I've published an Auth server for a microservice with ABP 7.4.5 on Linux, but I get this error:
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachWwwAuthenticateHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 INF] The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}. <s:OpenIddict.Server.OpenIddictServerDispatcher>
My configuration is Linux Ubuntu with Nginx working as reverse proxy, and a Linux machine working as application machine. On the application machine I have a process with the auth server:
    /var/www/auth-service/myapp.AuthServer --urls=http://0.0.0.0:5007
If I try to access the auth server everything works fine, I'm able to log in and get user and log data, but if I try to open https://auth.mysite.it/.well-known/jwks or http://lnx-app:5007/.well-known/jwks I get
    {
      "error": "invalid_request",
      "error_description": "This server only accepts HTTPS requests.",
      "error_uri": "https://documentation.openiddict.com/errors/ID2083"
    }
If I change my app settings from true to false, I have the Issuer in https and the other endpoints in http:
    "AuthServer": {
      "Authority": "https://auth.mysite.it",
      "RequireHttpsMetadata": "false", <--- works but Angular gets an error
      "SwaggerClientId": "WebGateway_Swagger"
    },
I have the same schema on ABP 9.1.3 and it works fine; also the same build in 7.4.5 works fine in IIS on Windows Server.
19 Answer(s)
-
0
To resolve the "This server only accepts HTTPS requests" error from OpenIddict when running your ABP AuthServer behind Nginx on Linux, you need to explicitly disable the HTTPS requirement in your configuration. By default, OpenIddict enforces HTTPS for security, but in reverse proxy scenarios (like Nginx terminating SSL), your backend app only sees HTTP traffic.
Solution:
In your appsettings.json, set:
    "AuthServer": {
      "Authority": "https://auth.mysite.it",
      "RequireHttpsMetadata": "false",
      "SwaggerClientId": "WebGateway_Swagger"
    }
In your AuthServer module, add the following configuration to disable the transport security requirement when RequireHttpsMetadata is false:
    if (!Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]))
    {
        Configure<OpenIddictServerAspNetCoreOptions>(options =>
        {
            options.DisableTransportSecurityRequirement = true;
        });
    }
Ensure your Nginx is correctly forwarding headers (X-Forwarded-Proto) so that ABP/OpenIddict can detect the original HTTPS scheme.
Note: The Authority should still be set to your public HTTPS URL (https://auth.mysite.it). Disabling the HTTPS requirement only affects backend validation, not the public endpoints.
Reference Implementation: https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment
Summary:
- Set "RequireHttpsMetadata": "false" in your config.
- Add the DisableTransportSecurityRequirement code in your AuthServer.
- Make sure Nginx forwards the correct headers.
This will allow your OpenIddict endpoints (like /.well-known/jwks) to be accessible behind a reverse proxy using HTTPS, even though your backend listens on HTTP.
Sources:
- https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
You can also try to set ctx.Request.Scheme to https if your app is behind an HTTPS reverse proxy.
    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();
        var env = context.GetEnvironment();

        app.Use((ctx, next) =>
        {
            ctx.Request.Scheme = "https";
            return next();
        });
        //...
Thanks.
-
0
If I use
    "AuthServer": {
      "Authority": "https://auth.mysite.it",
      "RequireHttpsMetadata": "false",
      "SwaggerClientId": "WebGateway_Swagger"
    }
it works, but Angular doesn't work, and why does 9.1.3 work in https?
In Angular I have this issue:
    main.e261e1928bc16e78.js:1 error validating authorization_endpoint in discovery document (2) ['https for all urls required. Also for urls received by discovery.', 'Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']
With the false flag:
    {
      "issuer": "https://auth.mysite.it/",
      "authorization_endpoint": "http://auth.mysite.it/connect/authorize",
      "token_endpoint": "http://auth.mysite.it/connect/token",
      "introspection_endpoint": "http://auth.mysite.it/connect/introspect",
      "end_session_endpoint": "http://auth.mysite.it/connect/logout",
      "revocation_endpoint": "http://auth.mysite.it/connect/revocat",
      "userinfo_endpoint": "http://auth.mysite.it/connect/userinfo",
      "device_authorization_endpoint": "http://auth.mysite.it/device",
      "jwks_uri": "http://auth.mysite.it/.well-known/jwks",
      ...
-
0
hi
Can you SetIssuer to the https website url?
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        //...
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
        //...
    }
-
0
I already have this row:
    if (!hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });
        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
            builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
            builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
-
0
-
0
I sent you the Auth module, appsettings and nginx configuration.
-
0
I did a simple test in the service with 9.1.3, calling authserver/.well-known/openid-configuration.
If I call the auth service from the http non-exposed port and do the same on the https exposed port, the result changes.
Call from http: http://lnx-ngx-app2:5001/.well-known/openid-configuration
    {
      "issuer": "https://uat.auth.myapp9.com/",
      "authorization_endpoint": "http://lnx-ngx-app2:5001/connect/authorize",
      "token_endpoint": "http://lnx-ngx-app2:5001/connect/token",
      "introspection_endpoint": "http://lnx-ngx-app2:5001/connect/introspect",
      "end_session_endpoint": "http://lnx-ngx-app2:5001/connect/endsession",
      "revocation_endpoint": "http://lnx-ngx-app2:5001/connect/revocat",
      "userinfo_endpoint": "http://lnx-ngx-app2:5001/connect/userinfo",
      "device_authorization_endpoint": "http://lnx-ngx-app2:5001/device",
Call from https: https://uat.auth.myapp9.com/.well-known/openid-configuration
    {
      "issuer": "https://uat.auth.myapp9.com/",
      "authorization_endpoint": "https://uat.auth.myapp9.com/connect/authorize",
      "token_endpoint": "https://uat.auth.myapp9.com/connect/token",
      "introspection_endpoint": "https://uat.auth.myapp9.com/connect/introspect",
      "end_session_endpoint": "https://uat.auth.myapp9.com/connect/endsession",
      "revocation_endpoint": "https://uat.auth.myapp9.com/connect/revocat",
      "userinfo_endpoint": "https://uat.auth.myapp9.com/connect/userinfo",
      "device_authorization_endpoint": "https://uat.auth.myapp9.com/device",
      "jwks_uri": "https://uat.auth.myapp9.com/.well-known/jwks",
      "gran
In microservice 9 the appsettings is configured:
    "AuthServer": {
      "Authority": "https://uat.auth.myapp9.com",
      "RequireHttpsMetadata": true,
      "SwaggerClientId": "SwaggerUI",
      "CertificatePassPhrase": "...."
    },
-
0
hi
Can you try to always set https?
    app.Use(async (ctx, next) =>
    {
        ctx.Request.Scheme = "https";
        await next();
    });
If it's not working, please share the debug logs of AuthServer.
See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
    var loggerConfiguration = new LoggerConfiguration()
        .MinimumLevel.Debug()
        .MinimumLevel.Override("Microsoft.EntityFrameworkCore", LogEventLevel.Warning)
        .MinimumLevel.Override("OpenIddict", LogEventLevel.Verbose)
        .Enrich.FromLogContext()
        .WriteTo.Async(c => c.File("Logs/logs.txt"))
-
0
I'll try. On the exposed machine I have another auth, version v7.4.5, not microservice but Angular with API and auth separated, and it works with the https flag set to true.
-
0
-
0
OK, I added this code
    app.Use(async (ctx, next) =>
    {
        ctx.Request.Scheme = "https";
        await next();
    });
in place of the original, and now the error on OAuth has disappeared, but API and APP are still not working.
The API says, if I try to authenticate a single microservice (CORS works):
    http://lnx-ngx-mc01:41367/abp/Swashbuckle/SetCsrfCookie -> 500
    http://lnx-ngx-mc01:41367/api/abp/api-definition?IncludeTypes=false -> 500
If I try from the gateway only auth works, but all microservices say mixed mode blocked http // https.
-
0
Can you share all the related websites' logs for the 500 error?
See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems to enable debug logs and share the logs.txt files.
Thanks.
-
0
Now I did another test.
IdentityService: if I try to open http://lnx-ngx-mc1:46388/api/abp/api-definition?IncludeTypes=false without authentication it works.
If I do authentication I get this error in the Identity logs:
    [13:39:30 ERR] Exception occurred while processing message. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
       at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    [13:39:30 ERR] Connection id "0HNDVKS5M639C", Request id "0HNDVKS5M639C:00000001": An unhandled exception was thrown by the application. <s:Microsoft.AspNetCore.Server.Kestrel>
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
       at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
       at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpRequestDurationMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpRequestCountMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpInProgressMiddleware.Invoke(HttpContext context)
       at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
       at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
    [13:40:14 INF] Lock is acquired for TokenCleanupBackgroundWorker <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker>
    [13:40:14 INF] Start cleanup. <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupService>
-
0
I found the correct path:
    Nginx exposed: ng-01 (auth, api, app) -> reverse proxy to -> mc-01
    Nginx internal: mc-01
I set the host in mc-01 to route traffic to ng-01 because auth, api and app are configured on this host.
In the next days I'll try to change the microservices to use the local URL on mc-01. For example, in Identity I set the auth server not to auth....com but to mc-01:43645 or mc-01:5001; I think it works as well.
-
0
The last issue is related to the IP: I see all operations come from 127.0.0.1.
-
0
hi
You can use the ForwardedHeaders feature: https://abp.io/support/questions/1950/How-to-use-a-custom-HTTP-header-to-get-the-client-remote-IP-address
-
0
And do I need to set this only on the Host and Gateway, or in all microservices?
-
0
hi
In all microservice/apps projects.
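As an added example (not code from this thread, from ABP or from OpenIddict) that ties together the first answer's point about forwarding X-Forwarded-Proto and the last answer's ForwardedHeaders suggestion: an ABP module fragment that takes the scheme from a known Nginx address instead of hard-coding ctx.Request.Scheme = "https", and relaxes OpenIddict's HTTPS check only when AuthServer:RequireHttpsMetadata is false. The module name and the App:KnownProxies configuration key are assumptions.

```csharp
using System;
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Server.AspNetCore;
using Volo.Abp;
using Volo.Abp.Modularity;

// Hypothetical module name; in a real solution this belongs in the existing AuthServer module.
public class AuthServerForwardedHeadersModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();

        Configure<ForwardedHeadersOptions>(options =>
        {
            // Honour only X-Forwarded-For and X-Forwarded-Proto; X-Forwarded-Host is not needed here.
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
            // The defaults trust loopback only. Replace them with the proxies that actually front
            // this app, so a direct client cannot forge its scheme or source IP via these headers.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            // "App:KnownProxies" is an assumed key holding the reverse-proxy IP addresses.
            var proxies = configuration.GetSection("App:KnownProxies").Get<string[]>() ?? Array.Empty<string>();
            foreach (var ip in proxies)
            {
                options.KnownProxies.Add(IPAddress.Parse(ip));
            }
        });

        // Kestrel listens on plain HTTP behind TLS termination; relax OpenIddict's HTTPS check
        // only when the operator has opted out explicitly in configuration (the thread's flag).
        if (!configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata"))
        {
            Configure<OpenIddictServerAspNetCoreOptions>(options =>
            {
                options.DisableTransportSecurityRequirement = true;
            });
        }
    }

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        // Must run before authentication and OpenIddict so Request.Scheme is already "https"
        // when the discovery document URLs and the transport-security check are computed.
        context.GetApplicationBuilder().UseForwardedHeaders();
    }
}
```

If Nginx runs on the same host as the app (the 127.0.0.1 case above), App:KnownProxies must list 127.0.0.1 or ::1, because the loopback defaults are cleared; Nginx itself still has to send proxy_set_header X-Forwarded-Proto $scheme for the discovery document to come out with https URLs on the internal port.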