServer middleware I use to authenticate the administration API requires the address that Ocelot is running on.

The code is in OcelotBuilder

    _services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(o =>
        {
            o.Authority = baseSchemeUrlAndPort + adminPath.Path;
            o.ApiName = identityServerConfiguration.ApiName;
            o.RequireHttpsMetadata = identityServerConfiguration.RequireHttps;
            o.SupportedTokens = SupportedTokens.Both;
            o.ApiSecret = identityServerConfiguration.ApiSecret;
        });

Have you tried

.UseUrls("http://localhost:29706")

When using IIS Express or the Azure Web App's address?

I might need to change how this works because I haven't had anyone with a problem so far! However I have always known it's a bit crappy. Maybe just a setting in the configuration that tells Ocelot what the URL will be would be OK.

Let me know if my proposed workaround helps you or if you think it should be changed.

lurumad commented Feb 13, 2018

Hi @TomPallister

.UseUrls("http://localhost:29706")

only applies to Kestrel or WebListener, but not to IISExpress or IIS

lurumad commented Feb 13, 2018

Hi @TomPallister

I think that the best approach is to give the developer some mechanism to plug in your Identity Server configuration, because in my case I have my own Identity Server.

Regards!

Member

TomPallister commented Feb 13, 2018

@lurumad mmmmmmm Ocelot lets you plug into your own IdentityServer for authenticating ReRoutes but not the administration area. This is an interesting suggestion and would improve Ocelot. At the moment it just uses it internally for the admin area with client credential workflow.

lurumad commented Feb 13, 2018

Hi @TomPallister

Yeah!!! It would be awesome for the same identity server to work with administration too.

Another approach is to use something like what Hangfire uses in its dashboard:

http://docs.hangfire.io/en/latest/configuration/using-dashboard.html#configuring-authorization

Regards!

Member

TomPallister commented Feb 13, 2018

@lurumad I will take a look at this when I have time but it will take me a little while. I might just make it so you can use your own identity server tbh, that would be easier for me at the moment as I have loads of features to implement!

Member

TomPallister commented Feb 14, 2018

@lurumad OK I've quickly got something together that lets you use your own IdentityServer with the admin area.

Now you will do something like

    public virtual void ConfigureServices(IServiceCollection services)
    {
        Action<IdentityServerAuthenticationOptions> options = o => {
            // o.Authority = ;
            // o.ApiName = ;
            // etc....
        };

        services
            .AddOcelot()
            .AddAdministration("/administration", options);
    }

Of course you can handle adding the IdentityServerAuthenticationOptions with whatever style you want!

Another change is that you now have to specify the url Ocelot will be running under as a configuration setting. We no longer have to register the builder which I have always felt was a bit hacky. I think this will work OK for everyone because it can always be passed in as a command line argument. If you do not specify this Ocelot will just assume http://localhost:5000 which is of course Kestrel default.

In the example below Ocelot will assume its address is http://mywebapp.azurewebsites.net which is used for some headers find and replace transformation logic (may not be relevant to you). If you do not specify the IdentityServer stuff above it will also be used by the default/internal IdentityServer authentication middleware.

    .ConfigureAppConfiguration((hostingContext, config) =>
    {
        config
            .SetBasePath(hostingContext.HostingEnvironment.ContentRootPath)
            .AddJsonFile("appsettings.json", true, true)
            .AddJsonFile($"appsettings.{hostingContext.HostingEnvironment.EnvironmentName}.json", true, true)
            .AddJsonFile("configuration.json")
            .AddEnvironmentVariables()
            .AddOcelotBaseUrl("http://mywebapp.azurewebsites.net");
    })

Hope this makes sense and will work for you!
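
A startup check for the failure discussed in this thread, as an added example that is not part of the issue or of Ocelot's code: it fetches the discovery document from the configured authority and verifies that the issuer agrees with it, so a wrong base URL is reported before the first admin request. The class and method names are hypothetical, and it assumes .NET Core 3.0 or later for System.Text.Json.

```csharp
// Added example (not Ocelot code): fail fast when the admin Authority is wrong.
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

public static class AuthorityCheck // hypothetical helper name
{
    // Returns null when the discovery document agrees with the authority, else the problem.
    public static string Validate(string authority, string discoveryJson, bool requireHttps)
    {
        if (!Uri.TryCreate(authority, UriKind.Absolute, out var uri))
            return "authority is not an absolute URL";
        if (requireHttps && uri.Scheme != Uri.UriSchemeHttps)
            return "authority must use https when RequireHttpsMetadata is true";
        using var doc = JsonDocument.Parse(discoveryJson);
        if (doc.RootElement.ValueKind != JsonValueKind.Object
            || !doc.RootElement.TryGetProperty("issuer", out var issuer)
            || issuer.ValueKind != JsonValueKind.String)
            return "discovery document has no issuer string";

        // OpenID Connect Discovery requires the issuer to match the URL it was fetched from.
        var expected = authority.TrimEnd('/');
        var actual = issuer.GetString().TrimEnd('/');
        return string.Equals(expected, actual, StringComparison.OrdinalIgnoreCase)
            ? null
            : $"issuer '{actual}' does not match authority '{expected}'";
    }

    // Fetches {authority}/.well-known/openid-configuration, the path in the IDX10803/IDX10804 errors.
    public static async Task<string> CheckAsync(HttpClient http, string authority, bool requireHttps)
    {
        var url = authority.TrimEnd('/') + "/.well-known/openid-configuration";
        try
        {
            return Validate(authority, await http.GetStringAsync(url), requireHttps);
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException || ex is JsonException)
        {
            return $"cannot use {url}: {ex.Message}";
        }
    }
    public static async Task Main()
    {
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
        // Constructed input: the IIS Express address from the error message in this issue.
        var problem = await CheckAsync(http, "http://localhost:29706/administration", false);
        Console.WriteLine(problem ?? "authority OK");
    }
}
```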

Member

TomPallister commented Feb 14, 2018

reopen until nuget package released

@TomPallister TomPallister reopened this Feb 14, 2018

Member

TomPallister commented Feb 14, 2018

Changes in 3.1.4

lurumad commented Feb 15, 2018

Awesome @TomPallister

I'm going to test in our app and give you feedback as soon as I test it!

Regards!
