Docker Angular UI Cannot Login #9833


urugakina created

Hello, while my project is running smoothly through the IDE locally, when it is started with docker-compose it fails at the authentication stage and gives the following error.

docker compose logs -n 200 visaflowapp-api | egrep -i 'OpenIddict|IDX|issuer|aud|metadata|jwks|signature'

visaflowapp-api | Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
visaflowapp-api | at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed(SecurityToken securityToken, Nullable`1 notBefore, Nullable`1 expires, IEnumerable`1 audiences, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | [22:03:50 INF] Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.

visaflowapp-api | [22:03:50 INF] Route matched with {area = "account", controller = "Profile", action = "Get", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Account.ProfileDto] GetAsync() on controller Volo.Abp.Account.ProfileController (Volo.Abp.Account.Pro.Public.HttpApi).
visaflowapp-api | at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope)
visaflowapp-api | at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)

And this is my YML file:

services:
  visaflowapp-angular:
    image: code35/visaflowapp-angular:latest
    container_name: visaflowapp-angular
    build:
      context: ../../angular/
      dockerfile: Dockerfile.local
    ports:
      - "4200:80"
    depends_on:
      - visaflowapp-api
    volumes:
      - ./dynamic-env.json:/usr/share/nginx/html/dynamic-env.json
    networks:
      - abp-network
    restart: on-failure

  oidc-meta-proxy:
    image: nginx:alpine
    container_name: oidc-meta-proxy
    depends_on:
      - visaflowapp-authserver
    networks:
      - abp-network
    volumes:
      - ./nginx.oidc.conf:/etc/nginx/conf.d/default.conf:ro

  visaflowapp-api:
    image: code35/visaflowapp-api:latest
    container_name: visaflowapp-api
    hostname: visaflowapp-api
    build:
      context: ../../src/CODE35.VisaFlowApp.HttpApi.Host/
      dockerfile: Dockerfile.local
    environment:
      - ASPNETCORE_URLS=https://+:8081;http://+:8080;
      - Kestrel__Certificates__Default__Path=/app/certs/localhost.pfx
      - Kestrel__Certificates__Default__Password=faffff5e-cfd2-4d3c-b99c-9bfc3926e7c6
      - App__SelfUrl=https://localhost:44360
      - App__AngularUrl=http://localhost:4200
      - App__CorsOrigins=http://localhost:4200
      - App__HealthCheckUrl=http://visaflowapp-api:8080/health-status
      - AuthServer__SwaggerClientId=VisaFlowApp_Swagger
      - OpenIddict__Validation__Audience=VisaFlowApp
      - OpenIddict__Validation__Issuer=https://localhost:44317/
      - OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
      - OpenIddict__Validation__DisableTransportSecurityRequirement=true
      - ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
      - Redis__Configuration=redis
      - Logging__LogLevel__Default=Information
      - Logging__LogLevel__Microsoft.IdentityModel=Debug
      - Logging__LogLevel__OpenIddict=Debug
    extra_hosts:
      - "localhost:host-gateway"
      - "host.docker.internal:host-gateway"
    ports:
      - "44360:8081"
    depends_on:
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:8080/health-status"]
      interval: 10s
      timeout: 3s
      retries: 10
    restart: on-failure
    volumes:
      - ./certs:/app/certs
      - dpkeys:/root/.aspnet/DataProtection-Keys
    networks:
      - abp-network

  visaflowapp-authserver:
    image: code35/visaflowapp-authserver:latest
    container_name: visaflowapp-authserver
    build:
      context: ../../src/CODE35.VisaFlowApp.AuthServer/
      dockerfile: Dockerfile.local
    environment:
      - ASPNETCORE_URLS=https://+:8081;http://+:8080;
      - App__SelfUrl=https://localhost:44317
      - AuthServer__RequireHttpsMetadata=false
      - App__CorsOrigins=http://localhost:4200,https://localhost:44360
      - App__HealthCheckUrl=http://visaflowapp-authserver:8080/health-status
      - AuthServer__Authority=https://localhost:44317/
      - Kestrel__Certificates__Default__Path=/app/certs/localhost.pfx
      - Kestrel__Certificates__Default__Password=faffff5e-cfd2-4d3c-b99c-9bfc3926e7c6
      - ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
      - Redis__Configuration=redis
      - OpenIddict__Server__DisableTransportSecurityRequirement=true
    ports:
      - "44317:8081"
    depends_on:
      redis:
        condition: service_healthy
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://localhost:8080/health-status"]
      interval: 10s
      timeout: 3s
      retries: 10
    restart: on-failure
    volumes:
      - ./certs:/app/certs
      - dpkeys:/root/.aspnet/DataProtection-Keys
    networks:
      - abp-network

  db-migrator:
    image: code35/visaflowapp-db-migrator:latest
    container_name: db-migrator
    build:
      context: ../../src/CODE35.VisaFlowApp.DbMigrator/
      dockerfile: Dockerfile.local
    environment:
      - OpenIddict__Applications__VisaFlowApp_App__RootUrl=http://localhost:4200
      - OpenIddict__Applications__VisaFlowApp_Swagger__RootUrl=https://localhost:44360
      - ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
      - Redis__Configuration=redis
    restart: on-failure
    networks:
      - abp-network

  redis:
    container_name: redis
    image: redis:alpine
    ports:
      - "6379:6379"
    networks:
      - abp-network
    healthcheck:
      test: ["CMD", "redis-cli", "ping"]
    restart: on-failure

volumes:
  dpkeys:
    name: visaflowapp_dpkeys
    driver: local

networks:
  abp-network:
    name: visaflowapp-network
    driver: bridge

2 Answer(s)
    AI-Bot created
    Support Team ABP Agent
    • The error IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty. means your API container cannot validate the issuer of the JWT token because the issuer in the token does not match the expected value, or the expected issuer is not configured.

    • In your docker-compose, you have:

      • OpenIddict__Validation__Issuer=https://localhost:44317/
      • OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
      • AuthServer__Authority=https://localhost:44317/

    Common Issues and Solutions:

    1. Issuer Mismatch:

      • The issuer in the token must exactly match the value set in OpenIddict__Validation__Issuer and the issuer property in the discovery document (/.well-known/openid-configuration).
      • When running in Docker, localhost inside a container is not the same as localhost on your host. The API container will try to reach https://localhost:44317/ and fail, because that points to itself, not the AuthServer.
    2. Correct Issuer and Metadata Address:

      • Use the Docker service name for inter-container communication. For example:
        • OpenIddict__Validation__Issuer=http://visaflowapp-authserver:8080/
        • OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
      • Make sure the AuthServer's App__SelfUrl and AuthServer__Authority are also set to http://visaflowapp-authserver:8080 (for internal Docker network).
    3. HTTPS/HTTP Consistency:

      • If you use HTTP for internal Docker communication, set AuthServer__RequireHttpsMetadata=false and ensure all URLs (issuer, authority, metadata) use HTTP, not HTTPS, inside Docker.
      • Externally, you can expose HTTPS via Nginx or another reverse proxy.
    4. SetIssuer in Code:

      • In your AuthServer module, ensure you set the issuer explicitly:
    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
    });
    

    Example Docker Compose Internal Configuration:

    environment:
      - App__SelfUrl=http://visaflowapp-authserver:8080
      - AuthServer__Authority=http://visaflowapp-authserver:8080
      - AuthServer__RequireHttpsMetadata=false
      - OpenIddict__Validation__Issuer=http://visaflowapp-authserver:8080/
      - OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
    

    Summary of Steps:

    1. Change all internal URLs to use the Docker service name and HTTP.
    2. Set RequireHttpsMetadata=false for internal Docker use.
    3. Ensure the issuer in the token, the discovery document, and your API config all match exactly.

    After making these changes, restart your containers. This should resolve the issuer validation error and allow authentication to work in Docker Compose.


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

    maliming created
    Support Team Fullstack Developer

    hi

    The error is: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.

    Check this article for more details about Issuer.

    https://abp.io/community/articles/common-errors-in-jwt-bearer-authentication-4u3wrbs5#gsc.tab=0

    Thanks.
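
The answers above come down to three issuer values that have to agree: the `iss` claim in the token, the `issuer` field of the discovery document, and the issuer configured on the API. The following is an added example, not code from the thread or from ABP, that compares the three with an exact string comparison. The function names are hypothetical, the token and discovery document are constructed sample data, and the payload is decoded without signature verification, so it is for diagnostics only.

```python
import base64
import json
from typing import List, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned JWT-shaped string used only as sample input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issuer_problems(token: str, discovery: dict, configured: Optional[str]) -> List[str]:
    """Compare token iss, discovery-document issuer and the API's configured issuer."""
    iss = jwt_claims(token).get("iss")
    doc_issuer = discovery.get("issuer")
    problems = []
    if not configured or not configured.strip():
        problems.append("no issuer configured on the API (the IDX10204 condition)")
    elif configured != iss:  # exact match: scheme, host, port and trailing slash
        problems.append(f"configured issuer {configured!r} != token iss {iss!r}")
    if doc_issuer != iss:
        problems.append(f"discovery issuer {doc_issuer!r} != token iss {iss!r}")
    return problems


# Constructed sample data; the URLs are the ones posted in the question.
TOKEN = make_sample_token({"iss": "https://localhost:44317/", "aud": "VisaFlowApp"})
DISCOVERY = {"issuer": "https://localhost:44317/"}

if __name__ == "__main__":
    for configured in ("https://localhost:44317/", "https://localhost:44317",
                       "http://visaflowapp-authserver:8080/", None):
        print(configured, "->", issuer_problems(TOKEN, DISCOVERY, configured) or "OK")
```

To use it against a real deployment, pass an access token captured from the browser and the JSON returned by the `MetadataAddress` the API container actually uses.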

Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37