Unable to get auth config in #9592

19 Answer(s)

• 

  0

  AI-Bot created 2 months ago

  Support Team ABP Agent

  To resolve the "This server only accepts HTTPS requests" error from OpenIddict when running your ABP AuthServer behind Nginx on Linux, you need to explicitly disable the HTTPS requirement in your configuration. By default, OpenIddict enforces HTTPS for security, but in reverse proxy scenarios (like Nginx terminating SSL), your backend app only sees HTTP traffic.

  Solution:

  1. In your appsettings.json, set:

     "AuthServer": {
       "Authority": "https://auth.mysite.it",
       "RequireHttpsMetadata": "false",
       "SwaggerClientId": "WebGateway_Swagger"
     }
     

  2. In your AuthServer module, add the following configuration to disable the transport security requirement when RequireHttpsMetadata is false:

     if (!Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]))
     {
         Configure<OpenIddictServerAspNetCoreOptions>(options =>
         {
             options.DisableTransportSecurityRequirement = true;
         });
     }
     

  3. Ensure your Nginx is correctly forwarding headers (X-Forwarded-Proto) so that ABP/OpenIddict can detect the original HTTPS scheme.

  Note: The Authority should still be set to your public HTTPS URL (https://auth.mysite.it). Disabling the HTTPS requirement only affects backend validation, not the public endpoints.

  Reference Implementation: https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment

  Summary:

  • Set "RequireHttpsMetadata": "false" in your config.
  • Add the DisableTransportSecurityRequirement code in your AuthServer.
  • Make sure Nginx forwards the correct headers.

  This will allow your OpenIddict endpoints (like /.well-known/jwks) to be accessible behind a reverse proxy using HTTPS, even though your backend listens on HTTP.

  Sources:

  • https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  You can also try to set ctx.Request.Scheme to https if your app is behind an HTTPS reverse proxy.

  public override void OnApplicationInitialization(ApplicationInitializationContext context)
  {
      var app = context.GetApplicationBuilder();
      var env = context.GetEnvironment();
  
      app.Use((ctx, next) =>
      {
          ctx.Request.Scheme = "https";
          return next();
      });
     /...
  

  Thanks.

  Save Cancel
• 

  0

  andmattia created 2 months ago

  If I use

  "AuthServer": {
    "Authority": "https://auth.mysite.it",
    "RequireHttpsMetadata": "false",
    "SwaggerClientId": "WebGateway_Swagger"
  }
  

  It works but angular not work and way in 9,1,3 works in https?

  in Angular I've this issue

  main.e261e1928bc16e78.js:1 error validating authorization_endpoint in discovery document (2) ['https for all urls required. Also for urls received by discovery.', 'Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']
  

  With false flag

  {
    "issuer": "https://auth.mysite.it/",
    "authorization_endpoint": "http://auth.mysite.it/connect/authorize",
    "token_endpoint": "http://auth.mysite.it/connect/token",
    "introspection_endpoint": "http://auth.mysite.it/connect/introspect",
    "end_session_endpoint": "http://auth.mysite.it/connect/logout",
    "revocation_endpoint": "http://auth.mysite.it/connect/revocat",
    "userinfo_endpoint": "http://auth.mysite.it/connect/userinfo",
    "device_authorization_endpoint": "http://auth.mysite.it/device",
    "jwks_uri": "http://auth.mysite.it/.well-known/jwks",
    ...
  

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  Can you SetIssuer to https website url?

  public override void PreConfigureServices(ServiceConfigurationContext context)
  {
      //...
      PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
      {
          serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
      });
      //...
  }
  

  Save Cancel
• 

  0

  andmattia created 2 months ago

  I've already this row

  if (!hostingEnvironment.IsDevelopment())
          {
              PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
              {
                  options.AddDevelopmentEncryptionAndSigningCertificate = false;
              });
  
              PreConfigure<OpenIddictServerBuilder>(builder =>
              {
                  builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                  builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                  builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
              });
          }
  

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  Please share the full module code.

  Have you added this code?

  

  liming.ma@volosoft.com

  Thanks.

  Save Cancel
• 

  0

  andmattia created 2 months ago

  I sent to you Auth module, appsetings and nginx configuration

  Save Cancel
• 

  0

  andmattia created 2 months ago

  I do a simple test in service with 9.1.3 a call

  authserver/.well-known/openid-configuration

  If I call from http not exposed port the auth service and do the same in https exposes port.

  The result change

  call from http http://lnx-ngx-app2:5001/.well-known/openid-configuration

  {
    "issuer": "https://uat.auth.myapp9.com/",
    "authorization_endpoint": "http://lnx-ngx-app2:5001/connect/authorize",
    "token_endpoint": "http://lnx-ngx-app2:5001/connect/token",
    "introspection_endpoint": "http://lnx-ngx-app2:5001/connect/introspect",
    "end_session_endpoint": "http://lnx-ngx-app2:5001/connect/endsession",
    "revocation_endpoint": "http://lnx-ngx-app2:5001/connect/revocat",
    "userinfo_endpoint": "http://lnx-ngx-app2:5001/connect/userinfo",
    "device_authorization_endpoint": "http://lnx-ngx-app2:5001/device",
    
  

  https://uat.auth.myapp9.com/.well-known/openid-configuration

  {
    "issuer": "https://uat.auth.myapp9.com/",
    "authorization_endpoint": "https://uat.auth.myapp9.com/connect/authorize",
    "token_endpoint": "https://uat.auth.myapp9.com/connect/token",
    "introspection_endpoint": "https://uat.auth.myapp9.com/connect/introspect",
    "end_session_endpoint": "https://uat.auth.myapp9.com/connect/endsession",
    "revocation_endpoint": "https://uat.auth.myapp9.com/connect/revocat",
    "userinfo_endpoint": "https://uat.auth.myapp9.com/connect/userinfo",
    "device_authorization_endpoint": "https://uat.auth.myapp9.com/device",
    "jwks_uri": "https://uat.auth.myapp9.com/.well-known/jwks",
    "gran
  

  in microservice 9 the appsettings is configured

  
   "AuthServer": {
          "Authority": "https://uat.auth.myapp9.com",
          "RequireHttpsMetadata": true,
          "SwaggerClientId": "SwaggerUI",
          "CertificatePassPhrase": "...."
      },
  

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  Can you try to always set https ?

  app.Use(async (ctx, next) =>
  {
      ctx.Request.Scheme = "https";
      await next();
  });
  

  If it's not working, please share the debug logs of AuthServer.

  See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

  
  var loggerConfiguration = new LoggerConfiguration()
      .MinimumLevel.Debug()
      .MinimumLevel.Override("Microsoft.EntityFrameworkCore", LogEventLevel.Warning)
      .MinimumLevel.Override("OpenIddict", LogEventLevel.Verbose)
      .Enrich.FromLogContext()
      .WriteTo.Async(c => c.File("Logs/logs.txt"))
  

  Save Cancel
• 

  0

  andmattia created 2 months ago

  I'll try on machine exposed I've an other auth, version v7.4.5, not microservice but angular with api and auth separeted. and it work with flag https set to true

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  We need to make the below scheme to be https://

  

  Save Cancel
• 

  0

  andmattia created 2 months ago

  Ok, I add this code

  app.Use(async (ctx, next) =>
  {
      ctx.Request.Scheme = "https";
      await next();
  });
  

  In place the original and now the error on oAuth is disapear but on API and APP still not working.

  API say if try to authenticate a single micro service (CORS work)

  http://lnx-ngx-mc01:41367/abp/Swashbuckle/SetCsrfCookie -> 500

  http://lnx-ngx-mc01:41367/api/abp/api-definition?IncludeTypes=false -> 500

  If I try from gateway only auth works but all microservices say mix mode blocked http // https

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  Can you share the all related websites logs for the 500 error?

  See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems to enable debug logs and share the logs.txt files

  Thanks.

  Save Cancel
• 

  0

  andmattia created 2 months ago

  Now I do another test.

  IdentityService if I try to open http://lnx-ngx-mc1:46388/api/abp/api-definition?IncludeTypes=false whituout autehntication it works

  I do authentication I get this error on Identity logs

  [13:39:30 ERR] Exception occurred while processing message. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
  System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
     at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
  [13:39:30 ERR] Connection id "0HNDVKS5M639C", Request id "0HNDVKS5M639C:00000001": An unhandled exception was thrown by the application. &lt;s:Microsoft.AspNetCore.Server.Kestrel&gt;
  System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
     at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
     at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
     at Prometheus.HttpMetrics.HttpRequestDurationMiddleware.Invoke(HttpContext context)
     at Prometheus.HttpMetrics.HttpRequestCountMiddleware.Invoke(HttpContext context)
     at Prometheus.HttpMetrics.HttpInProgressMiddleware.Invoke(HttpContext context)
     at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
     at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
  --- End of stack trace from previous location ---
     at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
     at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
     at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
  --- End of stack trace from previous location ---
     at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
     at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
  --- End of stack trace from previous location ---
     at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
  [13:40:14 INF] Lock is acquired for TokenCleanupBackgroundWorker <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker>
  [13:40:14 INF] Start cleanup. <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupService>
  

  Save Cancel
• 

  0

  andmattia created 2 months ago

  I found the correct path:

  NGinx exposed: ng-01 (auth,api,app) -> reverse to -> mc-01 NGinx internal: mc-01

  I set the host in mc-01 to route traffic to ng-01 beacuse the auth,api,app are configured in this host.

  In the next days I try to change microservice to use local url on mc-01. For ex in idenitity I set the auth server not to auth....com but mc-01:43645 or mc-01:5001 I think it works as well

  Save Cancel
• 

  0

  andmattia created 2 months ago

  The last issue is relate to IP i see all operation came form 127.0.0.1

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  You can use ForwardedHeaders feature.

  https://abp.io/support/questions/1950/How-to-use-a-custom-HTTP-header-to-get-the-client-remote-IP-address

  Save Cancel
• 

  0

  andmattia created 2 months ago

  And I need to set this only on Host and Gateway or in all microservices?

  Save Cancel
• 

  0

  maliming created 2 months ago

  Support Team Fullstack Developer

  hi

  In all microservice/apps projects.

  Save Cancel