Activities of "pei.chen@cpy.com.hk"

Overriding seems okay though.

Can you share the log again after adding Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; and making a new request?

It should have detailed information about this log:

[08:30:02 INF] Request starting HTTP/1.1 GET http://mos-st-administration/api/language-management/languages/all - - 
[08:30:02 ERR] Exception occurred while processing message. 
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'. 
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'. 

Thank you for your advice. After adding Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; I found out that the IDX20803 error was caused by AddAbpOpenIdConnect without ValidIssuers named with https. I added the following code to context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options => ...);

options.TokenValidationParameters.ValidIssuers = new [] {
    "https://mos-st-authserver"
};

It works for me to call the API with the token from "https://mos-st-authserver", but the swagger client auth still has the "mixed content" error.

swagger-ui-bundle.js:2 Mixed Content: The page at 'https://mos-st-product/swagger/index.html' was loaded over HTTPS, but requested an insecure resource 'http://mos-st-authserver/connect/token'. This content should also be served over HTTPS.

If I change the Chrome secure setting, the error changes to

Access to fetch at 'http://mos-st-authserver/connect/token' from origin 'https://mos-st-product' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

Now I focus on the blazor-server client https://mos-st-web/. When I want to log in from https://mos-st-web/, here is the error log in the auth-server:

[08:41:35 INF] Request starting HTTP/1.1 GET http://mos-st-authserver/connect/authorize?client_id=MOS_BlazorServer&redirect_uri=http%3A%2F%2Fmos-st-web%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20role%20email%20phone%20AccountService%20IdentityService%20AdministrationService%20SaasService%20ProductService%20ClientService%20NotificationService&response_mode=form_post&nonce=637879416953018402.YTE3YTQyNjgtMTJjNC00NzZjLWFjMmUtYjhiNDYyMDdkZmJiZjdlMjA4NWEtZDAyYi00OTFmLTk1ZWQtY2E5ZDg5OTg0NDk2&state=CfDJ8D0lQb5tKTBFn4uvn3Xu6kTrGlmQ5pIAHO9_xiwDvTtF4TXcIPLylJ5oUw6jKOI3HrO1Wa2DeNoSknjhVjluYVGkT-Ts5ddwQazu-vhuSGcykxdqXiYnFWo0l94A1EUClJBVxx_nwpxgTl31-InEMWgDY9cB5VVa9g0If-JP9_7DZYNqeKKfVGixysAzse3QQaix4BIyfnZarJ4u6ngtGuQrpvUT8Sc1nX72f6g5AEkUVWQBgcKIG_7brkMLL30U3bza7dxohmG4BmoywziAlwynG8kzcsb_1YpklsV1kQj1&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0 - -
[08:41:35 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
[08:41:35 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
[08:41:36 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
[08:41:36 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[08:41:36 INF] Identity.Application was not authenticated. Failure message: Unprotect ticket failed
[08:41:36 ERR] Invalid redirect_uri: http://mos-st-web/signin-oidc
{"ClientId": "MOS_BlazorServer", "ClientName": "MOS_BlazorServer", "RedirectUri": null, "AllowedRedirectUris": ["https://mos-st-web/signin-oidc"], "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"client_id": "MOS_BlazorServer", "redirect_uri": "http://mos-st-web/signin-oidc", "response_type": "code id_token", "scope": "openid profile role email phone AccountService IdentityService AdministrationService SaasService ProductService ClientService NotificationService", "response_mode": "form_post", "nonce": "637879416953018402.YTE3YTQyNjgtMTJjNC00NzZjLWFjMmUtYjhiNDYyMDdkZmJiZjdlMjA4NWEtZDAyYi00OTFmLTk1ZWQtY2E5ZDg5OTg0NDk2", "state": "CfDJ8D0lQb5tKTBFn4uvn3Xu6kTrGlmQ5pIAHO9_xiwDvTtF4TXcIPLylJ5oUw6jKOI3HrO1Wa2DeNoSknjhVjluYVGkT-Ts5ddwQazu-vhuSGcykxdqXiYnFWo0l94A1EUClJBVxx_nwpxgTl31-InEMWgDY9cB5VVa9g0If-JP9_7DZYNqeKKfVGixysAzse3QQaix4BIyfnZarJ4u6ngtGuQrpvUT8Sc1nX72f6g5AEkUVWQBgcKIG_7brkMLL30U3bza7dxohmG4BmoywziAlwynG8kzcsb_1YpklsV1kQj1", "x-client-SKU": "ID_NETSTANDARD2_0", "x-client-ver": "6.10.0.0"}, "$type": "AuthorizeRequestValidationLog"}
[08:41:36 ERR] Request validation failed

I think the redirect_uri=http://mos-st-web/signin-oidc should be https://mos-st-web/signin-oidc. How can I change this request, and fix "Identity.Application was not authenticated. Failure message: Unprotect ticket failed"?

Authserver:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: mos-st-authserver
  namespace: mos-st
  uid: fd70d8ec-d3f9-464c-b5a9-b1be44174758
  resourceVersion: '1474532'
  generation: 1
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    deployment.kubernetes.io/revision: '2'
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: apps/v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
        f:spec:
          f:progressDeadlineSeconds: {}
          f:replicas: {}
          f:revisionHistoryLimit: {}
          f:selector: {}
          f:strategy:
            f:rollingUpdate:
              .: {}
              f:maxSurge: {}
              f:maxUnavailable: {}
            f:type: {}
          f:template:
            f:metadata:
              f:labels:
                .: {}
                f:app: {}
            f:spec:
              f:containers:
                k:{"name":"mos-st-authserver"}:
                  .: {}
                  f:env:
                    .: {}
                    k:{"name":"App__CorsOrigins"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"App__RedirectAllowedUrls"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"App__SelfUrl"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"AuthServer__Authority"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"AuthServer__RequireHttpsMetadata"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ConnectionStrings__AdministrationService"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ConnectionStrings__IdentityService"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ConnectionStrings__SaasService"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"DOTNET_ENVIRONMENT"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ElasticSearch__Url"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"RabbitMQ__Connections__Default__HostName"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"Redis__Configuration"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"StringEncryption__DefaultPassPhrase"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                  f:image: {}
                  f:imagePullPolicy: {}
                  f:name: {}
                  f:ports:
                    .: {}
                    k:{"containerPort":80,"protocol":"TCP"}:
                      .: {}
                      f:containerPort: {}
                      f:name: {}
                      f:protocol: {}
                    k:{"containerPort":443,"protocol":"TCP"}:
                      .: {}
                      f:containerPort: {}
                      f:name: {}
                      f:protocol: {}
                  f:resources: {}
                  f:terminationMessagePath: {}
                  f:terminationMessagePolicy: {}
              f:dnsPolicy: {}
              f:imagePullSecrets:
                .: {}
                k:{"name":"regcred"}: {}
              f:restartPolicy: {}
              f:schedulerName: {}
              f:securityContext: {}
              f:terminationGracePeriodSeconds: {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: apps/v1
      time: '2022-05-08T07:38:05Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            f:deployment.kubernetes.io/revision: {}
        f:status:
          f:availableReplicas: {}
          f:collisionCount: {}
          f:conditions:
            .: {}
            k:{"type":"Available"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
            k:{"type":"Progressing"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
          f:observedGeneration: {}
          f:readyReplicas: {}
          f:replicas: {}
          f:updatedReplicas: {}
      subresource: status
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mos-st-authserver
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: mos-st-authserver
    spec:
      containers:
        - name: mos-st-authserver
          image: >-
            359134898311.dkr.ecr.ap-east-1.amazonaws.com/mos-app-authserver:latest
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          env:
            - name: App__SelfUrl
              value: https://mos-st-authserver
            - name: App__CorsOrigins
              value: >-
                https://mos-st-gateway-web,https://mos-st-gateway-web-public,https://mos-st-identity,https://mos-st-administration,https://mos-st-saas,https://mos-st-product,https://mos-st-client,https://mos-st-notification
            - name: App__RedirectAllowedUrls
              value: https://mos-st-web
            - name: ConnectionStrings__IdentityService
              value: >-
                Server=mos-st-sqldb,1433;Database=MOS_Identity;User
                Id=sa;password=myPassw@rd
            - name: ConnectionStrings__AdministrationService
              value: >-
                Server=mos-st-sqldb,1433;Database=MOS_Administration;User
                Id=sa;password=myPassw@rd
            - name: ConnectionStrings__SaasService
              value: >-
                Server=mos-st-sqldb,1433;Database=MOS_Saas;User
                Id=sa;password=myPassw@rd
            - name: AuthServer__Authority
              value: http://mos-st-authserver
            - name: AuthServer__RequireHttpsMetadata
              value: 'false'
            - name: DOTNET_ENVIRONMENT
              value: Staging
            - name: Redis__Configuration
              value: mos-st-redis
            - name: StringEncryption__DefaultPassPhrase
              value: gsKnGZ041HLL4IM8
            - name: RabbitMQ__Connections__Default__HostName
              value: mos-st-rabbitmq
            - name: ElasticSearch__Url
              value: http://mos-st-elasticsearch
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      imagePullSecrets:
        - name: regcred
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
status:
  observedGeneration: 1
  replicas: 1
  updatedReplicas: 1
  readyReplicas: 1
  availableReplicas: 1
  conditions:
    - type: Available
      status: 'True'
      lastUpdateTime: '2022-05-08T04:44:24Z'
      lastTransitionTime: '2022-05-08T04:44:24Z'
      reason: MinimumReplicasAvailable
      message: Deployment has minimum availability.
    - type: Progressing
      status: 'True'
      lastUpdateTime: '2022-05-08T07:38:05Z'
      lastTransitionTime: '2022-05-08T04:43:48Z'
      reason: NewReplicaSetAvailable
      message: ReplicaSet "mos-st-authserver-786b955d9" has successfully progressed.
  collisionCount: 1


kind: Service
apiVersion: v1
metadata:
  name: mos-st-authserver
  namespace: mos-st
  uid: d697633c-6212-4866-9629-957b79b182e5
  resourceVersion: '1474383'
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
    name: mos-st-authserver
  annotations:
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
            f:name: {}
        f:spec:
          f:internalTrafficPolicy: {}
          f:ports:
            .: {}
            k:{"port":80,"protocol":"TCP"}:
              .: {}
              f:name: {}
              f:port: {}
              f:protocol: {}
              f:targetPort: {}
          f:selector: {}
          f:sessionAffinity: {}
          f:type: {}
spec:
  ports:
    - name: '80'
      protocol: TCP
      port: 80
      targetPort: 80
  selector:
    app: mos-st-authserver
  clusterIP: 10.107.232.76
  clusterIPs:
    - 10.107.232.76
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
status:
  loadBalancer: {}


kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mos-st-authserver-ingress
  namespace: mos-st
  uid: 1f83db9c-77d5-42e0-87b2-04c380eb2152
  resourceVersion: '1458727'
  generation: 1
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_input_headers "from-ingress: true";
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
    nginx.ingress.kubernetes.io/proxy-buffers-number: '8'
    nginx.ingress.kubernetes.io/rewrite-target: /
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
            f:nginx.ingress.kubernetes.io/configuration-snippet: {}
            f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
            f:nginx.ingress.kubernetes.io/proxy-buffer-size: {}
            f:nginx.ingress.kubernetes.io/proxy-buffers-number: {}
            f:nginx.ingress.kubernetes.io/rewrite-target: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-08T04:44:13Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      subresource: status
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - mos-st-authserver
      secretName: mos-tls
  rules:
    - host: mos-st-authserver
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mos-st-authserver
                port:
                  number: 80
status:
  loadBalancer:
    ingress:
      - hostname: localhost

There may be a problem with overriding the configuration in your kubernetes values files.

Do you deploy as a single helm chart, and are you sure that the Values.yaml has the correct configuration? If you are deploying applications individually, you need to update the related helm chart Values.yaml.

Can you also add the related code to show the detailed OpenId error and rebuild/redeploy your application? There might be a clue.

Here are the yamls I copied from the kubernetes dashboard. administration:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: mos-st-administration
  namespace: mos-st
  uid: 5e6f7465-f220-4e47-bc88-e8ef0f0b31c0
  resourceVersion: '1475368'
  generation: 2
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    deployment.kubernetes.io/revision: '2'
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: apps/v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
        f:spec:
          f:progressDeadlineSeconds: {}
          f:replicas: {}
          f:revisionHistoryLimit: {}
          f:selector: {}
          f:strategy:
            f:rollingUpdate:
              .: {}
              f:maxSurge: {}
              f:maxUnavailable: {}
            f:type: {}
          f:template:
            f:metadata:
              f:labels:
                .: {}
                f:app: {}
            f:spec:
              f:containers:
                k:{"name":"mos-st-administration"}:
                  .: {}
                  f:env:
                    .: {}
                    k:{"name":"App__CorsOrigins"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"App__SelfUrl"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"AuthServer__Authority"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"AuthServer__RequireHttpsMetadata"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ConnectionStrings__AdministrationService"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ConnectionStrings__SaasService"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"DOTNET_ENVIRONMENT"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"ElasticSearch__Url"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"IdentityClients__Default__Authority"}:
                      .: {}
                      f:name: {}
                    k:{"name":"RabbitMQ__Connections__Default__HostName"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"Redis__Configuration"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"RemoteServices__Default__BaseUrl"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                    k:{"name":"StringEncryption__DefaultPassPhrase"}:
                      .: {}
                      f:name: {}
                      f:value: {}
                  f:image: {}
                  f:imagePullPolicy: {}
                  f:name: {}
                  f:ports:
                    .: {}
                    k:{"containerPort":80,"protocol":"TCP"}:
                      .: {}
                      f:containerPort: {}
                      f:name: {}
                      f:protocol: {}
                    k:{"containerPort":443,"protocol":"TCP"}:
                      .: {}
                      f:containerPort: {}
                      f:name: {}
                      f:protocol: {}
                  f:resources: {}
                  f:terminationMessagePath: {}
                  f:terminationMessagePolicy: {}
              f:dnsPolicy: {}
              f:imagePullSecrets:
                .: {}
                k:{"name":"regcred"}: {}
              f:restartPolicy: {}
              f:schedulerName: {}
              f:securityContext: {}
              f:terminationGracePeriodSeconds: {}
    - manager: dashboard
      operation: Update
      apiVersion: apps/v1
      time: '2022-05-08T07:46:42Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:spec:
          f:template:
            f:spec:
              f:containers:
                k:{"name":"mos-st-administration"}:
                  f:env:
                    k:{"name":"IdentityClients__Default__Authority"}:
                      f:value: {}
    - manager: kube-controller-manager
      operation: Update
      apiVersion: apps/v1
      time: '2022-05-08T07:46:44Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            f:deployment.kubernetes.io/revision: {}
        f:status:
          f:availableReplicas: {}
          f:conditions:
            .: {}
            k:{"type":"Available"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
            k:{"type":"Progressing"}:
              .: {}
              f:lastTransitionTime: {}
              f:lastUpdateTime: {}
              f:message: {}
              f:reason: {}
              f:status: {}
              f:type: {}
          f:observedGeneration: {}
          f:readyReplicas: {}
          f:replicas: {}
          f:updatedReplicas: {}
      subresource: status
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mos-st-administration
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: mos-st-administration
    spec:
      containers:
        - name: mos-st-administration
          image: >-
            359134898311.dkr.ecr.ap-east-1.amazonaws.com/mos-service-administration:latest
          ports:
            - name: http
              containerPort: 80
              protocol: TCP
            - name: https
              containerPort: 443
              protocol: TCP
          env:
            - name: App__SelfUrl
              value: https://mos-st-administration
            - name: RemoteServices__Default__BaseUrl
              value: http://mos-st-gateway-web
            - name: App__CorsOrigins
              value: https://mos-st-gateway-web,https://mos-st-gateway-web-public
            - name: IdentityClients__Default__Authority
              value: http://mos-st-authserver
            - name: ConnectionStrings__AdministrationService
              value: >-
                Server=mos-st-sqldb,1433;Database=MOS_Administration;User
                Id=sa;password=myPassw@rd
            - name: ConnectionStrings__SaasService
              value: >-
                Server=mos-st-sqldb,1433;Database=MOS_Saas;User
                Id=sa;password=myPassw@rd
            - name: DOTNET_ENVIRONMENT
              value: Staging
            - name: Redis__Configuration
              value: mos-st-redis
            - name: AuthServer__Authority
              value: http://mos-st-authserver
            - name: AuthServer__RequireHttpsMetadata
              value: 'false'
            - name: StringEncryption__DefaultPassPhrase
              value: gsKnGZ041HLL4IM8
            - name: RabbitMQ__Connections__Default__HostName
              value: mos-st-rabbitmq
            - name: ElasticSearch__Url
              value: http://mos-st-elasticsearch
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          imagePullPolicy: IfNotPresent
      restartPolicy: Always
      terminationGracePeriodSeconds: 30
      dnsPolicy: ClusterFirst
      securityContext: {}
      imagePullSecrets:
        - name: regcred
      schedulerName: default-scheduler
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 25%
      maxSurge: 25%
  revisionHistoryLimit: 10
  progressDeadlineSeconds: 600
status:
  observedGeneration: 2
  replicas: 1
  updatedReplicas: 1
  readyReplicas: 1
  availableReplicas: 1
  conditions:
    - type: Available
      status: 'True'
      lastUpdateTime: '2022-05-08T04:44:27Z'
      lastTransitionTime: '2022-05-08T04:44:27Z'
      reason: MinimumReplicasAvailable
      message: Deployment has minimum availability.
    - type: Progressing
      status: 'True'
      lastUpdateTime: '2022-05-08T07:46:44Z'
      lastTransitionTime: '2022-05-08T04:43:48Z'
      reason: NewReplicaSetAvailable
      message: >-
        ReplicaSet "mos-st-administration-5bc6f6fc68" has successfully
        progressed.



kind: Service
apiVersion: v1
metadata:
  name: mos-st-administration
  namespace: mos-st
  uid: 4596aec0-241f-4024-98d7-836037649eb0
  resourceVersion: '1458270'
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
    name: mos-st-administration
  annotations:
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
            f:name: {}
        f:spec:
          f:internalTrafficPolicy: {}
          f:ports:
            .: {}
            k:{"port":80,"protocol":"TCP"}:
              .: {}
              f:name: {}
              f:port: {}
              f:protocol: {}
              f:targetPort: {}
            k:{"port":443,"protocol":"TCP"}:
              .: {}
              f:name: {}
              f:port: {}
              f:protocol: {}
              f:targetPort: {}
          f:selector: {}
          f:sessionAffinity: {}
          f:type: {}
spec:
  ports:
    - name: '80'
      protocol: TCP
      port: 80
      targetPort: 80
    - name: '443'
      protocol: TCP
      port: 443
      targetPort: 443
  selector:
    app: mos-st-administration
  clusterIP: 10.101.5.16
  clusterIPs:
    - 10.101.5.16
  type: ClusterIP
  sessionAffinity: None
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  internalTrafficPolicy: Cluster
status:
  loadBalancer: {}


kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: mos-st-administration-ingress
  namespace: mos-st
  uid: b4eb866f-e020-4bee-9a53-05a46b5f4185
  resourceVersion: '1458741'
  generation: 1
  creationTimestamp: '2022-05-08T04:43:48Z'
  labels:
    app.kubernetes.io/managed-by: Helm
  annotations:
    meta.helm.sh/release-name: mos-st
    meta.helm.sh/release-namespace: mos-st
    nginx.ingress.kubernetes.io/force-ssl-redirect: 'true'
    nginx.ingress.kubernetes.io/proxy-buffer-size: 32k
    nginx.ingress.kubernetes.io/proxy-buffers-number: '8'
    nginx.ingress.kubernetes.io/rewrite-target: /
  managedFields:
    - manager: helm
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-08T04:43:48Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:metadata:
          f:annotations:
            .: {}
            f:meta.helm.sh/release-name: {}
            f:meta.helm.sh/release-namespace: {}
            f:nginx.ingress.kubernetes.io/force-ssl-redirect: {}
            f:nginx.ingress.kubernetes.io/proxy-buffer-size: {}
            f:nginx.ingress.kubernetes.io/proxy-buffers-number: {}
            f:nginx.ingress.kubernetes.io/rewrite-target: {}
          f:labels:
            .: {}
            f:app.kubernetes.io/managed-by: {}
        f:spec:
          f:ingressClassName: {}
          f:rules: {}
          f:tls: {}
    - manager: nginx-ingress-controller
      operation: Update
      apiVersion: networking.k8s.io/v1
      time: '2022-05-08T04:44:14Z'
      fieldsType: FieldsV1
      fieldsV1:
        f:status:
          f:loadBalancer:
            f:ingress: {}
      subresource: status
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - mos-st-administration
      secretName: mos-tls
  rules:
    - host: mos-st-administration
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mos-st-administration
                port:
                  number: 80
status:
  loadBalancer:
    ingress:
      - hostname: localhost

And for the .net code I still use the default template.

It is not related to the token.

Add the code below to AdministrationServiceModule ConfigureServices method to see detailed information about the OpenId error:

Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true; 

It can be a problem with swagger authorization. When you are making a request from the browser to login, you are redirected to http://mos-st-authserver (AuthServer:Authority); however, it is served under https on the browser.

Maybe you can try sending a header from the WebGateway Ingress and writing a middleware at AuthServer to redirect to https if the request is coming from the browser:

app.Use(async (ctx, next) =>
{
    // The ingress adds the "from-ingress: true" header (see the configuration-snippet
    // annotation on the Ingress), so a request carrying it came in through the https
    // ingress and is treated as https; in-cluster calls without the header stay http.
    if (ctx.Request.Headers.ContainsKey("from-ingress"))
    {
        ctx.Request.Scheme = "https";
    }

    await next();
});
 

This way, when you are making a login request from swagger, you should be redirected to https://mos-st-authserver and the token validation Issuer will still navigate to http://mos-st-authserver inside the internal kubernetes network.
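A constructed consistency check for the http/https split described above, added here as an example and not code from the thread or from ABP: it takes a hypothetical discovery document (its values are assumed, not captured from the auth server) plus the Service ports from the posted YAML, and reports the issuer mismatch that ValidIssuers has to cover, the in-cluster JWKS fetch that would end in "Connection refused (mos-st-authserver:443)", and the mixed-content case the swagger page hits when browser-facing endpoints are plain http.

```python
import json
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample, not captured from the thread: what the auth server might return from
# http://mos-st-authserver/.well-known/openid-configuration when it believes its public
# origin is https://mos-st-authserver (App:SelfUrl).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://mos-st-authserver",
    "jwks_uri": "https://mos-st-authserver/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://mos-st-authserver/connect/authorize",
    "token_endpoint": "https://mos-st-authserver/connect/token",
})

# Taken from the Service YAML in the thread: mos-st-authserver exposes only TCP/80 in-cluster.
SERVICE_PORTS = {"mos-st-authserver": {80}}

# Endpoints the resource service fetches from inside the cluster vs. ones the browser calls.
IN_CLUSTER_ENDPOINTS = ("jwks_uri",)
BROWSER_ENDPOINTS = ("authorization_endpoint", "token_endpoint")


@dataclass(frozen=True)
class Finding:
    key: str        # discovery field the finding is about
    message: str


def _host_port_scheme(url):
    parts = urlsplit(url)
    return parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme], parts.scheme


def check_discovery(discovery_json, service_ports, valid_issuers, browser_scheme="https"):
    """Explain why a JwtBearer handler configured with `valid_issuers` and a UI served over
    `browser_scheme` (swagger / blazor) would fail against this discovery document."""
    doc = json.loads(discovery_json)
    findings = []

    # 1. Tokens carry the advertised issuer; the handler compares it with ValidIssuers.
    issuer = doc.get("issuer")
    if issuer not in valid_issuers:
        findings.append(Finding("issuer",
            f"tokens carry iss={issuer!r}, which is not in ValidIssuers {sorted(valid_issuers)}; "
            "issuer validation rejects every token"))

    # 2. The resource service fetches signing keys over the cluster network; the port in the
    #    advertised URL must actually be exposed by the Service, or the socket is refused.
    for key in IN_CLUSTER_ENDPOINTS:
        host, port, _ = _host_port_scheme(doc[key])
        exposed = service_ports.get(host, set())
        if port not in exposed:
            findings.append(Finding(key,
                f"{doc[key]} targets {host}:{port} but the Service exposes {sorted(exposed)}; "
                f"the in-cluster fetch fails with 'Connection refused ({host}:{port})' "
                "(surfaces as IDX20804 / IDX20803)"))

    # 3. The browser calls these from a page served over browser_scheme; https page + http
    #    endpoint is blocked as mixed content before CORS or redirects are even evaluated.
    for key in BROWSER_ENDPOINTS:
        _, _, scheme = _host_port_scheme(doc[key])
        if browser_scheme == "https" and scheme == "http":
            findings.append(Finding(key,
                f"{doc[key]} is plain http but the UI page is served over https; "
                "the browser blocks it as mixed content"))
    return findings


def rewrite_scheme(discovery_json, scheme):
    """Return the same document with every URL switched to `scheme`, to compare what the
    auth server advertises when it treats its origin as http versus https."""
    doc = json.loads(discovery_json)
    for k, v in doc.items():
        if isinstance(v, str) and "://" in v:
            doc[k] = scheme + "://" + v.split("://", 1)[1]
    return json.dumps(doc)


if __name__ == "__main__":
    # The thread's situation: Authority is http, so ValidIssuers defaults to the http form.
    for f in check_discovery(SAMPLE_DISCOVERY, SERVICE_PORTS, {"http://mos-st-authserver"}):
        print(f"[{f.key}] {f.message}")
    print("--- same auth server advertising http endpoints instead:")
    for f in check_discovery(rewrite_scheme(SAMPLE_DISCOVERY, "http"), SERVICE_PORTS,
                             {"http://mos-st-authserver"}):
        print(f"[{f.key}] {f.message}")
```

Adding both issuer forms to ValidIssuers clears only the issuer finding; the refused JWKS fetch and the mixed-content case are resolved by what the Service exposes and which scheme the discovery document advertises, not by the token handler.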

The default template already contains logic just like what you said. I changed it to ctx.Request.Scheme = "https" and it shows the same error log.

app.Use(async (ctx, next) =>
{
    if (ctx.Request.Headers.ContainsKey("from-ingress"))
    {
        ctx.SetIdentityServerOrigin(configuration["App:SelfUrl"]);
    }

    await next();
});

I use Postman to get a token successfully and request the API at http://mos-st-administration/api/language-management/languages/all. To avoid the swagger redirect, I just use the REST API only. I have set all the yaml:

            - name: AuthServer__Authority
              value: http://mos-st-authserver
            - name: AuthServer__RequireHttpsMetadata
              value: 'false'

but it still shows the error: "---> System.Net.Http.HttpRequestException: Connection refused (mos-st-authserver:443)". I have no idea why it redirects to 443.

Letsencrypt won't work since you are not using real domains. Is your authserver (already accountservice) running on https?

Do you get a Not secure/trusted error? The internal request to the issuer endpoint can fail because of returning a not secure page.

Is there a way to let the service call authserver with https, because the whole question is based on it?

This is an exception from Administration Service.

[08:30:02 INF] Request starting HTTP/1.1 GET http://mos-st-administration/api/language-management/languages/all - -
[08:30:02 ERR] Exception occurred while processing message.
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
 ---> System.Net.Http.HttpRequestException: Connection refused (mos-st-authserver:443)
 ---> System.Net.Sockets.SocketException (111): Connection refused
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.ThrowException(SocketError error, CancellationToken cancellationToken)
   at System.Net.Sockets.Socket.AwaitableSocketAsyncEventArgs.System.Threading.Tasks.Sources.IValueTaskSource.GetResult(Int16 token)
   at System.Net.Sockets.Socket.<ConnectAsync>g__WaitForConnectWithCancellation|277_0(AwaitableSocketAsyncEventArgs saea, ValueTask connectTask, CancellationToken cancellationToken)
   at System.Net.Http.HttpConnectionPool.ConnectToTcpHostAsync(String host, Int32 port, HttpRequestMessage initialRequest, Boolean async, CancellationToken cancellationToken)
   --- End of inner exception stack trace ---

This exception is caused by trying to use Postman to get a token from https://mos-st-authserver/ and using the token to call the service: https://mos-st-administration/api/language-management/languages/all

This is the payload in token:

{
  "nbf": 1651826063,
  "exp": 1683362063,
  "iss": "https://mos-st-authserver",
  "aud": "AdministrationService",
  "client_id": "WebGateway_Swagger",
  "sub": "414da19f-8697-7bc7-089e-3a03aa97ec05",
  "auth_time": 1651826063,
  "idp": "local",
  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "admin",
  "unique_name": "admin",
  "preferred_username": "admin",
  "given_name": "admin",
  "role": "admin",
  "phone_number_verified": "False",
  "email": "admin@abp.io",
  "email_verified": "False",
  "name": "admin",
  "sid": "0112997F344EA7D0B1C09B7AB815FBE2",
  "iat": 1651826063,
  "scope": [
    "AdministrationService"
  ],
  "amr": [
    "pwd"
  ]
}

accountservice

It works well in https://mos-st-authserver/Account/Login

But if I authorize from https://mos-st-administration/swagger/index.html , the first time it will show:

I have changed nothing about the authserver project, built it with docker build (/build-images.ps1) and added the TLS secret following this document: https://github.com/abpframework/eShopOnAbp/tree/main/etc

Is this a Docker Desktop local kubernetes cluster you are trying to run? This seems to be related to swagger authentication. I will try to reproduce the problem. Do you have any custom configurations on ingress.yaml files?

It's very helpful to deploy an abp.io microservice template to a Helm hub for reference... Please consider that.

Thank you for the suggestion. I will create an internal issue for this.

Yes, I use the docker desktop for testing. No change with the ingress file, just installed the NGINX Ingress Controller according to the description.

kubernetes.io/ingress.class: "nginx"

Only install the "cert-manager" in k8s but do nothing, because I just tested in the local network. Should I do something about the letsencrypt?

cert-manager.io/cluster-issuer: letsencrypt


Gateway Web auth error: https://mos-st-gateway-web/swagger/index.html After auth: Show

I am assuming it is AccountService since web-gateway swagger just shows the microservice swagger endpoints it redirects at API definitions.

The error indicates that the client is trying to reach the issuer at mos-st-authserver:443 however it should use http instead of https inside the internal network.

Does this occur on web-gateway, AccountService only? Can you try other microservices over the web-gateway? Can you also try directly the microservice swagger endpoint?
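The suggestion above (fetch issuer metadata over internal http, while browser traffic through the ingress stays https) and the earlier ingress-header middleware can be expressed in one service configuration; this is an added example, not code from the thread or from the ABP template. It assumes the nginx ingress sets X-Forwarded-Proto, that "mos-st-authserver" resolves over plain http inside the cluster, and that the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced.

```csharp
// Added example, not part of the thread or the ABP template.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Trust the scheme reported by the ingress (X-Forwarded-Proto) instead of the
// plain-http scheme the pod itself saw, so Request.Scheme becomes "https"
// for browser traffic. KnownNetworks/KnownProxies are cleared because the
// ingress pod IP is not loopback; narrow them to the ingress range when known.
builder.Services.Configure<ForwardedHeadersOptions>(options =>
{
    options.ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost;
    options.KnownNetworks.Clear();
    options.KnownProxies.Clear();
});

builder.Services.AddAuthorization();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Discovery document and JWKS are fetched inside the cluster over http
        // (port 80), so the service never tries to reach mos-st-authserver:443.
        options.Authority = "http://mos-st-authserver";
        options.RequireHttpsMetadata = false;
        options.Audience = "AdministrationService";

        // Tokens obtained through the ingress carry the public https issuer
        // ("iss": "https://mos-st-authserver"), so accept both spellings instead
        // of the single issuer value derived from Authority.
        options.TokenValidationParameters.ValidIssuers = new[]
        {
            "https://mos-st-authserver",
            "http://mos-st-authserver"
        };
    });

var app = builder.Build();

// Must run before anything that builds absolute URLs or issues redirects.
app.UseForwardedHeaders();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "ok").RequireAuthorization();
app.Run();
```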

After Auth: Console show 'https://mos-st-administration/swagger/index.html' was loaded over HTTPS, but requested an insecure resource 'http://mos-st-authserver/connect/token'.

The swagger is https, but we set the authserver to http...

Actually, this issue is the same as QA #3009 https://support.abp.io/QA/Questions/3009, but it is closed.
