无法从以下位置检索文档:“https://ids.com/.well-known/openid-configuration”

【问题标题】:Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'无法从以下位置检索文档:“https://ids.com/.well-known/openid-configuration”
【发布时间】:2019-05-19 06:20:32
【问题描述】:

我一直在开发多个依赖 Identity Server 4(IDS4) 使用 OIDC 进行身份验证的应用程序。一切都很好,直到我使用 SSL 卸载将应用程序放在代理后面。

目标是能够访问网站。当您请求登录时,它应该将您重定向到 IDS4 验证您,然后将您送回。这是标准的..

真正发生的事情。 403错误:

An unhandled exception occurred while processing the request.
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Stack Query Cookies Headers 
HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

    Show raw exception details 
IOException: IDX20804: Unable to retrieve document from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)

Show raw exception details 
InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://ids.com/.well-known/openid-configuration'.
Microsoft.IdentityModel.Protocols.ConfigurationManager<T>.GetConfigurationAsync(CancellationToken cancel)
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationHandler<TOptions>.ChallengeAsync(AuthenticationProperties properties)
Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)
Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeResultAsync(IActionResult result)
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAlwaysRunResultFilters()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeFilterPipelineAsync()
Microsoft.AspNetCore.Mvc.Internal.ResourceInvoker.InvokeAsync()
Microsoft.AspNetCore.Builder.RouterMiddleware.Invoke(HttpContext httpContext)
Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

出于好奇,我关闭了我的 IDS 应用程序并尝试通过我的其他应用程序之一访问它并得到完全相同的错误响应。这让我相信这与使用 openidc 时我的应用程序中的代码或我的 IIS 设置有关。

注意事项: 我正在使用 IIS。 我的代理站点上有一个受信任的 CA 证书。 假设 IDS 正在运行,我可以在我的浏览器中访问“https://ids.com/.well-known/openid-configuration”。你不会的,这是一个假域名。

我尝试过的事情:

  1. OpenIdConnect 内部尝试从 假对真,

  2. app.UseForwardedHeaders();

好的,我在这里肯定是错的,但我认为问题在于我的应用程序(使用 OIDC 时)没有发送 SSL 信息,该信息禁止它们访问“https://ids.com/.well-know”地址。

我应该从哪里开始尝试使用它?

我的一些启动代码:

    services.Configure<ForwardedHeadersOptions>(options =>
            {
                options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
                options.RequireHeaderSymmetry = false;
                options.KnownNetworks.Clear();
                options.KnownProxies.Clear();

            });

    .AddOpenIdConnect(AuthorizationConsts.OidcAuthenticationScheme, options =>
     {

         options.SignInScheme = "Cookies";
         options.Authority = "https://ids.com";
         options.RequireHttpsMetadata = true;
         options.ClientId = AuthorizationConsts.OidcClientId;


         options.Scope.Clear();
         options.Scope.Add(AuthorizationConsts.ScopeOpenId);
         options.Scope.Add(AuthorizationConsts.ScopeProfile);
         options.Scope.Add(AuthorizationConsts.ScopeEmail);
         options.Scope.Add(AuthorizationConsts.ScopeRoles);



         options.SaveTokens = true;

         options.TokenValidationParameters = new TokenValidationParameters
         {
             NameClaimType = JwtClaimTypes.Name,
             RoleClaimType = JwtClaimTypes.Role,
         };

         options.Events = new OpenIdConnectEvents
         {
             OnMessageReceived = OnMessageReceived,
             OnRedirectToIdentityProvider = OnRedirectToIdentityProvider

         };
     });

..............


    app.Use(async (Context, next) =>
           {
               if (!string.IsNullOrEmpty(Context.Request.Headers["X-ARR-SSL"]))
               {
                   Context.Request.Scheme = "https";
                   await next.Invoke();

               }
               else
               {
                   Context.Request.Scheme = "http";
                   await next.Invoke();
               }

           });

            app.UseForwardedHeaders();

            // Ensures we can serve static-files that should not be processed by ASP.NET
            app.UseStaticFiles();

            // Enable the authentication middleware so we can protect access to controllers and/or actions
            app.UseAuthentication();

【问题讨论】:

  • 我创建了自签名证书并将它们放在应用程序服务器和反向代理的受信任根目录中。仍然没有喜悦。同样的错误。

标签: c# .net-core identityserver4 openid-connect


【解决方案1】:

对我来说,添加解决了这个问题

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

【讨论】:

    【解决方案2】:

    我终于解决了这个问题。我知道这与证书有关,但我不知道该怎么做。

    我的解决方法是将 options.BackchannelHttpHandler 添加到 

    private readonly HttpClientHandler _handler;

public Startup(IHostingEnvironment env, IConfiguration config,
    ILoggerFactory loggerFactory)
    {
        _env = env;
        _config = config;
        _loggerFactory = loggerFactory;
        Configuration = config;
        _handler = new HttpClientHandler();

        _handler.ClientCertificates.Add(FindClientCertificate());//same x509cert2 that proxy server uses
        _handler.AllowAutoRedirect = true;




    }
.....


AddOpenIdConnect( scheme, options => {
....
options.BackchannelHttpHandler = _handler;
...
}

    【讨论】:

    • 这个解决方案对我有用,但我处理 _handler.ServerCertificateCustomValidationCallback。仅返回 true 用于测试目的。谢谢
    【解决方案3】:

    花了一个不眠之夜来解决这个问题。下面的代码解决了我的问题。

    服务 .AddIdentityServer(选项 => {

                    options.IssuerUri = <Authority Url>; //<== Added this one 
                options.Events.RaiseSuccessEvents = true;
                options.Events.RaiseFailureEvents = true;
                options.Events.RaiseErrorEvents = true;
            })

    【讨论】:

      猜你喜欢
      • 2021-11-17
      • 2021-01-18
      • 2020-07-30
      • 2022-08-11
      • 2016-10-08
      • 2018-05-10
      • 2020-04-02
      • 1970-01-01
      • 1970-01-01
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode