I would appreciate some guidance on configuring ABP OpenIddict behind a proxy/api gateway - I'm using krakend in AKS. I have forwarded all endpoints and all endpoints are working (including .well-known/openid-configuration) with one exception: .well-known/jwks is returning a 404:
7/10/2025, 8:48:13 AM xxxx-prod-5d54fb5b97-zd6g6 c91753f6aca3df1a48c67bbc97ac312856c5a43fcad7fbbcc979ff394959e06e [12:48:13 INF] Request finished HTTP/1.1 GET https://REDACTED:44378/.well-known/openid-configuration - 200 2641 application/json;charset=UTF-8 7.8557ms
7/10/2025, 8:48:14 AM xxxx-prod-5d54fb5b97-zd6g6 c91753f6aca3df1a48c67bbc97ac312856c5a43fcad7fbbcc979ff394959e06e [12:48:14 INF] Request starting HTTP/1.1 GET https://REDACTED:44378/.well-known/jwks - null null
7/10/2025, 8:48:14 AM xxxx-prod-5d54fb5b97-zd6g6 c91753f6aca3df1a48c67bbc97ac312856c5a43fcad7fbbcc979ff394959e06e [12:48:14 INF] Request finished HTTP/1.1 GET https://REDACTED:44378/.well-known/jwks - 404 0 null 3.6374ms
7/10/2025, 8:48:14 AM xxxx-prod-5d54fb5b97-zd6g6 c91753f6aca3df1a48c67bbc97ac312856c5a43fcad7fbbcc979ff394959e06e [12:48:14 INF] Request reached the end of the middleware pipeline without being handled by application code. Request path: GET https://REDACTED:44378/.well-known/jwks, Response status code: 404
Exception message and full stack trace: https://REDACTED:44378/.well-known/jwks, Response status code: 404
Steps to reproduce the issue: Access the main application portal and observe all endpoints return 20x except the jwks endpoint.
The log above is from the ABP backend process and so I know that krakend is forwarding the request properly. Any tips or advice would be much appreciated!
4 Answer(s)
-
0
- The .well-known/jwks endpoint returning 404 in ABP OpenIddict is typically due to missing or misconfigured signing/encryption certificates, or incorrect OpenIddict server setup, especially behind a proxy or API gateway.
Solution Steps:
Certificate Configuration
- Ensure you have configured production certificates for OpenIddict. If no valid signing certificate is loaded, the JWKS endpoint will not be available.
- In your module, use:
    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        var flag = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "YourCertificatePassword", flag);
    });
- Make sure the openiddict.pfx file is present in your deployment and the password is correct.
Proxy/Forwarded Headers
- When running behind a proxy (like krakend or AKS ingress), configure forwarded headers in your ABP app:
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
    });
- This ensures OpenIddict generates correct URLs and processes requests as expected.
Check PathBase and Routing
- If you use app.UsePathBase("/auth") or similar, ensure your proxy forwards the base path and that all OpenIddict endpoints are accessible under the correct path.
Verify Endpoint Exposure
- The JWKS endpoint should be exposed by default if OpenIddict is correctly configured. If you have custom endpoint configuration, ensure .well-known/jwks is not excluded.
Restart and Logs
- After making changes, restart your service and check logs for certificate loading errors or OpenIddict warnings.
These steps should resolve the 404 on .well-known/jwks behind your proxy. If the issue persists, double-check certificate presence and permissions, and ensure your proxy is not stripping or rewriting the path.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
Based on further testing, I have determined that the JWKS Uri must match the ABP HttpApi host URI in order to be available.
If ABP is running on port 44378 and I set AuthServer.Authority to https://localhost:44378, it works. If I forward port 8443 to 44378 and set the AuthServer.Authority (see below) to https://localhost:8443 the JWKS Uri is NOT available (while all other OpenIddict Uris are available).
    options.SetIssuer(new Uri(configuration["AuthServer:Authority"]));
    options.SetJsonWebKeySetEndpointUris(configuration["AuthServer:Authority"] + "/.well-known/jwks");
I need to set the Issuer to https://localhost:8443 so that the Angular front-end authenticates via the proxy endpoint instead of the backend endpoint (which is not exposed).
How do I configure OpenIddict's JWKS URI to load using a proxied/external Issuer Uri?
Thanks!
-
0
I solved the issue by leaving SetIssuer set to the external URI (:8443) and passing both URIs (8443 and 44378) to the SetJsonWebKey... method:

    options.SetJsonWebKeySetEndpointUris(
        configuration["AuthServer:Authority"] + "/.well-known/jwks",
        configuration["AuthServer:InternalAuthority"] + "/.well-known/jwks"
    );
FYI - I later learned that KrakenD CE (open source) follows redirects and subsequently cannot be used to proxy authentication. Only the Enterprise edition allows you to disable 302 redirects to allow the client (browser) to handle the 302 (not the gateway).
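A consistency check for the mismatch this thread is about, added here as an example and not part of the thread or of ABP/OpenIddict: it reads a discovery document and a JWKS (both constructed below to mirror the setup above, with the issuer on the external :8443 origin and the backend on :44378; the key id and key values are made up) and reports any advertised endpoint, jwks_uri included, that is not served from the same origin as the issuer. That is exactly the condition that leaves browser clients unable to fetch the signing keys even when the backend itself answers. Replace the constructed JSON with what your gateway actually returns from /.well-known/openid-configuration and /.well-known/jwks to check a real deployment.

```python
"""Consistency check for an OIDC discovery document and JWKS served behind a proxy.

Added example: the inputs below are constructed to mirror the thread (issuer is the
external gateway origin on :8443, backend listens on :44378) and are not captured
from a real server.
"""
import json
from urllib.parse import urlparse

EXTERNAL_AUTHORITY = "https://localhost:8443"    # issuer clients are told to use
INTERNAL_AUTHORITY = "https://localhost:44378"   # backend origin, not reachable by browsers

# Constructed discovery document: every endpoint is external except jwks_uri,
# which still points at the internal backend origin.
DISCOVERY_DOC = json.loads("""
{
  "issuer": "https://localhost:8443",
  "authorization_endpoint": "https://localhost:8443/connect/authorize",
  "token_endpoint": "https://localhost:8443/connect/token",
  "end_session_endpoint": "https://localhost:8443/connect/logout",
  "jwks_uri": "https://localhost:44378/.well-known/jwks"
}
""")

# Constructed JWKS with one RSA signing key (modulus is a placeholder, not a real key).
JWKS = json.loads("""
{
  "keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "constructed-kid-1",
     "n": "constructed-modulus", "e": "AQAB"}
  ]
}
""")

ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint",
                 "end_session_endpoint", "jwks_uri")


def origin(url):
    """(scheme, host, port) triple used to compare where two URLs are served from."""
    p = urlparse(url)
    return (p.scheme, p.hostname, p.port)


def check_discovery(doc, external_authority):
    """Return a list of problem strings; an empty list means the document is consistent."""
    problems = []
    issuer = doc.get("issuer", "")
    if issuer.rstrip("/") != external_authority.rstrip("/"):
        problems.append(f"issuer {issuer} does not match configured authority {external_authority}")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            problems.append(f"{key} is missing")
        elif urlparse(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
        elif origin(url) != origin(external_authority):
            # This is the thread's failure mode: the key set is advertised on an
            # origin that only exists inside the cluster.
            problems.append(f"{key} is served from a different origin than the issuer: {url}")
    return problems


def find_signing_key(jwks, kid):
    """Return the JWK whose kid matches and which is usable for signature checks, else None."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("use", "sig") == "sig" and "alg" in key:
            return key
    return None


if __name__ == "__main__":
    for problem in check_discovery(DISCOVERY_DOC, EXTERNAL_AUTHORITY):
        print("discovery:", problem)
    print("kid found:", find_signing_key(JWKS, "constructed-kid-1") is not None)
```

Once the fix from this thread is applied (both the external and the internal jwks URIs registered, issuer left on the external origin), the discovery document should advertise jwks_uri on the :8443 origin and the check returns no problems; the kid lookup is the second half of what a token validator does, so a key that is present in the JWKS but missing the kid or alg claimed in the token header will still fail validation.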
-
0
Thanks for your solution 👍