Unable to obtain configuration from well-known/openid-configuration

Question

I am using ASP.NET 5, In my solution I have Web API, Identity Server and Angular 2 project and I am authenticating Angular 2 client by using Identity Server, Angular 2 client consumes web api by passing token in http request and web api authenticate token and gives response, for this I have written a custom attribute which checks that user is authenticated or not

When I consume API I am getting following exception and Web API returns 500 internal server error.

System.InvalidOperationException: IDX10803: Unable to obtain configuration from: ' http://xx.xx.xx.x:3926/.well-known/openid-configuration '. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: ' http://xx.xx.xx.x:3926/.well-known/openid-configuration '. ---> System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond xx.xx.xx.x:3926 at System.Net.Sockets.Socket.EndConnect(IAsyncResult asyncResult) at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

Answer 1

If identityserver and the access token validation middleware are hosted in the same application there is a race condition at startup.

The validation middleware tries to load the discovery document, which is not yet available.

In these scenarios, set the DelayLoadMetadata flag on the validation middleware to true.

If you disable the discovery endpoint altogether, you need to configure the issuer and key material on the validation options.

Answer 2

I used something like this, and it resolved my issue.

services.AddAuthentication(o => {
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })            
        .AddCookie(cfg => cfg.SlidingExpiration = true)
        .AddJwtBearer(cfg =>
        {
            cfg.Audience = "http://localhost:4200/";
            cfg.Authority = "http://localhost:5000/";
            cfg.RequireHttpsMetadata = false;
            cfg.SaveToken = true;
            cfg.TokenValidationParameters = tokenValidationParameters;
            cfg.Configuration = new OpenIdConnectConfiguration();  <-- Most IMP Part
        });

Answer 3

The reason for this error was proxy and was able to resolve it by implementing the code below:

options.BackchannelHttpHandler = new HttpClientHandler()
            {
                ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator,
                Proxy = new WebProxy(Configuration["System:Proxy"])
            };

If you are getting "unable to retrieve document from: '[pii is hidden]'" you need to add below to ConfigureServices:

    public void ConfigureServices(IServiceCollection services)
            {
......
IdentityModelEventSource.ShowPII = true;
    }

I hope this help.

Answer 4

检查您的 appsettings.json 租户 ID，并确保您没有意外复制超出租户 ID 所需的数量。

Answer 5

I've gotten this error message for a couple of reasons. One was solved with @leastprivilege answer. Another was that my certs-files in my Identity Server project had been lost in Version control. So i just replaced the broken files with the originals and then it worked.

Answer 6

Rebuilding my SSO project fixed my problem. Nuget packages were restored as well during rebuilding the project. Hope this helps you.

Answer 7

In case this helps anybody else.

I got this error after upgrading a project to .net core 2.0

the fix.

Change the name of the instance within appsettings.json instead of

" AAD Instance": " https://login.microsoftonline.com/ "

use

"Instance": " https://login.microsoftonline.com/ "

Answer 8

I ran into this issue testing on localhost with the dotnet run command. The call to /.well-known was performed on the wrong port. After adding a line to my startup class it works.

Answer 9

managed to solve it by changing the application pool identity from "Applicationpoolidentity" to "Built-in Account". in built in account service account name and its password is given