IOException: IDX10804: Unable to retrieve document from: http://localhost:5105/administration/.well-known/openid-configuration #228
@lurumad thank you for your interest in the project. This is happening because the IdentityServer middleware I use to authenticate the administration API requires the address that Ocelot is running on. The code is in OcelotBuilder:

```csharp
_services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(o =>
    {
        // Authority is built from the address Ocelot is running on
        o.Authority = baseSchemeUrlAndPort + adminPath.Path;
        o.ApiName = identityServerConfiguration.ApiName;
        o.RequireHttpsMetadata = identityServerConfiguration.RequireHttps;
        o.SupportedTokens = SupportedTokens.Both;
        o.ApiSecret = identityServerConfiguration.ApiSecret;
    });
```

Have you tried
When using IIS Express or the Azure Web App's address? I might need to change how this works because I haven't had anyone with a problem so far! However, I have always known it's a bit crappy. Maybe just a setting in the configuration that tells Ocelot what the URL will be would be OK. Let me know if my proposed workaround helps you or if you think it should be changed. |
`.UseUrls("http://localhost:29706")` only applies to Kestrel or WebListener, not to IISExpress or IIS |
I think that the best approach is to give the developer some mechanism to plug in your Identity Server configuration, because in my case I have my own Identity Server. Regards! |
@lurumad mmmmmmm Ocelot lets you plug into your own IdentityServer for authenticating ReRoutes but not the administration area. This is an interesting suggestion and would improve Ocelot. At the moment it just uses it internally for the admin area with client credential workflow. |
Yeah!!! It would be awesome if the same identity server worked with administration too. Another approach is to use something like what Hangfire uses in its dashboard: http://docs.hangfire.io/en/latest/configuration/using-dashboard.html#configuring-authorization Regards! |
@lurumad I will take a look at this when I have time but it will take me a little while. I might just make it so you can use your own identity server, tbh that would be easier for me at the moment as I have loads of features to implement! |
@lurumad OK I've quickly got something together that lets you use your own IdentityServer with the admin area. Now you will do something like:

```csharp
public virtual void ConfigureServices(IServiceCollection services)
{
    Action<IdentityServerAuthenticationOptions> options = o => {
        // o.Authority = ;
        // o.ApiName = ;
        // etc....
    };
    services
        .AddOcelot()
        .AddAdministration("/administration", options);
}
```

Of course you can handle adding the IdentityServerAuthenticationOptions with whatever style you want!

Another change is that you now have to specify the URL Ocelot will be running under as a configuration setting. We no longer have to register the builder, which I have always felt was a bit hacky. I think this will work OK for everyone because it can always be passed in as a command line argument. If you do not specify this, Ocelot will just assume http://localhost:5000, which is of course the Kestrel default. In the example below Ocelot will assume its address is http://mywebapp.azurewebsites.net, which is used for some headers find and replace transformation logic (may not be relevant to you). If you do not specify the IdentityServer stuff above it will also be used by the default/internal IdentityServer authentication middleware.

```csharp
.ConfigureAppConfiguration((hostingContext, config) =>
{
    config
        .SetBasePath(hostingContext.HostingEnvironment.ContentRootPath)
        .AddJsonFile("appsettings.json", true, true)
        .AddJsonFile($"appsettings.{hostingContext.HostingEnvironment.EnvironmentName}.json", true, true)
        .AddJsonFile("configuration.json")
        .AddEnvironmentVariables()
        .AddOcelotBaseUrl("http://mywebapp.azurewebsites.net");
})
```

Hope this makes sense and will work for you! |
reopen until nuget package released |
Changes in 3.1.4 |
Awesome @TomPallister I'm going to test in our app and give you feedback as soon as I test it! Regards! |
Hi folks,
We are playing with Ocelot, and we have found a strange behavior with the administration area. I'll try to explain as best I can:
With a basic configuration like this:
And Startup:
When we run the web application from IISExpress we always receive the same error:
InvalidOperationException: IDX10803: Unable to obtain configuration from: http://localhost:29706/administration/.well-known/openid-configuration
If we run the application with Kestrel it works fine.
Looking into the code, I've found this class:
The application under IISExpress is running on localhost:5000, but baseSchemeUrlAndPort, which is retrieved from `_webHostBuilder.GetSetting(WebHostDefaults.ServerUrlsKey)`, points to a different URL, and this URL is used to configure the authority in Identity Server.
If we publish this application in Azure Web App we receive the same error.
What am I missing? Anyone with the same problem?
Regards!
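
A diagnostic for the mismatch described in this thread, as an added example that is not part of the thread or of Ocelot's code: it composes the Authority the same way (base URL plus admin path), requests the discovery document, and reports whether the address is unreachable or whether the document's `issuer` disagrees with the configured Authority. The function names and the `fake_host` stand-in are hypothetical, and the sample host is constructed so the check runs offline.

```python
import json
from urllib.request import urlopen

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

def authority_for(base_url, admin_path):
    # Same composition as in the thread: base scheme/host/port + admin path.
    return base_url.rstrip("/") + "/" + admin_path.strip("/")

def http_fetch(url, timeout=5):
    # Real fetcher; network and HTTP errors surface as OSError subclasses.
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")

def check_authority(base_url, admin_path, fetch=http_fetch):
    """Return (status, detail) for the discovery document behind an Authority."""
    authority = authority_for(base_url, admin_path)
    url = authority + DISCOVERY_SUFFIX
    try:
        doc = json.loads(fetch(url))
    except OSError as exc:
        # Nothing answers at the configured address (the IDX10803/IDX10804 case).
        return "unreachable", f"{url}: {exc}"
    except ValueError:
        return "not-json", url
    if not isinstance(doc, dict) or "issuer" not in doc:
        return "no-issuer", url
    # OpenID Connect Discovery requires the issuer to match the URL it was fetched for.
    if str(doc["issuer"]).rstrip("/") != authority:
        return "issuer-mismatch", f"expected {authority}, got {doc['issuer']}"
    return "ok", url

def fake_host(listening_base, admin_path):
    # Constructed stand-in for a running host: answers only at its real address.
    authority = authority_for(listening_base, admin_path)
    body = json.dumps({"issuer": authority})
    def fetch(url):
        if url != authority + DISCOVERY_SUFFIX:
            raise ConnectionRefusedError(f"nothing answers at {url}")
        return body
    return fetch

if __name__ == "__main__":
    # Host really listens on :5000 while the configured URL says :29706.
    host = fake_host("http://localhost:5000", "/administration")
    for base in ("http://localhost:29706", "http://localhost:5000"):
        print(base, check_authority(base, "/administration", host))
```

Called without the `fetch` argument, `check_authority` performs a real HTTP request against the given base URL.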