Hello, while my project is running smoothly through the IDE locally, when it is started with docker-compose it fails at the authentication stage and gives the following error.
docker compose logs -n 200 visaflowapp-api | egrep -i 'OpenIddict|IDX|issuer|aud|metadata|jwks|signature'
visaflowapp-api | Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
visaflowapp-api | at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed(SecurityToken securityToken, Nullable1 notBefore, Nullable1 expires, IEnumerable`1 audiences, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
visaflowapp-api | [22:03:50 INF] Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
visaflowapp-api | [22:03:50 INF] Route matched with {area = "account", controller = "Profile", action = "Get", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.Account.ProfileDto] GetAsync() on controller Volo.Abp.Account.ProfileController (Volo.Abp.Account.Pro.Public.HttpApi). visaflowapp-api | at Volo.Abp.Auditing.AuditingInterceptor.ProceedByLoggingAsync(IAbpMethodInvocation invocation, AbpAuditingOptions options, IAuditingHelper auditingHelper, IAuditLogScope auditLogScope) visaflowapp-api | at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
And This is my YML File
services: visaflowapp-angular: image: code35/visaflowapp-angular:latest container_name: visaflowapp-angular build: context: ../../angular/ dockerfile: Dockerfile.local ports:
- "4200:80" depends_on:
- visaflowapp-api volumes:
- ./dynamic-env.json:/usr/share/nginx/html/dynamic-env.json networks:
- abp-network restart: on-failure oidc-meta-proxy: image: nginx:alpine container_name: oidc-meta-proxy depends_on:
- visaflowapp-authserver networks:
- abp-network volumes:
- ./nginx.oidc.conf:/etc/nginx/conf.d/default.conf:ro visaflowapp-api: image: code35/visaflowapp-api:latest container_name: visaflowapp-api hostname: visaflowapp-api build: context: ../../src/CODE35.VisaFlowApp.HttpApi.Host/ dockerfile: Dockerfile.local environment:
- ASPNETCORE_URLS=https://+:8081;http://+:8080;
- Kestrel__Certificates__Default__Path=/app/certs/localhost.pfx
- Kestrel__Certificates__Default__Password=faffff5e-cfd2-4d3c-b99c-9bfc3926e7c6
- App__SelfUrl=https://localhost:44360
- App__AngularUrl=http://localhost:4200
- App__CorsOrigins=http://localhost:4200
- App__HealthCheckUrl=http://visaflowapp-api:8080/health-status
- AuthServer__SwaggerClientId=VisaFlowApp_Swagger
- OpenIddict__Validation__Audience=VisaFlowApp
- OpenIddict__Validation__Issuer=https://localhost:44317/
- OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
- OpenIddict__Validation__DisableTransportSecurityRequirement=true
- ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
- Redis__Configuration=redis
- Logging__LogLevel__Default=Information
- Logging__LogLevel__Microsoft.IdentityModel=Debug
- Logging__LogLevel__OpenIddict=Debug extra_hosts:
- "localhost:host-gateway"
- "host.docker.internal:host-gateway" ports:
- "44360:8081" depends_on: redis: condition: service_healthy healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost:8080/health-status"] interval: 10s timeout: 3s retries: 10 restart: on-failure volumes:
- ./certs:/app/certs
- dpkeys:/root/.aspnet/DataProtection-Keys networks:
- abp-network visaflowapp-authserver: image: code35/visaflowapp-authserver:latest container_name: visaflowapp-authserver build: context: ../../src/CODE35.VisaFlowApp.AuthServer/ dockerfile: Dockerfile.local environment:
- ASPNETCORE_URLS=https://+:8081;http://+:8080;
- App__SelfUrl=https://localhost:44317
- AuthServer__RequireHttpsMetadata=false
- App__CorsOrigins=http://localhost:4200,https://localhost:44360
- App__HealthCheckUrl=http://visaflowapp-authserver:8080/health-status
- AuthServer__Authority=https://localhost:44317/
- Kestrel__Certificates__Default__Path=/app/certs/localhost.pfx
- Kestrel__Certificates__Default__Password=faffff5e-cfd2-4d3c-b99c-9bfc3926e7c6
- ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
- Redis__Configuration=redis
- OpenIddict__Server__DisableTransportSecurityRequirement=true ports:
- "44317:8081" depends_on: redis: condition: service_healthy healthcheck: test: ["CMD", "wget", "-qO-", "http://localhost:8080/health-status"] interval: 10s timeout: 3s retries: 10 restart: on-failure volumes:
- ./certs:/app/certs
- dpkeys:/root/.aspnet/DataProtection-Keys networks:
- abp-network db-migrator: image: code35/visaflowapp-db-migrator:latest container_name: db-migrator build: context: ../../src/CODE35.VisaFlowApp.DbMigrator/ dockerfile: Dockerfile.local environment:
- OpenIddict__Applications__VisaFlowApp_App__RootUrl=http://localhost:4200
- OpenIddict__Applications__VisaFlowApp_Swagger__RootUrl=https://localhost:44360
- ConnectionStrings__Default=Data Source=213.238.169.235;Database=code35_visaflow_devim;User Id=sa;Password=*********;TrustServerCertificate=True;
- Redis__Configuration=redis restart: on-failure networks:
- abp-network redis: container_name: redis image: redis:alpine ports:
- "6379:6379" networks:
- abp-network healthcheck: test: ["CMD", "redis-cli", "ping"] restart: on-failure volumes: dpkeys: name: visaflowapp_dpkeys driver: local networks: abp-network: name: visaflowapp-network driver: bridge
2 Answer(s)
-
0
The error
IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.means your API container cannot validate the issuer of the JWT token because the issuer in the token does not match the expected value, or the expected issuer is not configured.In your docker-compose, you have:
OpenIddict__Validation__Issuer=https://localhost:44317/OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configurationAuthServer__Authority=https://localhost:44317/
Common Issues and Solutions:
Issuer Mismatch:
- The issuer in the token must exactly match the value set in
OpenIddict__Validation__Issuerand theissuerproperty in the discovery document (/.well-known/openid-configuration). - When running in Docker,
localhostinside a container is not the same aslocalhoston your host. The API container will try to reachhttps://localhost:44317/and fail, because that points to itself, not the AuthServer.
- The issuer in the token must exactly match the value set in
Correct Issuer and Metadata Address:
- Use the Docker service name for inter-container communication. For example:
OpenIddict__Validation__Issuer=http://visaflowapp-authserver:8080/OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configuration
- Make sure the AuthServer's
App__SelfUrlandAuthServer__Authorityare also set tohttp://visaflowapp-authserver:8080(for internal Docker network).
- Use the Docker service name for inter-container communication. For example:
HTTPS/HTTP Consistency:
- If you use HTTP for internal Docker communication, set
AuthServer__RequireHttpsMetadata=falseand ensure all URLs (issuer, authority, metadata) use HTTP, not HTTPS, inside Docker. - Externally, you can expose HTTPS via Nginx or another reverse proxy.
- If you use HTTP for internal Docker communication, set
SetIssuer in Code:
- In your AuthServer module, ensure you set the issuer explicitly:
PreConfigure<OpenIddictServerBuilder>(builder => { builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!)); });Example Docker Compose Internal Configuration:
environment: - App__SelfUrl=http://visaflowapp-authserver:8080 - AuthServer__Authority=http://visaflowapp-authserver:8080 - AuthServer__RequireHttpsMetadata=false - OpenIddict__Validation__Issuer=http://visaflowapp-authserver:8080/ - OpenIddict__Validation__MetadataAddress=http://visaflowapp-authserver:8080/.well-known/openid-configurationSummary of Steps:
- Change all internal URLs to use the Docker service name and HTTP.
- Set
RequireHttpsMetadata=falsefor internal Docker use. - Ensure the issuer in the token, the discovery document, and your API config all match exactly.
References:
After making these changes, restart your containers. This should resolve the issuer validation error and allow authentication to work in Docker Compose.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
The error is:
IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.Check this article for more details about
Issuer.https://abp.io/community/articles/common-errors-in-jwt-bearer-authentication-4u3wrbs5#gsc.tab=0
Thanks.
