Open Closed

Synchronous Communication between Microservices #6506


User avatar
0
abp4@feelaware.com created
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (PostgreSQ)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

When deploying to Docker When calling another microservie using "Synchronous Communication between Microservices", the error below occurs.

I need help.

[03:41:42 INF] Sending HTTP request GET https://1.1.1.1:55555/.well-known/openid-configuration [03:41:42 ERR] ---------- RemoteServiceErrorInfo ---------- { "code": null, "message": "An internal error occurred during your request!", "details": null, "data": {}, "validationErrors": null }

[03:41:42 ERR] Could not retrieve the OpenId Connect discovery document! ErrorType: Exception. Error: Error connecting to https://1.1.1.1:55555/.well-known/openid-configuration. The SSL connection could not be established, see inner exception.. Volo.Abp.AbpException: Could not retrieve the OpenId Connect discovery document! ErrorType: Exception. Error: Error connecting to https://1.1.1.1:55555/.well-known/openid-configuration. The SSL connection could not be established, see inner exception.. at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.GetDiscoveryResponse(IdentityClientConfiguration configuration) at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.CreateClientCredentialsTokenRequestAsync(IdentityClientConfiguration configuration) at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.GetTokenResponse(IdentityClientConfiguration configuration) at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.GetAccessTokenAsync(IdentityClientConfiguration configuration) at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.GetAccessTokenOrNullAsync(String identityClientName) at Volo.Abp.IdentityModel.IdentityModelAuthenticationService.TryAuthenticateAsync(HttpClient client, String identityClientName) at Volo.Abp.Http.Client.IdentityModel.IdentityModelRemoteServiceHttpClientAuthenticator.Authenticate(RemoteServiceHttpClientAuthenticateContext context) at Volo.Abp.Http.Client.ClientProxying.ClientProxyBase1.RequestAsync(ClientProxyRequestContext requestContext) at Volo.Abp.Http.Client.ClientProxying.ClientProxyBase1.RequestAsync[T](ClientProxyRequestContext requestContext) at Volo.Abp.Http.Client.ClientProxying.ClientProxyBase1.RequestAsync[T](String methodName, ClientProxyRequestTypeValue arguments) at SCH.AdminPortalService.Projects.ProjectClientProxy.GetListAsync(GetProjectsInput input) in /var/lib/jenkins/workspace/SmartCloudHub-Docker/services/adminPortal/src/SCH.AdminPortalService.HttpApi.Client/ClientProxies/SCH/AdminPortalService/Projects/ProjectClientProxy.Generated.cs:line 22 at lambda_method1500(Closure, Object) at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(ActionContext actionContext, IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeActionMethodAsync>g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask1 actionResultValueTask) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeNextActionFilterAsync>g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.<InvokeInnerFilterAsync>g__Awaited|13_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) [03:41:42 INF] Executing ObjectResult, writing value of type 'Volo.Abp.Http.RemoteServiceErrorResponse'.


4 Answer(s)
  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hi,

    please check this similar issue https://support.abp.io/QA/Questions/4558/The-SSL-connection-could-not-be-established-see-inner-exception--BLAZOR-SERVER

    also check this discussion https://github.com/abpframework/abp/issues/11844

    thanks

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    In the MVC/BlazorServer apps, you can see a configuration as below under the OpenIdConnect configuration:

    if (Convert.ToBoolean(configuration["AuthServer:IsOnK8s"]))
        {
            context.Services.Configure<OpenIdConnectOptions>("oidc", options =>
            {
                options.MetadataAddress = configuration["AuthServer:MetaAddress"]!.EnsureEndsWith('/') +
                                          ".well-known/openid-configuration";
    
                var previousOnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProvider;
                options.Events.OnRedirectToIdentityProvider = async ctx =>
                {
                    // Intercept the redirection so the browser navigates to the right URL in your host
                    ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"]!.EnsureEndsWith('/') + "connect/authorize";
    
                    if (previousOnRedirectToIdentityProvider != null)
                    {
                        await previousOnRedirectToIdentityProvider(ctx);
                    }
                };
                var previousOnRedirectToIdentityProviderForSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
                options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
                {
                    // Intercept the redirection for signout so the browser navigates to the right URL in your host
                    ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"]!.EnsureEndsWith('/') + "connect/logout";
    
                    if (previousOnRedirectToIdentityProviderForSignOut != null)
                    {
                        await previousOnRedirectToIdentityProviderForSignOut(ctx);
                    }
                };
            });
    

    You should be setting [AuthServer:IsOnK8s] to true since you are running it on containers; which means you will be logging in through the browser but obtaining/validating the tokens through the internal network. Set the [AuthServerMetaAddress] to real DNS. Set the [AuthServerMetaAddress] to internal docker service address.

  • User Avatar
    0
    abp4@feelaware.com created

    Hi,

    please check this similar issue https://support.abp.io/QA/Questions/4558/The-SSL-connection-could-not-be-established-see-inner-exception--BLAZOR-SERVER

    also check this discussion https://github.com/abpframework/abp/issues/11844

    thanks

    thank you for your help.

    I checked it and The general web - gateway - service route works well, but this phenomenon only occurs in communication between microservices.

  • User Avatar
    0
    gterdem created
    Senior .NET Developer

    Okay, now I understand.

    First, for microservice-to-microservice calls, we introduced Integration Services. We strongly recomment using integration services for this kind of usage.

    If you want to keep using existing authorized endpoints, you probably have IdentityClient configuration as below:

    "IdentityClients": {
        "Default": {
          "GrantType": "client_credentials", 
          "ClientId": "BookStore_OrderService",
          "ClientSecret": "1q2w3e*",
          "Authority": "https://localhost:44322", -> On production this must be the internal service name
          "Scope": "ProductService"
        }
      }
    

    Instead of using https://10.200.40.25:44322 try using docker service name something like http://myauthservice.

    The token validation etc should be (will be) done through the internal network.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35