
Unable to get auth config in #9592


andmattia created

I've published an Auth server for a microservice with ABP 7.4.5 on Linux, but I get this error:

[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachWwwAuthenticateHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 INF] The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}. <s:OpenIddict.Server.OpenIddictServerDispatcher>

My configuration is Ubuntu Linux with Nginx working as a reverse proxy, and a Linux machine working as the application machine. On the application machine I have a process with auth:

/var/www/auth-service/myapp.AuthServer --urls=http://0.0.0.0:5007

If I try to access the auth server everything works fine: I'm able to log in and get user and log data. But if I try to open https://auth.mysite.it/.well-known/jwks or http://lnx-app:5007/.well-known/jwks

I get

{
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}

If I change my app settings from true to false, I have the Issuer in https but the other URLs in http:

"AuthServer": {
        "Authority": "https://auth.mysite.it",
        "RequireHttpsMetadata": "false", <--- works, but Angular gets an error
        "SwaggerClientId": "WebGateway_Swagger"
    },

I have the same schema on ABP 9.1.3 and it works fine; the same build on 7.4.5 also works fine in IIS on Windows Server.


19 Answer(s)
  • AI-Bot created
    Support Team ABP Agent

    To resolve the "This server only accepts HTTPS requests" error from OpenIddict when running your ABP AuthServer behind Nginx on Linux, you need to explicitly disable the HTTPS requirement in your configuration. By default, OpenIddict enforces HTTPS for security, but in reverse proxy scenarios (like Nginx terminating SSL), your backend app only sees HTTP traffic.

    Solution:

    1. In your appsettings.json, set:

      "AuthServer": {
        "Authority": "https://auth.mysite.it",
        "RequireHttpsMetadata": "false",
        "SwaggerClientId": "WebGateway_Swagger"
      }
      
    2. In your AuthServer module, add the following configuration to disable the transport security requirement when RequireHttpsMetadata is false:

      if (!Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]))
      {
          Configure<OpenIddictServerAspNetCoreOptions>(options =>
          {
              options.DisableTransportSecurityRequirement = true;
          });
      }
      
    3. Ensure your Nginx is correctly forwarding headers (X-Forwarded-Proto) so that ABP/OpenIddict can detect the original HTTPS scheme.

    Note: The Authority should still be set to your public HTTPS URL (https://auth.mysite.it). Disabling the HTTPS requirement only affects backend validation, not the public endpoints.

    Reference Implementation: https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment

    Summary:

    • Set "RequireHttpsMetadata": "false" in your config.
    • Add the DisableTransportSecurityRequirement code in your AuthServer.
    • Make sure Nginx forwards the correct headers.

    This will allow your OpenIddict endpoints (like /.well-known/jwks) to be accessible behind a reverse proxy using HTTPS, even though your backend listens on HTTP.

    Sources:

    • https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can also try to set ctx.Request.Scheme to https if your app is behind an HTTPS reverse proxy.

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();
        var env = context.GetEnvironment();

        // Overwrite the scheme for every request so the downstream middleware
        // (including OpenIddict's transport-security check) sees https.
        app.Use((ctx, next) =>
        {
            ctx.Request.Scheme = "https";
            return next();
        });

        // ... rest of the pipeline
    }
    

    Thanks.

  • andmattia created

    If I use

    "AuthServer": {
      "Authority": "https://auth.mysite.it",
      "RequireHttpsMetadata": "false",
      "SwaggerClientId": "WebGateway_Swagger"
    }
    

    It works, but Angular does not work. And why does 9.1.3 work in https?

    In Angular I have this issue:

    main.e261e1928bc16e78.js:1 error validating authorization_endpoint in discovery document (2) ['https for all urls required. Also for urls received by discovery.', 'Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']

    With the false flag:

    {
      "issuer": "https://auth.mysite.it/",
      "authorization_endpoint": "http://auth.mysite.it/connect/authorize",
      "token_endpoint": "http://auth.mysite.it/connect/token",
      "introspection_endpoint": "http://auth.mysite.it/connect/introspect",
      "end_session_endpoint": "http://auth.mysite.it/connect/logout",
      "revocation_endpoint": "http://auth.mysite.it/connect/revocat",
      "userinfo_endpoint": "http://auth.mysite.it/connect/userinfo",
      "device_authorization_endpoint": "http://auth.mysite.it/device",
      "jwks_uri": "http://auth.mysite.it/.well-known/jwks",
      ...
    
  • maliming created
    Support Team Fullstack Developer

    hi

    Can you SetIssuer to the https website URL?

    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();
        //...
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // Pin the "issuer" of the discovery document to the configured Authority
            // instead of deriving it from the scheme/host of the incoming request.
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
        //...
    }
    
  • andmattia created

    I already have this code:

    if (!hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
            builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
            builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
    
  • maliming created
    Support Team Fullstack Developer

    hi

    Please share the full module code.

    Have you added this code?

    liming.ma@volosoft.com

    Thanks.

  • andmattia created

    I sent you the Auth module, appsettings and nginx configuration.

  • andmattia created

    I did a simple test in a service with 9.1.3: a call to

    authserver/.well-known/openid-configuration

    If I call the auth service from http on the non-exposed port and do the same from https on the exposed port, the result changes.

    Call from http: http://lnx-ngx-app2:5001/.well-known/openid-configuration

    {
      "issuer": "https://uat.auth.myapp9.com/",
      "authorization_endpoint": "http://lnx-ngx-app2:5001/connect/authorize",
      "token_endpoint": "http://lnx-ngx-app2:5001/connect/token",
      "introspection_endpoint": "http://lnx-ngx-app2:5001/connect/introspect",
      "end_session_endpoint": "http://lnx-ngx-app2:5001/connect/endsession",
      "revocation_endpoint": "http://lnx-ngx-app2:5001/connect/revocat",
      "userinfo_endpoint": "http://lnx-ngx-app2:5001/connect/userinfo",
      "device_authorization_endpoint": "http://lnx-ngx-app2:5001/device",
      
    

    https://uat.auth.myapp9.com/.well-known/openid-configuration

    {
      "issuer": "https://uat.auth.myapp9.com/",
      "authorization_endpoint": "https://uat.auth.myapp9.com/connect/authorize",
      "token_endpoint": "https://uat.auth.myapp9.com/connect/token",
      "introspection_endpoint": "https://uat.auth.myapp9.com/connect/introspect",
      "end_session_endpoint": "https://uat.auth.myapp9.com/connect/endsession",
      "revocation_endpoint": "https://uat.auth.myapp9.com/connect/revocat",
      "userinfo_endpoint": "https://uat.auth.myapp9.com/connect/userinfo",
      "device_authorization_endpoint": "https://uat.auth.myapp9.com/device",
      "jwks_uri": "https://uat.auth.myapp9.com/.well-known/jwks",
      "gran
    

    In microservice 9 the appsettings is configured as:

    
     "AuthServer": {
            "Authority": "https://uat.auth.myapp9.com",
            "RequireHttpsMetadata": true,
            "SwaggerClientId": "SwaggerUI",
            "CertificatePassPhrase": "...."
        },
    
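The Angular error quoted earlier and the two documents above show the same thing from both sides: SetIssuer pins "issuer" to the configured Authority, but the endpoint URLs are built from the scheme and host of the request that fetched the document, so the copy fetched over plain http fails the client's strict validation while the copy fetched through the https proxy passes. The following C# check is an added example, not code from this thread, from ABP or from the Angular OIDC client. It reconstructs the two rules the error message names (https required for every URL; every URL must start with the issuer) and adds a comparison of "issuer" against the configured Authority; the class name, the exact rule wording and the trimmed sample documents (copied from this thread) are the example's own, and C# 11 raw string literals are assumed.

```csharp
// Added example, not code from the thread: strict check of an OpenID discovery
// document, modelled on the two rules the Angular error message names.
using System;
using System.Collections.Generic;
using System.Text.Json;

public static class DiscoveryDocumentCheck
{
    private static readonly string[] EndpointKeys =
    {
        "authorization_endpoint", "token_endpoint", "introspection_endpoint",
        "end_session_endpoint", "revocation_endpoint", "userinfo_endpoint",
        "device_authorization_endpoint", "jwks_uri",
    };

    // Returns an empty list when the document is consistent, otherwise one
    // message per violation so all problems can be logged at once.
    public static List<string> Validate(string configuredAuthority, string discoveryJson)
    {
        var errors = new List<string>();
        using var doc = JsonDocument.Parse(discoveryJson);
        var root = doc.RootElement;

        var issuer = root.TryGetProperty("issuer", out var iss) ? iss.GetString() ?? "" : "";
        var expected = configuredAuthority.TrimEnd('/');

        // Rule 0 (this example's own): "issuer" must be the configured Authority.
        if (!issuer.TrimEnd('/').Equals(expected, StringComparison.OrdinalIgnoreCase))
        {
            errors.Add($"issuer '{issuer}' does not match configured authority '{configuredAuthority}'");
        }

        foreach (var key in EndpointKeys)
        {
            if (!root.TryGetProperty(key, out var element)) continue;   // optional endpoint
            var url = element.GetString() ?? "";

            // Rule 1: "https for all urls required".
            if (!url.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            {
                errors.Add($"{key}: https required, got '{url}'");
            }
            // Rule 2: "Every url in discovery document has to start with" the issuer.
            if (!url.StartsWith(expected + "/", StringComparison.OrdinalIgnoreCase))
            {
                errors.Add($"{key}: '{url}' is not under issuer '{issuer}'");
            }
        }
        return errors;
    }

    public static void Main()
    {
        const string authority = "https://uat.auth.myapp9.com";

        // Trimmed copies of the two documents quoted in this thread: one fetched
        // through the public https proxy, one fetched directly from the http port.
        const string viaPublicHttps = """
            {
              "issuer": "https://uat.auth.myapp9.com/",
              "authorization_endpoint": "https://uat.auth.myapp9.com/connect/authorize",
              "token_endpoint": "https://uat.auth.myapp9.com/connect/token",
              "jwks_uri": "https://uat.auth.myapp9.com/.well-known/jwks"
            }
            """;
        const string viaInternalHttp = """
            {
              "issuer": "https://uat.auth.myapp9.com/",
              "authorization_endpoint": "http://lnx-ngx-app2:5001/connect/authorize",
              "token_endpoint": "http://lnx-ngx-app2:5001/connect/token"
            }
            """;

        foreach (var (name, json) in new[] { ("public https", viaPublicHttps), ("internal http", viaInternalHttp) })
        {
            var errors = Validate(authority, json);
            Console.WriteLine($"{name}: {(errors.Count == 0 ? "OK" : errors.Count + " problem(s)")}");
            foreach (var e in errors) Console.WriteLine("  " + e);
        }
    }
}
```

Run it against the output of `curl` from the same network position the SPA uses (through the public proxy) and, separately, against the backend's own http port: the first must come back clean, the second is expected to fail, and that difference is exactly what made Angular reject the document once RequireHttpsMetadata was set to false.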
  • maliming created
    Support Team Fullstack Developer

    hi

    Can you try to always set https?

    app.Use(async (ctx, next) =>
    {
        ctx.Request.Scheme = "https";
        await next();
    });


    If it's not working, please share the debug logs of AuthServer.

    See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems


    using Serilog;
    using Serilog.Events;

    var loggerConfiguration = new LoggerConfiguration()
        .MinimumLevel.Debug()
        .MinimumLevel.Override("Microsoft.EntityFrameworkCore", LogEventLevel.Warning)
        .MinimumLevel.Override("OpenIddict", LogEventLevel.Verbose)   // handler-level OpenIddict events
        .Enrich.FromLogContext()
        .WriteTo.Async(c => c.File("Logs/logs.txt"));

    Log.Logger = loggerConfiguration.CreateLogger();
    
  • andmattia created

    I'll try. On the exposed machine I have another auth, version v7.4.5, not microservice but Angular with API and auth separated, and it works with the https flag set to true.

  • maliming created
    Support Team Fullstack Developer

    We need to make the scheme below https://

  • andmattia created

    OK, I added this code

    app.Use(async (ctx, next) =>
    {
        ctx.Request.Scheme = "https";
        await next();
    });
    

    in place of the original, and now the error on OAuth has disappeared, but the API and APP are still not working.

    The API says, if I try to authenticate a single microservice (CORS works):

    http://lnx-ngx-mc01:41367/abp/Swashbuckle/SetCsrfCookie -> 500

    http://lnx-ngx-mc01:41367/api/abp/api-definition?IncludeTypes=false -> 500

    If I try from the gateway only auth works, but all microservices say mixed mode blocked http // https.

  • maliming created
    Support Team Fullstack Developer

    Can you share the all related websites logs for the 500 error?

    See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems to enable debug logs and share the logs.txt files

    Thanks.

  • andmattia created

    Now I did another test.

    IdentityService: if I try to open http://lnx-ngx-mc1:46388/api/abp/api-definition?IncludeTypes=false without authentication it works.

    If I do authentication I get this error in the Identity logs:

    [13:39:30 ERR] Exception occurred while processing message. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
       at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    [13:39:30 ERR] Connection id "0HNDVKS5M639C", Request id "0HNDVKS5M639C:00000001": An unhandled exception was thrown by the application. <s:Microsoft.AspNetCore.Server.Kestrel>
    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
       at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
       at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
       at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpRequestDurationMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpRequestCountMiddleware.Invoke(HttpContext context)
       at Prometheus.HttpMetrics.HttpInProgressMiddleware.Invoke(HttpContext context)
       at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
       at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
       at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
    --- End of stack trace from previous location ---
       at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
    [13:40:14 INF] Lock is acquired for TokenCleanupBackgroundWorker <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker>
    [13:40:14 INF] Start cleanup. <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupService>
    
  • andmattia created

    I found the correct path:

    Nginx exposed: ng-01 (auth, api, app) -> reverse to -> mc-01 Nginx internal: mc-01

    I set the host in mc-01 to route traffic to ng-01 because the auth, api, app are configured on this host.

    In the next days I will try to change the microservices to use the local URL on mc-01. For example in Identity I set the auth server not to auth....com but to mc-01:43645 or mc-01:5001; I think it works as well.

  • andmattia created

    The last issue is related to IP: I see all operations come from 127.0.0.1.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can use ForwardedHeaders feature.

    https://abp.io/support/questions/1950/How-to-use-a-custom-HTTP-header-to-get-the-client-remote-IP-address

  • andmattia created

    And do I need to set this only on Host and Gateway, or in all microservices?

  • maliming created
    Support Team Fullstack Developer

    hi

    In all microservice/apps projects.
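The scheme problem handled in the early replies (forcing `ctx.Request.Scheme = "https"`, or DisableTransportSecurityRequirement) and the client-IP problem in the last replies have one root cause: Kestrel sees the proxy's connection, not the client's, and the X-Forwarded-* headers Nginx adds are ignored unless ASP.NET Core's forwarded-headers middleware is told to trust that proxy. Forcing the scheme unconditionally has a cost: a request that reaches Kestrel directly over plain http (the http://lnx-app:5007 URL from the question) is then also treated as https, and the audit log keeps recording 127.0.0.1. The module below is an added example, not code from this thread or from ABP, showing the ForwardedHeaders approach the last answer points to, restricted to the proxies it names. The module name, the proxy addresses 10.0.0.10 and 10.0.0.20 and the public host are placeholders for the ng-01 / mc-01 layout described in the thread.

```csharp
// Added example, not code from the thread or from ABP: trust X-Forwarded-* only
// from the reverse proxies we control, instead of forcing Request.Scheme = "https"
// for every request or disabling OpenIddict's transport-security check.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Volo.Abp;
using Volo.Abp.Modularity;

// Hypothetical module name; the same configuration goes into every host, gateway and
// microservice module, as the last answer in the thread says.
public class ForwardedHeadersConfigurationModule : AbpModule
{
    // Assumed addresses of the two Nginx tiers from the thread (ng-01 -> mc-01).
    private static readonly IPAddress ExposedProxy  = IPAddress.Parse("10.0.0.10");
    private static readonly IPAddress InternalProxy = IPAddress.Parse("10.0.0.20");

    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Replace the default (loopback only) with the proxies that really sit in
            // front of Kestrel. A request arriving from any other address keeps its
            // real scheme and IP, so an "X-Forwarded-Proto: https" sent by a client
            // straight to the http port is ignored rather than trusted.
            options.KnownProxies.Clear();
            options.KnownNetworks.Clear();
            options.KnownProxies.Add(IPAddress.Loopback);   // Nginx on the same box
            options.KnownProxies.Add(ExposedProxy);
            options.KnownProxies.Add(InternalProxy);

            // One X-Forwarded-For entry is consumed per trusted hop; two tiers of
            // Nginx means two hops before the real client address is reached.
            options.ForwardLimit = 2;

            // Honour X-Forwarded-Host only for the public name the issuer uses
            // (placeholder host from the question).
            options.AllowedHosts.Add("auth.mysite.it");
        });
    }

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();

        // First in the pipeline: everything after it (HTTPS redirection, authentication,
        // OpenIddict's ValidateTransportSecurityRequirement, audit logging) then sees
        // the scheme, host and client IP that Nginx saw.
        app.UseForwardedHeaders();

        // ... the rest of the ABP pipeline (UseRouting, UseAuthentication, ...) as before
    }
}
```

On the Nginx side the exposed tier needs `proxy_set_header X-Forwarded-Proto $scheme;`, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Host $host;`. The internal tier (mc-01) must pass `$http_x_forwarded_proto` through instead of setting `$scheme` again, otherwise the inner http hop overwrites https with http and the discovery document comes back with http endpoints exactly as shown earlier in the thread. Avoid the `ASPNETCORE_FORWARDEDHEADERS_ENABLED=true` shortcut: it enables the middleware but clears KnownProxies and KnownNetworks, so any client that can reach Kestrel directly can claim an arbitrary IP and scheme.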

Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37