Activities of "andmattia"

I found the correct path:

NGinx exposed: ng-01 (auth,api,app) -> reverse to -> mc-01 NGinx internal: mc-01

I set the host in mc-01 to route traffic to ng-01 beacuse the auth,api,app are configured in this host.

In the next days I try to change microservice to use local url on mc-01. For ex in idenitity I set the auth server not to auth....com but mc-01:43645 or mc-01:5001 I think it works as well

Now I do another test.

IdentityService if I try to open http://lnx-ngx-mc1:46388/api/abp/api-definition?IncludeTypes=false whituout autehntication it works

I do authentication I get this error on Identity logs

[13:39:30 ERR] Exception occurred while processing message. <s:Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler>
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
[13:39:30 ERR] Connection id "0HNDVKS5M639C", Request id "0HNDVKS5M639C:00000001": An unhandled exception was thrown by the application. &lt;s:Microsoft.AspNetCore.Server.Kestrel&gt;
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Prometheus.HttpMetrics.HttpRequestDurationMiddleware.Invoke(HttpContext context)
   at Prometheus.HttpMetrics.HttpRequestCountMiddleware.Invoke(HttpContext context)
   at Prometheus.HttpMetrics.HttpInProgressMiddleware.Invoke(HttpContext context)
   at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.&lt;&gt;c__DisplayClass6_1.&lt;&lt;UseMiddlewareInterface&gt;b__1>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
[13:40:14 INF] Lock is acquired for TokenCleanupBackgroundWorker <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker>
[13:40:14 INF] Start cleanup. <s:Volo.Abp.OpenIddict.Tokens.TokenCleanupService>

Ok, I add this code

app.Use(async (ctx, next) =>
{
    ctx.Request.Scheme = "https";
    await next();
});

In place the original and now the error on oAuth is disapear but on API and APP still not working.

API say if try to authenticate a single micro service (CORS work)

http://lnx-ngx-mc01:41367/abp/Swashbuckle/SetCsrfCookie -> 500

http://lnx-ngx-mc01:41367/api/abp/api-definition?IncludeTypes=false -> 500

If I try from gateway only auth works but all microservices say mix mode blocked http // https

I'll try on machine exposed I've an other auth, version v7.4.5, not microservice but angular with api and auth separeted. and it work with flag https set to true

I do a simple test in service with 9.1.3 a call

authserver/.well-known/openid-configuration

If I call from http not exposed port the auth service and do the same in https exposes port.

The result change

call from http http://lnx-ngx-app2:5001/.well-known/openid-configuration

{
  "issuer": "https://uat.auth.myapp9.com/",
  "authorization_endpoint": "http://lnx-ngx-app2:5001/connect/authorize",
  "token_endpoint": "http://lnx-ngx-app2:5001/connect/token",
  "introspection_endpoint": "http://lnx-ngx-app2:5001/connect/introspect",
  "end_session_endpoint": "http://lnx-ngx-app2:5001/connect/endsession",
  "revocation_endpoint": "http://lnx-ngx-app2:5001/connect/revocat",
  "userinfo_endpoint": "http://lnx-ngx-app2:5001/connect/userinfo",
  "device_authorization_endpoint": "http://lnx-ngx-app2:5001/device",
  

https://uat.auth.myapp9.com/.well-known/openid-configuration

{
  "issuer": "https://uat.auth.myapp9.com/",
  "authorization_endpoint": "https://uat.auth.myapp9.com/connect/authorize",
  "token_endpoint": "https://uat.auth.myapp9.com/connect/token",
  "introspection_endpoint": "https://uat.auth.myapp9.com/connect/introspect",
  "end_session_endpoint": "https://uat.auth.myapp9.com/connect/endsession",
  "revocation_endpoint": "https://uat.auth.myapp9.com/connect/revocat",
  "userinfo_endpoint": "https://uat.auth.myapp9.com/connect/userinfo",
  "device_authorization_endpoint": "https://uat.auth.myapp9.com/device",
  "jwks_uri": "https://uat.auth.myapp9.com/.well-known/jwks",
  "gran

in microservice 9 the appsettings is configured

 "AuthServer": {
        "Authority": "https://uat.auth.myapp9.com",
        "RequireHttpsMetadata": true,
        "SwaggerClientId": "SwaggerUI",
        "CertificatePassPhrase": "...."
    },

I sent to you Auth module, appsetings and nginx configuration

I've already this row

if (!hostingEnvironment.IsDevelopment())
        {
            PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
            {
                options.AddDevelopmentEncryptionAndSigningCertificate = false;
            });

            PreConfigure<OpenIddictServerBuilder>(builder =>
            {
                builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
                builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
            });
        }

If I use

"AuthServer": {
  "Authority": "https://auth.mysite.it",
  "RequireHttpsMetadata": "false",
  "SwaggerClientId": "WebGateway_Swagger"
}

It works but angular not work and way in 9,1,3 works in https?

in Angular I've this issue

main.e261e1928bc16e78.js:1 error validating authorization_endpoint in discovery document (2) ['https for all urls required. Also for urls received by discovery.', 'Every url in discovery document has to start with …o see property strictDiscoveryDocumentValidation.']

With false flag

{
  "issuer": "https://auth.mysite.it/",
  "authorization_endpoint": "http://auth.mysite.it/connect/authorize",
  "token_endpoint": "http://auth.mysite.it/connect/token",
  "introspection_endpoint": "http://auth.mysite.it/connect/introspect",
  "end_session_endpoint": "http://auth.mysite.it/connect/logout",
  "revocation_endpoint": "http://auth.mysite.it/connect/revocat",
  "userinfo_endpoint": "http://auth.mysite.it/connect/userinfo",
  "device_authorization_endpoint": "http://auth.mysite.it/device",
  "jwks_uri": "http://auth.mysite.it/.well-known/jwks",
  ...

I've publish a Auth server for a microservice with abp 7.4.5 on linux but I get this error

[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateTransportSecurityRequirement. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. &lt;s:OpenIddict.Server.OpenIddictServerDispatcher&gt;
[10:38:13 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachWwwAuthenticateHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyCryptographyResponseContext, OpenIddict.Server, Version=4.8.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. <s:OpenIddict.Server.OpenIddictServerDispatcher>
[10:38:13 INF] The response was successfully returned as a JSON document: {
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}. <s:OpenIddict.Server.OpenIddictServerDispatcher>

My configuration is linux ubuntu with Nginx work as reverse proxy, linux machine work as application machine. On application I've a process with auth

/var/www/auth-service/myapp.AuthServer --urls=http://0.0.0.0:5007

If I try to access to auth server all works fine, I'm able to login an get user and log data but if I try to open https://auth.mysite.it/.well-known/jwks or http://lnx-app:5007/.well-known/jwks

I get

{
  "error": "invalid_request",
  "error_description": "This server only accepts HTTPS requests.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2083"
}

If I change my app settings with true to false but I've Issuer in https and other in http

"AuthServer": {
        "Authority": "https://auth.mysite.it",
        "RequireHttpsMetadata": "false", <--- works bat angular get error 
        "SwaggerClientId": "WebGateway_Swagger"
    },

I've the same schema on abp 9.1.3 and works fine, also same build in 7.4.5. work fine in IIS on windows server

Ok.

I understand that version must be the same but about auth server I need to create a separate server? Are there other operation to do do?