
Microservice k8s deploy, /Account/Login shows IDX20803 error #3027


pei.chen@cpy.com.hk created
  • ABP Framework version: v5.2.1
  • UI type: Blazor
  • DB provider: EF Core
  • k8s deploy

k8s deploy: I only followed the abp.io suite template (v5.2.1) and changed some necessary Env settings. I added the TLS secret following this document: https://github.com/abpframework/eShopOnAbp/tree/main/etc

Error Info:

  1. After clicking [Login], the log shows:
[03:43:53 INF] Executing endpoint 'MOS.Blazor.Controllers.AccountController.Login (MOS.Blazor)'
[03:43:53 INF] Route matched with {action = "Login", controller = "Account", area = "", page = ""}. Executing controller action with signature Microsoft.AspNetCore.Mvc.ActionResult Login(System.String, System.String) on controller MOS.Blazor.Controllers.AccountController (MOS.Blazor).
[03:43:53 INF] Executing ChallengeResult with authentication schemes (["oidc"]).
[03:43:58 INF] Executed action MOS.Blazor.Controllers.AccountController.Login (MOS.Blazor) in 5219.8724ms
[03:43:58 INF] Executed endpoint 'MOS.Blazor.Controllers.AccountController.Login (MOS.Blazor)'
[03:43:58 ERR] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
 ---> System.Net.Http.HttpRequestException: Connection refused (mos-st-authserver:443)
 ---> System.Net.Sockets.SocketException (111): Connection refused
  2. Gateway Web auth error: https://mos-st-gateway-web/swagger/index.html After auth: Show
  • Auth Error TypeError: Failed to fetch

Here is my Values.yaml

# auth-server sub-chart override
authserver:
  config:
    selfUrl: https://mos-st-authserver
    corsOrigins: https://mos-st-gateway-web,https://mos-st-gateway-web-public,https://mos-st-identity,https://mos-st-administration,https://mos-st-saas,https://mos-st-product
    allowedRedirectUrls: https://mos-st-angular
    identityService:
      connString: "Server=mos-st-sqldb,1433;Database=MOS_Identity;User Id=sa;password=myPassw@rd"
    administrationService:
      connString: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
    saasService:
      connString: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-authserver
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-app-authserver
    tag: latest

# identity-service sub-chart override
identity:
  config:
    selfUrl: https://mos-st-identity
    corsOrigins: https://mos-st-gateway-web, https://mos-st-gateway-web-public
    connectionStrings:
      identityService: "Server=mos-st-sqldb,1433;Database=MOS_Identity;User Id=sa;password=myPassw@rd"
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
    identityServerClients:
      blazorServerRootUrl: https://mos-st-web/
      publicWebRootUrl: https://mos-st-publicweb/
      webGatewayRootUrl: https://mos-st-gateway-web/
      publicWebGatewayRootUrl: https://mos-st-gateway-web-public/
    identityServerResources:
      accountServiceRootUrl: https://mos-st-authserver/
      identityServiceRootUrl: https://mos-st-identity/
      administrationServiceRootUrl: https://mos-st-administration/
      saasServiceRootUrl: https://mos-st-saas/
      productServiceRootUrl: https://mos-st-product/
      clientServiceRootUrl: https://mos-st-client/
      notificationServiceRootUrl: https://mos-st-notification/
  ingress:
    host: mos-st-identity
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-identity
    tag: latest

# administration-service sub-chart override
administration:
  config:
    selfUrl: https://mos-st-administration
    gatewayUrl: http://mos-st-gateway-web
    corsOrigins: https://mos-st-gateway-web,https://mos-st-gateway-web-public
    connectionStrings:
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"    
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  synchedCommunication: # Used for server-to-server (client-credentials) communication with identityService for user permissions
    authority: https://mos-st-authserver
  ingress:
    host: mos-st-administration
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-administration
    tag: latest

# saas-service sub-chart override
saas:
  config:
    selfUrl: https://mos-st-saas
    corsOrigins: https://mos-st-gateway-web
    connectionStrings:
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-saas
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-saas
    tag: latest  

# product-service sub-chart override
product:
  config:
    selfUrl: https://mos-st-product
    corsOrigins: https://mos-st-gateway-web,https://mos-st-gateway-web-public
    connectionStrings:
      productService: "Server=mos-st-sqldb,1433;Database=MOS_ProductService;User Id=sa;password=myPassw@rd"
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-product    
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-product
    tag: latest

# notification-service sub-chart override
notification:
  config:
    selfUrl: https://mos-st-notification
    corsOrigins: https://mos-st-gateway-web,https://mos-st-gateway-web-public
    connectionStrings:
      notificationService: "Server=mos-st-sqldb,1433;Database=MOS_NotificationService;User Id=sa;password=myPassw@rd"
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-notification
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-notification
    tag: latest

# client-service sub-chart override
client:
  config:
    selfUrl: https://mos-st-client
    corsOrigins: https://mos-st-gateway-web,https://mos-st-gateway-web-public
    connectionStrings:
      clientService: "Server=mos-st-sqldb,1433;Database=MOS_ClientService;User Id=sa;password=myPassw@rd"
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-client
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-service-client
    tag: latest

# gateway-web sub-chart override
gateway-web:
  config:
    selfUrl: https://mos-st-gateway-web
    corsOrigins: https://mos-st-web
    globalConfigurationBaseUrl: http://mos-st-gateway-web
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"  
    dotnetEnv: Staging
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  reRoutes:
    authserver:
      schema: http
      host: mos-st-authserver
      port: 80
    identityService:
      schema: # http
      host: mos-st-identity
      port: 80
    administrationService:
      schema: http
      host: mos-st-administration
      port: 80
    saasService:
      schema: # http
      host: mos-st-saas
      port: 80
    productService:
      schema: http
      host: mos-st-saas
      port: 80  
  ingress:
    host: mos-st-gateway-web
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-gateway-web
    tag: latest
    pullPolicy: IfNotPresent

# gateway-web-public sub-chart override
gateway-web-public:
  config:
    selfUrl: https://mos-st-gateway-web-public
    globalConfigurationBaseUrl: http://mos-st-gateway-web-public
    corsOrigins: https://mos-st-publicweb
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"  
    dotnetEnv: Staging 
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  reRoutes:
    identityService:
      schema: http
      host: mos-st-identity
      port: 80
    administrationService:
      schema: http
      host: mos-st-administration
      port: 80
    productService:
      schema: http
      host: mos-st-product
      port: 80  
  ingress:
    host: mos-st-gateway-web-public
    tlsSecret: mos-tls
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-gateway-web-public
    tag: latest
    pullPolicy: IfNotPresent

kibana:
  config:
    elasticsearchUrl: http://mos-st-elasticsearch:9200

# dbmigrator sub-chart override
dbmigrator:
  config:
    connectionStrings:
      identityService: "Server=mos-st-sqldb,1433;Database=MOS_Identity;User Id=sa;password=myPassw@rd"
      administrationService: "Server=mos-st-sqldb,1433;Database=MOS_Administration;User Id=sa;password=myPassw@rd"
      saasService: "Server=mos-st-sqldb,1433;Database=MOS_Saas;User Id=sa;password=myPassw@rd"
      productService: "Server=mos-st-sqldb,1433;Database=MOS_ProductService;User Id=sa;password=myPassw@rd"
      clientService: "Server=mos-st-sqldb,1433;Database=MOS_ClientService;User Id=sa;password=myPassw@rd"
      notificationService: "Server=mos-st-sqldb,1433;Database=MOS_NotificationService;User Id=sa;password=myPassw@rd"
    dotnetEnv: Staging
  identityServerClients:
    blazorServerRootUrl: https://mos-st-web/
    publicWebRootUrl: https://mos-st-publicweb/
    webGatewayRootUrl: https://mos-st-gateway-web/
    publicWebGatewayRootUrl: https://mos-st-gateway-web-public/
  identityServerResources:
    accountServiceRootUrl: https://mos-st-authserver/
    identityServiceRootUrl: https://mos-st-identity/
    administrationServiceRootUrl: https://mos-st-administration/
    saasServiceRootUrl: https://mos-st-saas/
    productServiceRootUrl: https://mos-st-product/
    clientServiceRootUrl: https://mos-st-client/
    notificationServiceRootUrl: https://mos-st-notification/
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-db-migrator
    tag: latest
    pullPolicy: IfNotPresent  

# Public Web application sub-chart override
publicweb:
  config:
    selfUrl: https://mos-st-publicweb
    gatewayUrl: http://mos-st-gateway-web-public
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging 
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-publicweb
    tlsSecret: mos-tls
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-app-publicweb
    tag: latest
    pullPolicy: IfNotPresent

# Web(Blazor-Server) backoffice application sub-chart override
web:
  config:
    selfUrl: https://mos-st-web
    gatewayUrl: http://mos-st-gateway-web
    authServer:
      authority: http://mos-st-authserver
      requireHttpsMetadata: "false"
    dotnetEnv: Staging 
    redisHost: mos-st-redis
    rabbitmqHost: mos-st-rabbitmq
    elasticsearchUrl: http://mos-st-elasticsearch
  ingress:
    host: mos-st-web
    tlsSecret: mos-tls
  image:
    imagePullSecretName: regcred
    repository: 123123123.dkr.ecr.ap-east-1.amazonaws.com/mos-app-blazor-server
    tag: latest
    pullPolicy: IfNotPresent



# Default values for MOS.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: nginx
  pullPolicy: IfNotPresent
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""

podAnnotations: {}

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: ClusterIP
  port: 80

ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80

nodeSelector: {}

tolerations: []

affinity: {}



18 Answer(s)
  • gterdem created
    Senior .NET Developer

    Gateway Web auth error: https://mos-st-gateway-web/swagger/index.html After auth: Show

    I am assuming it is AccountService since web-gateway swagger just shows the microservice swagger endpoints it redirects at API definitions.

    The error indicates that the client is trying to reach the issuer at mos-st-authserver:443 however it should use http instead of https inside the internal network.

    Does this occur on web-gateway, AccountService only? Can you try other microservices over the web-gateway? Can you also try directly the microservice swagger endpoint?
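
The answer above says pods must reach the issuer over http inside the cluster. The following is an added example, not code from this thread or from ABP: it audits one Deployment's environment for outbound URLs that would dial a port the target Service does not expose, and for an http authority without `RequireHttpsMetadata` set to false. The sample environment, `SERVICE_PORTS` and `OUTBOUND_KEYS` are constructed assumptions (Service port 80 is taken from the default values quoted in the question).

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumption: ports each in-cluster Service exposes (chart default is
# service.type ClusterIP, service.port 80). Replace with `kubectl get svc` output.
SERVICE_PORTS = {
    "mos-st-authserver": {80},
    "mos-st-gateway-web": {80},
}

# Assumption: settings the pod itself dials (server-to-server calls).
# App__SelfUrl and App__CorsOrigins are browser-facing and go through the
# ingress, so they are deliberately not audited here.
OUTBOUND_KEYS = (
    "AuthServer__Authority",
    "IdentityClients__Default__Authority",
    "RemoteServices__Default__BaseUrl",
)

# Constructed sample: environment of one service pod, using the env var names
# and host names that appear in this thread. Values are illustrative.
SAMPLE_ENV = {
    "App__SelfUrl": "https://mos-st-administration",
    "AuthServer__Authority": "http://mos-st-authserver",
    "AuthServer__RequireHttpsMetadata": "false",
    "IdentityClients__Default__Authority": "https://mos-st-authserver",
    "RemoteServices__Default__BaseUrl": "http://mos-st-gateway-web",
}


def audit_env(env, service_ports=SERVICE_PORTS, outbound_keys=OUTBOUND_KEYS):
    """Return a list of (setting, kind, detail) findings for one pod's env."""
    findings = []

    # 1. Outbound URL whose effective port is not exposed by the Service:
    #    the connection is refused before TLS or OIDC discovery can start.
    for name in outbound_keys:
        value = env.get(name)
        if not value:
            continue
        url = urlsplit(value)
        port = url.port or DEFAULT_PORTS.get(url.scheme)
        exposed = service_ports.get(url.hostname)
        if exposed is not None and port not in exposed:
            detail = f"{url.hostname}:{port} (Service exposes {sorted(exposed)})"
            findings.append((name, "port-not-exposed", detail))

    # 2. An http authority is rejected by the JWT bearer handler unless
    #    RequireHttpsMetadata is explicitly false (it defaults to true).
    authority = env.get("AuthServer__Authority", "")
    flag = env.get("AuthServer__RequireHttpsMetadata", "true").strip().lower()
    if urlsplit(authority).scheme == "http" and flag != "false":
        findings.append((
            "AuthServer__Authority",
            "https-metadata-required",
            "http authority with RequireHttpsMetadata not set to false",
        ))

    return findings


if __name__ == "__main__":
    for setting, kind, detail in audit_env(SAMPLE_ENV):
        print(f"{setting}: {kind}: {detail}")
```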

  • pei.chen@cpy.com.hk created

    It's very hard to figure out which env setting is HTTPS or HTTP. I have double-checked the template many times, but it does not work.

    Any wrong setting will cause it to show "Not secure Page" and the log exception: 443 refused.

    Does anyone have a workable sample run in k8s with abp.io v5.2.1?

  • pei.chen@cpy.com.hk created

    Actually, this issue is the same as QA #3009 https://support.abp.io/QA/Questions/3009, but it is closed.

  • pei.chen@cpy.com.hk created

    Gateway Web auth error: https://mos-st-gateway-web/swagger/index.html After auth: Show

    I am assuming it is AccountService since web-gateway swagger just shows the microservice swagger endpoints it redirects at API definitions.

    The error indicates that the client is trying to reach the issuer at mos-st-authserver:443 however it should use http instead of https inside the internal network.

    Does this occur on web-gateway, AccountService only? Can you try other microservices over the web-gateway? Can you also try directly the microservice swagger endpoint?

    After Auth: Console show 'https://mos-st-administration/swagger/index.html' was loaded over HTTPS, but requested an insecure resource 'http://mos-st-authserver/connect/token'.

    The swagger is https, but we set the authserver to http...

  • pei.chen@cpy.com.hk created

    It's very helpful to deploy an abp.io microservice template to a Helm hub for reference... Please consider that.

  • gterdem created
    Senior .NET Developer

    Is this docker for desktop local kubernetes cluster you are trying to run? This seems to be related to swagger authentication. I will try to reproduce the problem. Do you have any custom configurations on ingress.yaml files?

    It's very helpful to deploy an abp.io microservice template to a Helm hub for reference... Please consider that.

    Thank you for the suggestion. I will create an internal issue for this.

  • pei.chen@cpy.com.hk created

    Is this docker for desktop local kubernetes cluster you are trying to run? This seems to be related to swagger authentication. I will try to reproduce the problem. Do you have any custom configurations on ingress.yaml files?

    It's very helpful to deploy an abp.io microservice template to a Helm hub for reference... Please consider that.

    Thank you for the suggestion. I will create an internal issue for this.

    Yes, I use the docker desktop for testing. No change with the ingress file, just installed the NGINX Ingress Controller according to the description.

    kubernetes.io/ingress.class: "nginx"

    I only installed "cert-manager" in k8s but did nothing with it, because I am just testing in the local network. Should I do something about the letsencrypt?

    cert-manager.io/cluster-issuer: letsencrypt

  • gterdem created
    Senior .NET Developer

    Letsencrypt won't work since you are not using real domains. Is your authserver (already accountservice) running on https?

    Do you get Not secure/trusted error? Internal request to issuer endpoint can fail because of returning a not secure page.

  • pei.chen@cpy.com.hk created

    accountservice

    It works well in https://mos-st-authserver/Account/Login

    But if I authorize from https://mos-st-administration/swagger/index.html , the first time it will show:

    I have changed nothing in the authserver project; I built it with docker build (/build-images.ps1) and added the TLS secret following this document: https://github.com/abpframework/eShopOnAbp/tree/main/etc

  • pei.chen@cpy.com.hk created

    Letsencrypt won't work since you are not using real domains. Is your authserver (already accountservice) running on https?

    Do you get Not secure/trusted error? Internal request to issuer endpoint can fail because of returning a not secure page.

    Is there a way to let the services call the authserver with https? The whole question is based on it.

    This is an exception from the Administration Service.

    [08:30:02 INF] Request starting HTTP/1.1 GET http://mos-st-administration/api/language-management/languages/all - -
    [08:30:02 ERR] Exception occurred while processing message.
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
     ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
     ---> System.Net.Http.HttpRequestException: Connection refused (mos-st-authserver:443)
     ---> System.Net.Sockets.SocketException (111): Connection refused
       at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
       at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
       at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
       at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
       --- End of inner exception stack trace ---
    

    This exception is caused when I use Postman to get a token from https://mos-st-authserver/ and use the token to call the service: https://mos-st-administration/api/language-management/languages/all

    This is the payload in token:

    {
      "nbf": 1651826063,
      "exp": 1683362063,
      "iss": "https://mos-st-authserver",
      "aud": "AdministrationService",
      "client_id": "WebGateway_Swagger",
      "sub": "414da19f-8697-7bc7-089e-3a03aa97ec05",
      "auth_time": 1651826063,
      "idp": "local",
      "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "admin",
      "unique_name": "admin",
      "preferred_username": "admin",
      "given_name": "admin",
      "role": "admin",
      "phone_number_verified": "False",
      "email": "admin@abp.io",
      "email_verified": "False",
      "name": "admin",
      "sid": "0112997F344EA7D0B1C09B7AB815FBE2",
      "iat": 1651826063,
      "scope": [
        "AdministrationService"
      ],
      "amr": [
        "pwd"
      ]
    }
    
  • gterdem created
    Senior .NET Developer

    It is not related with the token.

    Add the code below to AdministrationServiceModule ConfigureServices method to see detailed information about the OpenId error:

    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
    

    It can be a problem with swagger authorization. When you are making a request from the browser to login, you are redirected to http://mos-st-authserver (AuthServer:Authority) however it is served under https on the browser.

    Maybe you can try sending a header from WebGateway Ingress and write a middleware at AuthServer to redirect to https if the request is coming from the browser:

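    app.Use(async (ctx, next) =>
    {
        // Requests forwarded by the ingress carry the "from-ingress" header;
        // mark them as HTTPS so generated redirects use https://.
        if (ctx.Request.Headers.ContainsKey("from-ingress"))
        {
            ctx.Request.Scheme = "https";
        }

        // An async lambda must await the next delegate rather than return it.
        await next();
    });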
    
    

    This way, when you are making a login request from swagger, you should be redirected to https://mos-st-authserver and the token validation Issuer will still navigate to http://mos-st-authserver inside the internal kubernetes network.

  • pei.chen@cpy.com.hk created

    It is not related with the token.

    Add the code below to AdministrationServiceModule ConfigureServices method to see detailed information about the OpenId error:

    Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; 
    

    It can be a problem with swagger authorization. When you are making a request from the browser to login, you are redirected to http://mos-st-authserver (AuthServer:Authority) however it is served under https on the browser.

    Maybe you can try sending a header from WebGateway Ingress and write a middleware at AuthServer to redirect to https if the request is coming from the browser:

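    app.Use(async (ctx, next) =>
    {
        // Requests forwarded by the ingress carry the "from-ingress" header;
        // mark them as HTTPS so generated redirects use https://.
        if (ctx.Request.Headers.ContainsKey("from-ingress"))
        {
            ctx.Request.Scheme = "https";
        }

        // An async lambda must await the next delegate rather than return it.
        await next();
    });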
     
    

    This way, when you are making a login request from swagger, you should be redirected to https://mos-st-authserver and the token validation Issuer will still navigate to http://mos-st-authserver inside the internal kubernetes network.

    The default template contains the logic just like what you said. I changed it to ctx.Request.Scheme = "https" and it shows the same error log.

    app.Use(async (ctx, next) =>
    {
        if (ctx.Request.Headers.ContainsKey("from-ingress"))
        {
            ctx.SetIdentityServerOrigin(configuration["App:SelfUrl"]);
        }
    
        await next();
    });
    

    I used Postman to get a token successfully and requested the API at http://mos-st-administration/api/language-management/languages/all. To avoid the swagger redirect, I used the REST API only. I have set all the yaml:

                - name: AuthServer__Authority
                  value: http://mos-st-authserver
                - name: AuthServer__RequireHttpsMetadata
                  value: 'false'
    

    but it still shows the error: ---> System.Net.Http.HttpRequestException: Connection refused (mos-st-authserver:443). I have no idea why it redirects to 443.

  • gterdem created
    Senior .NET Developer

    There may be a problem with overriding the configuration in your kubernetes values files.

    Do you deploy as a single helm chart, and are you sure that the Values.yaml has the correct configuration? If you are deploying applications individually, you need to update the related helm chart Values.yaml.

    Can you also add the related code to show detailed OpenId error and rebuild/redeploy your application? There might be a clue.

  • pei.chen@cpy.com.hk created

    There may be a problem with overriding the configuration in your kubernetes values files.

    Do you deploy as a single helm chart, and are you sure that the Values.yaml has the correct configuration? If you are deploying applications individually, you need to update the related helm chart Values.yaml.

    Can you also add the related code to show detailed OpenId error and rebuild/redeploy your application? There might be a clue.

    Here are the YAMLs I copied from the Kubernetes dashboard. administration:

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: mos-st-administration
      namespace: mos-st
      uid: 5e6f7465-f220-4e47-bc88-e8ef0f0b31c0
      resourceVersion: '1475368'
      generation: 2
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
      annotations:
        deployment.kubernetes.io/revision: '2'
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: apps/v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
            f:spec:
              f:progressDeadlineSeconds: {}
              f:replicas: {}
              f:revisionHistoryLimit: {}
              f:selector: {}
              f:strategy:
                f:rollingUpdate:
                  .: {}
                  f:maxSurge: {}
                  f:maxUnavailable: {}
                f:type: {}
              f:template:
                f:metadata:
                  f:labels:
                    .: {}
                    f:app: {}
                f:spec:
                  f:containers:
                    k:{"name":"mos-st-administration"}:
                      .: {}
                      f:env:
                        .: {}
                        k:{"name":"App__CorsOrigins"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"App__SelfUrl"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"AuthServer__Authority"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"AuthServer__RequireHttpsMetadata"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ConnectionStrings__AdministrationService"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ConnectionStrings__SaasService"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"DOTNET_ENVIRONMENT"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ElasticSearch__Url"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"IdentityClients__Default__Authority"}:
                          .: {}
                          f:name: {}
                        k:{"name":"RabbitMQ__Connections__Default__HostName"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"Redis__Configuration"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"RemoteServices__Default__BaseUrl"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"StringEncryption__DefaultPassPhrase"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                      f:image: {}
                      f:imagePullPolicy: {}
                      f:name: {}
                      f:ports:
                        .: {}
                        k:{"containerPort":80,"protocol":"TCP"}:
                          .: {}
                          f:containerPort: {}
                          f:name: {}
                          f:protocol: {}
                        k:{"containerPort":443,"protocol":"TCP"}:
                          .: {}
                          f:containerPort: {}
                          f:name: {}
                          f:protocol: {}
                      f:resources: {}
                      f:terminationMessagePath: {}
                      f:terminationMessagePolicy: {}
                  f:dnsPolicy: {}
                  f:imagePullSecrets:
                    .: {}
                    k:{"name":"regcred"}: {}
                  f:restartPolicy: {}
                  f:schedulerName: {}
                  f:securityContext: {}
                  f:terminationGracePeriodSeconds: {}
        - manager: dashboard
          operation: Update
          apiVersion: apps/v1
          time: '2022-05-08T07:46:42Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:spec:
              f:template:
                f:spec:
                  f:containers:
                    k:{"name":"mos-st-administration"}:
                      f:env:
                        k:{"name":"IdentityClients__Default__Authority"}:
                          f:value: {}
        - manager: kube-controller-manager
          operation: Update
          apiVersion: apps/v1
          time: '2022-05-08T07:46:44Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                f:deployment.kubernetes.io/revision: {}
            f:status:
              f:availableReplicas: {}
              f:conditions:
                .: {}
                k:{"type":"Available"}:
                  .: {}
                  f:lastTransitionTime: {}
                  f:lastUpdateTime: {}
                  f:message: {}
                  f:reason: {}
                  f:status: {}
                  f:type: {}
                k:{"type":"Progressing"}:
                  .: {}
                  f:lastTransitionTime: {}
                  f:lastUpdateTime: {}
                  f:message: {}
                  f:reason: {}
                  f:status: {}
                  f:type: {}
              f:observedGeneration: {}
              f:readyReplicas: {}
              f:replicas: {}
              f:updatedReplicas: {}
          subresource: status
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: mos-st-administration
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: mos-st-administration
        spec:
          containers:
            - name: mos-st-administration
              image: >-
                359134898311.dkr.ecr.ap-east-1.amazonaws.com/mos-service-administration:latest
              ports:
                - name: http
                  containerPort: 80
                  protocol: TCP
                - name: https
                  containerPort: 443
                  protocol: TCP
              env:
                - name: App__SelfUrl
                  value: https://mos-st-administration
                - name: RemoteServices__Default__BaseUrl
                  value: http://mos-st-gateway-web
                - name: App__CorsOrigins
                  value: https://mos-st-gateway-web,https://mos-st-gateway-web-public
                - name: IdentityClients__Default__Authority
                  value: http://mos-st-authserver
                - name: ConnectionStrings__AdministrationService
                  value: >-
                    Server=mos-st-sqldb,1433;Database=MOS_Administration;User
                    Id=sa;password=myPassw@rd
                - name: ConnectionStrings__SaasService
                  value: >-
                    Server=mos-st-sqldb,1433;Database=MOS_Saas;User
                    Id=sa;password=myPassw@rd
                - name: DOTNET_ENVIRONMENT
                  value: Staging
                - name: Redis__Configuration
                  value: mos-st-redis
                - name: AuthServer__Authority
                  value: http://mos-st-authserver
                - name: AuthServer__RequireHttpsMetadata
                  value: 'false'
                - name: StringEncryption__DefaultPassPhrase
                  value: gsKnGZ041HLL4IM8
                - name: RabbitMQ__Connections__Default__HostName
                  value: mos-st-rabbitmq
                - name: ElasticSearch__Url
                  value: http://mos-st-elasticsearch
              resources: {}
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              imagePullPolicy: IfNotPresent
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
          dnsPolicy: ClusterFirst
          securityContext: {}
          imagePullSecrets:
            - name: regcred
          schedulerName: default-scheduler
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 25%
          maxSurge: 25%
      revisionHistoryLimit: 10
      progressDeadlineSeconds: 600
    status:
      observedGeneration: 2
      replicas: 1
      updatedReplicas: 1
      readyReplicas: 1
      availableReplicas: 1
      conditions:
        - type: Available
          status: 'True'
          lastUpdateTime: '2022-05-08T04:44:27Z'
          lastTransitionTime: '2022-05-08T04:44:27Z'
          reason: MinimumReplicasAvailable
          message: Deployment has minimum availability.
        - type: Progressing
          status: 'True'
          lastUpdateTime: '2022-05-08T07:46:44Z'
          lastTransitionTime: '2022-05-08T04:43:48Z'
          reason: NewReplicaSetAvailable
          message: >-
            ReplicaSet "mos-st-administration-5bc6f6fc68" has successfully
            progressed.
    
    
    
    kind: Service
    apiVersion: v1
    metadata:
      name: mos-st-administration
      namespace: mos-st
      uid: 4596aec0-241f-4024-98d7-836037649eb0
      resourceVersion: '1458270'
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
        name: mos-st-administration
      annotations:
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
                f:name: {}
            f:spec:
              f:internalTrafficPolicy: {}
              f:ports:
                .: {}
                k:{"port":80,"protocol":"TCP"}:
                  .: {}
                  f:name: {}
                  f:port: {}
                  f:protocol: {}
                  f:targetPort: {}
                k:{"port":443,"protocol":"TCP"}:
                  .: {}
                  f:name: {}
                  f:port: {}
                  f:protocol: {}
                  f:targetPort: {}
              f:selector: {}
              f:sessionAffinity: {}
              f:type: {}
    spec:
      ports:
        - name: '80'
          protocol: TCP
          port: 80
          targetPort: 80
        - name: '443'
          protocol: TCP
          port: 443
          targetPort: 443
      selector:
        app: mos-st-administration
      clusterIP: 10.101.5.16
      clusterIPs:
        - 10.101.5.16
      type: ClusterIP
      sessionAffinity: None
      ipFamilies:
        - IPv4
      ipFamilyPolicy: SingleStack
      internalTrafficPolicy: Cluster
    status:
      loadBalancer: {}
    
    
    kind: Ingress
    apiVersion: networking.k8s.io/v1
    metadata:
      name: mos-st-administration-ingress
      namespace: mos-st
      uid: b4eb866f-e020-4bee-9a53-05a46b5f4185
      resourceVersion: '1458741'
      generation: 1
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
      annotations:
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
        nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
        nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
        nginx.ingress.kubernetes.io/proxy-buffers-number: '8'
        nginx.ingress.kubernetes.io/rewrite-target: /
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: networking.k8s.io/v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
                f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
                f:nginx.ingress.kubernetes.io/proxy-buffer-size: {}
                f:nginx.ingress.kubernetes.io/proxy-buffers-number: {}
                f:nginx.ingress.kubernetes.io/rewrite-target: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
            f:spec:
              f:ingressClassName: {}
              f:rules: {}
              f:tls: {}
        - manager: nginx-ingress-controller
          operation: Update
          apiVersion: networking.k8s.io/v1
          time: '2022-05-08T04:44:14Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:status:
              f:loadBalancer:
                f:ingress: {}
          subresource: status
    spec:
      ingressClassName: nginx
      tls:
        - hosts:
            - mos-st-administration
          secretName: mos-tls
      rules:
        - host: mos-st-administration
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: mos-st-administration
                    port:
                      number: 80
    status:
      loadBalancer:
        ingress:
          - hostname: localhost
    

    And for the .NET code, I still use the default template.

  • User Avatar
    0
    pei.chen@cpy.com.hk created

    Authserver:

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: mos-st-authserver
      namespace: mos-st
      uid: fd70d8ec-d3f9-464c-b5a9-b1be44174758
      resourceVersion: '1474532'
      generation: 1
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
      annotations:
        deployment.kubernetes.io/revision: '2'
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: apps/v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
            f:spec:
              f:progressDeadlineSeconds: {}
              f:replicas: {}
              f:revisionHistoryLimit: {}
              f:selector: {}
              f:strategy:
                f:rollingUpdate:
                  .: {}
                  f:maxSurge: {}
                  f:maxUnavailable: {}
                f:type: {}
              f:template:
                f:metadata:
                  f:labels:
                    .: {}
                    f:app: {}
                f:spec:
                  f:containers:
                    k:{"name":"mos-st-authserver"}:
                      .: {}
                      f:env:
                        .: {}
                        k:{"name":"App__CorsOrigins"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"App__RedirectAllowedUrls"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"App__SelfUrl"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"AuthServer__Authority"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"AuthServer__RequireHttpsMetadata"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ConnectionStrings__AdministrationService"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ConnectionStrings__IdentityService"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ConnectionStrings__SaasService"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"DOTNET_ENVIRONMENT"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"ElasticSearch__Url"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"RabbitMQ__Connections__Default__HostName"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"Redis__Configuration"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                        k:{"name":"StringEncryption__DefaultPassPhrase"}:
                          .: {}
                          f:name: {}
                          f:value: {}
                      f:image: {}
                      f:imagePullPolicy: {}
                      f:name: {}
                      f:ports:
                        .: {}
                        k:{"containerPort":80,"protocol":"TCP"}:
                          .: {}
                          f:containerPort: {}
                          f:name: {}
                          f:protocol: {}
                        k:{"containerPort":443,"protocol":"TCP"}:
                          .: {}
                          f:containerPort: {}
                          f:name: {}
                          f:protocol: {}
                      f:resources: {}
                      f:terminationMessagePath: {}
                      f:terminationMessagePolicy: {}
                  f:dnsPolicy: {}
                  f:imagePullSecrets:
                    .: {}
                    k:{"name":"regcred"}: {}
                  f:restartPolicy: {}
                  f:schedulerName: {}
                  f:securityContext: {}
                  f:terminationGracePeriodSeconds: {}
        - manager: kube-controller-manager
          operation: Update
          apiVersion: apps/v1
          time: '2022-05-08T07:38:05Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                f:deployment.kubernetes.io/revision: {}
            f:status:
              f:availableReplicas: {}
              f:collisionCount: {}
              f:conditions:
                .: {}
                k:{"type":"Available"}:
                  .: {}
                  f:lastTransitionTime: {}
                  f:lastUpdateTime: {}
                  f:message: {}
                  f:reason: {}
                  f:status: {}
                  f:type: {}
                k:{"type":"Progressing"}:
                  .: {}
                  f:lastTransitionTime: {}
                  f:lastUpdateTime: {}
                  f:message: {}
                  f:reason: {}
                  f:status: {}
                  f:type: {}
              f:observedGeneration: {}
              f:readyReplicas: {}
              f:replicas: {}
              f:updatedReplicas: {}
          subresource: status
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: mos-st-authserver
      template:
        metadata:
          creationTimestamp: null
          labels:
            app: mos-st-authserver
        spec:
          containers:
            - name: mos-st-authserver
              image: >-
                359134898311.dkr.ecr.ap-east-1.amazonaws.com/mos-app-authserver:latest
              ports:
                - name: http
                  containerPort: 80
                  protocol: TCP
                - name: https
                  containerPort: 443
                  protocol: TCP
              env:
                - name: App__SelfUrl
                  value: https://mos-st-authserver
                - name: App__CorsOrigins
                  value: >-
                    https://mos-st-gateway-web,https://mos-st-gateway-web-public,https://mos-st-identity,https://mos-st-administration,https://mos-st-saas,https://mos-st-product,https://mos-st-client,https://mos-st-notification
                - name: App__RedirectAllowedUrls
                  value: https://mos-st-web
                - name: ConnectionStrings__IdentityService
                  value: >-
                    Server=mos-st-sqldb,1433;Database=MOS_Identity;User
                    Id=sa;password=myPassw@rd
                - name: ConnectionStrings__AdministrationService
                  value: >-
                    Server=mos-st-sqldb,1433;Database=MOS_Administration;User
                    Id=sa;password=myPassw@rd
                - name: ConnectionStrings__SaasService
                  value: >-
                    Server=mos-st-sqldb,1433;Database=MOS_Saas;User
                    Id=sa;password=myPassw@rd
                - name: AuthServer__Authority
                  value: http://mos-st-authserver
                - name: AuthServer__RequireHttpsMetadata
                  value: 'false'
                - name: DOTNET_ENVIRONMENT
                  value: Staging
                - name: Redis__Configuration
                  value: mos-st-redis
                - name: StringEncryption__DefaultPassPhrase
                  value: gsKnGZ041HLL4IM8
                - name: RabbitMQ__Connections__Default__HostName
                  value: mos-st-rabbitmq
                - name: ElasticSearch__Url
                  value: http://mos-st-elasticsearch
              resources: {}
              terminationMessagePath: /dev/termination-log
              terminationMessagePolicy: File
              imagePullPolicy: IfNotPresent
          restartPolicy: Always
          terminationGracePeriodSeconds: 30
          dnsPolicy: ClusterFirst
          securityContext: {}
          imagePullSecrets:
            - name: regcred
          schedulerName: default-scheduler
      strategy:
        type: RollingUpdate
        rollingUpdate:
          maxUnavailable: 25%
          maxSurge: 25%
      revisionHistoryLimit: 10
      progressDeadlineSeconds: 600
    status:
      observedGeneration: 1
      replicas: 1
      updatedReplicas: 1
      readyReplicas: 1
      availableReplicas: 1
      conditions:
        - type: Available
          status: 'True'
          lastUpdateTime: '2022-05-08T04:44:24Z'
          lastTransitionTime: '2022-05-08T04:44:24Z'
          reason: MinimumReplicasAvailable
          message: Deployment has minimum availability.
        - type: Progressing
          status: 'True'
          lastUpdateTime: '2022-05-08T07:38:05Z'
          lastTransitionTime: '2022-05-08T04:43:48Z'
          reason: NewReplicaSetAvailable
          message: ReplicaSet "mos-st-authserver-786b955d9" has successfully progressed.
      collisionCount: 1
    
    
    kind: Service
    apiVersion: v1
    metadata:
      name: mos-st-authserver
      namespace: mos-st
      uid: d697633c-6212-4866-9629-957b79b182e5
      resourceVersion: '1474383'
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
        name: mos-st-authserver
      annotations:
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
                f:name: {}
            f:spec:
              f:internalTrafficPolicy: {}
              f:ports:
                .: {}
                k:{"port":80,"protocol":"TCP"}:
                  .: {}
                  f:name: {}
                  f:port: {}
                  f:protocol: {}
                  f:targetPort: {}
              f:selector: {}
              f:sessionAffinity: {}
              f:type: {}
    spec:
      ports:
        - name: '80'
          protocol: TCP
          port: 80
          targetPort: 80
      selector:
        app: mos-st-authserver
      clusterIP: 10.107.232.76
      clusterIPs:
        - 10.107.232.76
      type: ClusterIP
      sessionAffinity: None
      ipFamilies:
        - IPv4
      ipFamilyPolicy: SingleStack
      internalTrafficPolicy: Cluster
    status:
      loadBalancer: {}
    
    
    kind: Ingress
    apiVersion: networking.k8s.io/v1
    metadata:
      name: mos-st-authserver-ingress
      namespace: mos-st
      uid: 1f83db9c-77d5-42e0-87b2-04c380eb2152
      resourceVersion: '1458727'
      generation: 1
      creationTimestamp: '2022-05-08T04:43:48Z'
      labels:
        app.kubernetes.io/managed-by: Helm
      annotations:
        meta.helm.sh/release-name: mos-st
        meta.helm.sh/release-namespace: mos-st
        nginx.ingress.kubernetes.io/configuration-snippet: |
          more_set_input_headers "from-ingress: true";
        nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
        nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
        nginx.ingress.kubernetes.io/proxy-buffers-number: '8'
        nginx.ingress.kubernetes.io/rewrite-target: /
      managedFields:
        - manager: helm
          operation: Update
          apiVersion: networking.k8s.io/v1
          time: '2022-05-08T04:43:48Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:metadata:
              f:annotations:
                .: {}
                f:meta.helm.sh/release-name: {}
                f:meta.helm.sh/release-namespace: {}
                f:nginx.ingress.kubernetes.io/configuration-snippet: {}
                f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
                f:nginx.ingress.kubernetes.io/proxy-buffer-size: {}
                f:nginx.ingress.kubernetes.io/proxy-buffers-number: {}
                f:nginx.ingress.kubernetes.io/rewrite-target: {}
              f:labels:
                .: {}
                f:app.kubernetes.io/managed-by: {}
            f:spec:
              f:ingressClassName: {}
              f:rules: {}
              f:tls: {}
        - manager: nginx-ingress-controller
          operation: Update
          apiVersion: networking.k8s.io/v1
          time: '2022-05-08T04:44:13Z'
          fieldsType: FieldsV1
          fieldsV1:
            f:status:
              f:loadBalancer:
                f:ingress: {}
          subresource: status
    spec:
      ingressClassName: nginx
      tls:
        - hosts:
            - mos-st-authserver
          secretName: mos-tls
      rules:
        - host: mos-st-authserver
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: mos-st-authserver
                    port:
                      number: 80
    status:
      loadBalancer:
        ingress:
          - hostname: localhost
    
  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Overriding seems okay though.

    Can you share the log again after adding Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; and make a new request?

    It should have detailed information about this log:

    [08:30:02 INF] Request starting HTTP/1.1 GET http://mos-st-administration/api/language-management/languages/all - -
    [08:30:02 ERR] Exception occurred while processing message.
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
     ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
    
  • User Avatar
    0
    pei.chen@cpy.com.hk created

    Overriding seems okay though.

    Can you share the log again after adding Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; and make a new request?

    It should have detailed information about this log:

    [08:30:02 INF] Request starting HTTP/1.1 GET http://mos-st-administration/api/language-management/languages/all - - 
    [08:30:02 ERR] Exception occurred while processing message. 
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'. 
     ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'. 
    

    Thank you for your advice. After adding Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; I found out that the IDX20803 error is caused by the AddAbpOpenIdConnect without ValidIssuers named with https. Add the following code to context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>);

                    options.TokenValidationParameters.ValidIssuers = new [] {
                        "https://mos-st-authserver"
                    };
    

    It works for me to call the API with the token from "https://mos-st-authserver". But the swagger client auth still has the error "mixed content".

    swagger-ui-bundle.js:2 Mixed Content: The page at 'https://mos-st-product/swagger/index.html' was loaded over HTTPS, but requested an insecure resource 'http://mos-st-authserver/connect/token'. This content should also be served over HTTPS.
    

    If I change the Chrome security setting, the error changes to

    Access to fetch at 'http://mos-st-authserver/connect/token' from origin 'https://mos-st-product' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.
    

    Now I am focusing on the blazor-server-client https://mos-st-web/. When I want to log in from https://mos-st-web/, here is the error log in auth-server:

    [08:41:35 INF] Request starting HTTP/1.1 GET http://mos-st-authserver/connect/authorize?client_id=MOS_BlazorServer&redirect_uri=http%3A%2F%2Fmos-st-web%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20role%20email%20phone%20AccountService%20IdentityService%20AdministrationService%20SaasService%20ProductService%20ClientService%20NotificationService&response_mode=form_post&nonce=637879416953018402.YTE3YTQyNjgtMTJjNC00NzZjLWFjMmUtYjhiNDYyMDdkZmJiZjdlMjA4NWEtZDAyYi00OTFmLTk1ZWQtY2E5ZDg5OTg0NDk2&state=CfDJ8D0lQb5tKTBFn4uvn3Xu6kTrGlmQ5pIAHO9_xiwDvTtF4TXcIPLylJ5oUw6jKOI3HrO1Wa2DeNoSknjhVjluYVGkT-Ts5ddwQazu-vhuSGcykxdqXiYnFWo0l94A1EUClJBVxx_nwpxgTl31-InEMWgDY9cB5VVa9g0If-JP9_7DZYNqeKKfVGixysAzse3QQaix4BIyfnZarJ4u6ngtGuQrpvUT8Sc1nX72f6g5AEkUVWQBgcKIG_7brkMLL30U3bza7dxohmG4BmoywziAlwynG8kzcsb_1YpklsV1kQj1&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0 - -
    [08:41:35 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
    [08:41:35 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
    [08:41:36 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
    [08:41:36 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
    [08:41:36 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
    [08:41:36 ERR] Invalid redirect_uri: http://mos-st-web/signin-oidc
    {"ClientId": "MOS_BlazorServer", "ClientName": "MOS_BlazorServer", "RedirectUri": null, "AllowedRedirectUris": ["https://mos-st-web/signin-oidc"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"client_id": "MOS_BlazorServer", "redirect_uri": "http://mos-st-web/signin-oidc", "response_type": "code id_token", "scope": "openid profile role email phone AccountService IdentityService AdministrationService SaasService ProductService ClientService NotificationService", "response_mode": "form_post", "nonce": "637879416953018402.YTE3YTQyNjgtMTJjNC00NzZjLWFjMmUtYjhiNDYyMDdkZmJiZjdlMjA4NWEtZDAyYi00OTFmLTk1ZWQtY2E5ZDg5OTg0NDk2", "state": "CfDJ8D0lQb5tKTBFn4uvn3Xu6kTrGlmQ5pIAHO9_xiwDvTtF4TXcIPLylJ5oUw6jKOI3HrO1Wa2DeNoSknjhVjluYVGkT-Ts5ddwQazu-vhuSGcykxdqXiYnFWo0l94A1EUClJBVxx_nwpxgTl31-InEMWgDY9cB5VVa9g0If-JP9_7DZYNqeKKfVGixysAzse3QQaix4BIyfnZarJ4u6ngtGuQrpvUT8Sc1nX72f6g5AEkUVWQBgcKIG_7brkMLL30U3bza7dxohmG4BmoywziAlwynG8kzcsb_1YpklsV1kQj1", "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "6.10.0.0"}, "$type": "AuthorizeRequestValidationLog"}
    [08:41:36 ERR] Request validation failed
    

    I think the redirect_uri=http://mos-st-web/signin-oidc should be https://mos-st-web/signin-oidc. How can I change this request, and fix "Identity.Application was not authenticated. Failure message: Unprotect ticket failed"?

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    I think the redirect_uri=http://mos-st-web/signin-oidc should be https://mos-st-web/signin-oidc

    Yes, you are right. Redirect URI must match with OpenId Connect options and the one saved in the database when creating the client.

    You can update it from the database manually or from the IdentityServerDataSeeder and re-create DB and re-seed.
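
Added example (not part of the thread, and not ABP or IdentityServer code): a Python check that reads the AuthorizeRequestValidationLog entry and the Deployment env values posted above and reports the http/https mismatches the thread runs into. The sample inputs are abridged from the thread; the function names and the whole-string redirect comparison are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Abridged from the AuthorizeRequestValidationLog entry in the thread
# (nonce, state and scope dropped; the remaining values are the thread's own).
SAMPLE_LOG = json.dumps({
    "ClientId": "MOS_BlazorServer",
    "AllowedRedirectUris": ["https://mos-st-web/signin-oidc"],
    "Raw": {
        "client_id": "MOS_BlazorServer",
        "redirect_uri": "http://mos-st-web/signin-oidc",
    },
    "$type": "AuthorizeRequestValidationLog",
})

# Subset of the env block of the mos-st-administration Deployment posted above.
SAMPLE_ENV = {
    "App__SelfUrl": "https://mos-st-administration",
    "AuthServer__Authority": "http://mos-st-authserver",
    "AuthServer__RequireHttpsMetadata": "false",
    "IdentityClients__Default__Authority": "http://mos-st-authserver",
    "RemoteServices__Default__BaseUrl": "http://mos-st-gateway-web",
}


def _without_scheme(uri):
    """Return everything that identifies the URI except its scheme."""
    parts = urlsplit(uri)
    return (parts.netloc.lower(), parts.path, parts.query)


def diagnose_redirect(log_line):
    """Explain why the redirect_uri in a validation log entry was rejected.

    Verdicts: "match", "scheme_mismatch" (a registered URI differs only in
    http vs https), "unregistered", or "missing" (no redirect_uri logged).
    """
    entry = json.loads(log_line)
    requested = entry.get("Raw", {}).get("redirect_uri")
    allowed = entry.get("AllowedRedirectUris") or []
    if requested is None:
        return {"verdict": "missing", "requested": None, "candidates": []}
    # Assumption of this example: registered URIs are compared as whole strings.
    if requested in allowed:
        return {"verdict": "match", "requested": requested, "candidates": [requested]}
    candidates = [
        uri for uri in allowed
        if _without_scheme(uri) == _without_scheme(requested)
        and urlsplit(uri).scheme != urlsplit(requested).scheme
    ]
    verdict = "scheme_mismatch" if candidates else "unregistered"
    return {"verdict": verdict, "requested": requested, "candidates": candidates}


def audit_env(env):
    """Flag env settings that mix an https-served app with an http authority."""
    findings = []
    self_scheme = urlsplit(env.get("App__SelfUrl", "")).scheme
    for key, value in sorted(env.items()):
        if key.endswith("Authority") and urlsplit(value).scheme == "http":
            if self_scheme == "https":
                findings.append((key, "http authority on an https-served app: "
                                      "issuer and browser token requests use http"))
    if env.get("AuthServer__RequireHttpsMetadata", "true").lower() == "false":
        findings.append(("AuthServer__RequireHttpsMetadata",
                         "discovery document is fetched without TLS"))
    return findings


if __name__ == "__main__":
    print(diagnose_redirect(SAMPLE_LOG))
    for key, reason in audit_env(SAMPLE_ENV):
        print(f"{key}: {reason}")
```

A "scheme_mismatch" verdict means the client registration and the URL the application builds for itself disagree only on http versus https, which is the situation in the auth-server log above.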

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09