"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"

Question

I've deployed my API and Client app on Docker, but for the life of me, the web app cannot call the API, I keep getting an exception.

I added the following line suggested in other posts, but it did not work.

IdentityModelEventSource.ShowPII = true;

Exception:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.InvokeCore(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Most likely your authority is configured incorrectly or it is unable to connect to the metadata endpoint. — juunas, Jan 30 '19 at 08:01
@RuardvanElburg, the issue is that my web ui app cannot call the API since the API is throwing that error [PII is hidden], so i added ShowPII=true , but still the error persists — Jane Senya, Jan 30 '19 at 08:19
@JaneSenya In which project? It should be in the IdentityServer startup. But showing the error is not going to solve the problem. It can only help you to find out what the problem is. — , Jan 30 '19 at 08:24
Oh, I'm setting it at the API project, let me try adding it to the IDS project and revert back to you. — Jane Senya, Jan 30 '19 at 08:29
Possible duplicate of [IDX20803: Unable to obtain configuration from](https://stackoverflow.com/questions/50742248/idx20803-unable-to-obtain-configuration-from) — Aspram, Jan 30 '19 at 10:28
@RuardvanElburg after adding 'ShowPII' in IDS project it worked, I could see the actual error in the logs, apparently the API couldn't access the configuration document. I was able to fix the issue from there. Thanks for the help. — Jane Senya, Jan 30 '19 at 11:23
I am facing same issue in .net core 2.1 & When I am tryin to enable ShowPII it says : IdentityModelEventSource does not have a ShowPII property. Please guide how to enable it in .net core 2.1 — Nilesh Gupta, Mar 03 '23 at 05:44
For my case, I had wrong Authority endpoint to the resource API. Thanks @juunas ! — Dimitris, Apr 28 '23 at 04:32

score 102 · Answer 1 · answered Jun 02 '19 at 23:05

102

We need to enable viewing of PII logs so we can see more details about the error: Add the following line in ConfigureServices() to Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    IdentityModelEventSource.ShowPII = true; //Add this line
    ....

answered Jun 02 '19 at 23:05

Mentor

3,058
1
22
27

3

Same is mentioned in https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/wiki/PII – Rajat Oct 10 '19 at 06:14
5

This line should be added in the Resource.API project (Not in the IDP project), don't do the same mistake as I did :) – Shahar Shokrani Jun 17 '20 at 21:15
7

`using Microsoft.IdentityModel.Logging;` will provide the `IdentityModelEventSource`. – Benxamin Oct 29 '21 at 17:48
I am facing same issue in .net core 2.1 & When I am tryin to enable ShowPII it says : IdentityModelEventSource does not have a ShowPII property. Please guide how to enable it in .net core 2.1 – Nilesh Gupta Mar 03 '23 at 05:43

score 34 · Answer 2 · answered Jun 13 '20 at 11:31

In my case, this happened while I was developing identity prototype with Identity Server on localhost environment and my authority was configured incorrectly.

I was following an example from Identity Server 4, the issue was that the Quick start example of the Identity Server 4 contain 3 projects:

Identity Server. with endpoint => https://localhost:5001
Api (called Resource Api or Consumer Api).
Client.

In the example that was provided, the Identity Server was set to https with endpoint https://localhost:5001. But the Authority was in Consumer Api was set to http://localhost:5000.

So when client try to connect to Consumer Api, it gets the http://localhost:5000 address and try to look at http://localhost:5000/.well-known/openid-configuration and this does not exist. It exist only on https://localhost:5001/.well-known/openid-configuration.

So far so good.

The solution is to ensure you are using the same endpoint of the identity server on your consumer authority:

options.Authority = "https://localhost:5001";

Thank you sir, this still is true, you spared me a lot of head aches. — markus s, Sep 04 '20 at 10:22
Even after 4 decades of coding, still can't see the wood for the trees sometimes :) Thanks — iCollect.it Ltd, Dec 11 '20 at 15:25

score 28 · Answer 3 · answered Jun 02 '20 at 16:48

28

If anyone is experiencing this during development, I was able to solve this by clearing my developer certs then recreating them.

dotnet dev-certs https --clean
dotnet dev-certs https --trust

answered Jun 02 '20 at 16:48

Jason White

5,495
1
21
30

This " dotnet dev-certs https --trust " Does not work on a Linux machine, or on Azure VM – Haroun Hajem Jun 25 '20 at 19:03
1

@HarounHajem I actually run Linux and it works fine on my machine. You might have to install the tool. https://www.nuget.org/packages/dotnet-dev-certs – Jason White Jun 25 '20 at 19:54
2

wow this is the answer that works for me! thanks heaps – Robert Tirta Oct 29 '20 at 11:36
1

This did the trick for me, thanks a lot! – Juanma May 20 '22 at 22:23
For me as well. Thank you. – Dennis Dyallo Sep 15 '22 at 15:18

score 16 · Answer 4 · edited Sep 10 '20 at 06:58

16

Enabling TLS 1.2 solved the issue

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12

edited Sep 10 '20 at 06:58

Pang

9,564
146
81
122

answered Nov 10 '19 at 00:05

Aypn

309
2
7

7

Where did you add this? – alcaprar Nov 17 '20 at 12:40
@alcaprar first line in `ConfigureServices` – dexter Jul 26 '21 at 17:08
So glad I saw this! Thanks!! – Jeremy Thompson Mar 10 '22 at 00:46

score 16 · Answer 5 · answered Jan 31 '22 at 18:29

In .NET 6 add code after builder in Program.cs. Example:

using Microsoft.IdentityModel.Logging;

var builder = WebApplication.CreateBuilder(args);

IdentityModelEventSource.ShowPII = true;

For me the error was:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/<myAD>.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration'

Solution here:

https://stackoverflow.com/a/70925127/3850405

score 9 · Answer 6 · edited May 11 '21 at 18:07

If this it's related to a Visual Studio Web Application project using the "Connect to an existing store in the cloud" AKA "Azure Active Directory B2C" the proposed config it's not good.

Its also needed to change the used userflow in Azure like mentioned in the following article: https://github.com/AzureAD/microsoft-identity-web/wiki/Azure-AD-B2C-issuer-claim-support

Change

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{clientId}",
  "Domain": "{tenant}.b2clogin.com",
  "SignUpSignInPolicyId": "{policy}"
}

To

"AzureAdB2C": {
    "Instance": "https://{tenant}.b2clogin.com/",
    "ClientId": "{clientId}",
    "Domain": "{tenant}.onmicrosoft.com",
    "SignUpSignInPolicyId": "{policy}"
}

Don't you need to drop /tfp also? – Narayana Jan 06 '20 at 18:19 — Narayana, Jan 06 '20 at 18:19
I was missing TenantId it turned out. – The Senator Feb 22 '23 at 10:14 — The Senator, Feb 22 '23 at 10:14

score 4 · Answer 7 · answered Jul 01 '20 at 16:03

4

This error can also happen when the identity server is not running.

answered Jul 01 '20 at 16:03

Martin Staufcik

8,295
4
44
63

In my case. Both client and identity server was running, but the client always finishes first. Client is slightly ahead but is still enough for the client to unable to detect the identity server. – Yorro Apr 25 '23 at 05:30

score 3 · Answer 8 · answered Jun 13 '20 at 21:25

The solution its quite tricky, I know this is an old issue but I had the exact same issue last week and I spend quite a lot of time solving it. This issue is because the Client app is not trusting the Kestrel certificate of the API app.

On the Dockerfile of the client application, you should add something like this in order to add the certificate used on the API application to the trusted CA of the client.

COPY ["API-KESTREL-CERTIFICATE.crt", "/usr/local/share/ca-certificates/"]
RUN update-ca-certificates

BIG NOTE HERE! (At least on a local environment) you should care about the domain of the API certificate. In my case (Local environment) I had to create a multiple domains certificate because the "localhost" of the API is not the same "localhost" of the client app because they are running on different docker containers. Being said that, for the Kestrel certificate of the API I followed this guide to create multiple-domains self-signed certificates https://www.rpkamp.com/2014/08/25/setting-up-a-multi-domain-self-signed-ssl-certificate/ and on the .cnf file in the DNS section, I did something like this and did the trick.

DNS.1 = localhost
DNS.2 = host.docker.internal

Finally, in the authority of the client application be sure of being addressing the proper domain and should be working.

I hope it helps!

Well, we had an IdentityServer project so it was basically the URL of that project... The URL was depending on if it was deployed or It was just localhost: — Jose Ignacio Ochoa, Apr 27 '21 at 22:35
How can I find my Kestrel certificate when I am not using docker? — theonlygusti, Jul 16 '21 at 15:05

score 3 · Answer 9 · answered Oct 05 '22 at 06:30

In .Net 6 using Blazor Server, I had to add the ShowPII statement right before app.Run() in program.cs. If I added it up at top of Main, it would not have any effect. I'm sure you could narrow down a more precise location if you cared to, but this worked for me.

app.MapFallbackToPage("/_Host");
IdentityModelEventSource.ShowPII = true;
app.Run();

My issue was a 404 error.

Using OIDC with endpoint hosted on B2C, I would offer this prescriptive advice - identify your custom policy in the B2C portal under Identity Experience Framework, click on it, copy the url for the OpenID Connect discovery endpoint, and add that as your options.MetadataAddress value. You'll need the 'p' querystring value in the url which is just your policy name.

adding directly before `app.Run()` (instead of much earlier in `Program.cs`) also helps on "normal" ASP.Net Core, thanks! — stefan.at.kotlin, Mar 09 '23 at 19:36

score 2 · Answer 10 · answered Dec 17 '22 at 00:32

In my case I had a B2C instance and related application entry pre-created, then created a new web app and let VS take me through the new web app Microsoft Identity Platform authentication type wizard (which actually worked nicely). The default appsettings.json had this:

"AzureAd": {
"Instance": "https://xxxxxx.b2clogin.com/",
"Domain": "xxxxx.onmicrosoft.com",
"TenantId": "xxxxx",
"ClientId": "xxxxx",
"CallbackPath": "/signin-oidc",
"SignUpSignInPolicyId": "b2c_1_signin",
"SignedOutCallbackPath": "/signout/B2C_1_susi",
"ResetPasswordPolicyId": "b2c_1_reset",
"EditProfilePolicyId": "b2c_1_edit_profile",
"EnablePiiLogging": true},

All that was required to fix it was remove the EnablePiiLogging line.

score 1 · Answer 11 · answered Apr 10 '21 at 10:17

1

For me, I enabled IdentityModelEventSource.ShowPII and got to know that the well-known url was incorrect. This is really helpful answer by @Mentor

answered Apr 10 '21 at 10:17

Ashish Deora

179
1
9

score 1 · Answer 12 · answered Jan 29 '22 at 11:07

if you are using self-signed cert and imported into Trusted Root, it may be automatically deleted by Microsoft CAPI2 and thus JWT validation failed. Either reimport your cert or add this entry in registry: Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
Name: DisableRootAutoUpdate Value: 1 Type: REG_DWORD

score 1 · Answer 13 · answered Feb 28 '22 at 17:12

1

In my case I was using Azure AD Authentication and my internet was not connected, after connecting internet it started working again. PEACE

answered Feb 28 '22 at 17:12

MuhammadHaroon

11
1

I'm facing the same issue but in my case I want to handle this expection so that it shows a readable message to the user if they are facing authentication issues. – faye.babacar78 Apr 15 '22 at 11:14

score 0 · Answer 14 · answered Jun 08 '21 at 23:02

In Linux I tried all the proposed options and none worked, what I had to do is:

generate a free lets Encrypt certificate for the development domain,
generate the pfx file and password using the lets encrypt files: openssl pkcs12 -export -out ca-bundle.pfx -inkey private-key.key -in ca-bundle.crt
setup Kestrel to use those certificates and password. like this examples: microsoft
done

score 0 · Answer 15 · answered Jun 13 '21 at 04:43

0

I was getting the same error and it turns out I forgot to add app.UseIdentityServer(); to StartUp.cs. Adding this method to Cofigure() solved the issue for me.

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
       //other config
        app.UseIdentityServer();
    }

answered Jun 13 '21 at 04:43

Charlie

3,113
3
38
60

1

that doesn't exist (anymore?) – theonlygusti Jul 16 '21 at 15:19

score 0 · Answer 16 · answered Aug 31 '21 at 16:32

0

Just add the following configuration in your appsettings.json file:

  "Instance": "https://login.microsoftonline.com/"

Reference (Github): https://github.com/IdentityServer/IdentityServer4/issues/2337#issuecomment-458772667

answered Aug 31 '21 at 16:32

Willian

3,011
1
15
38

score 0 · Answer 17 · answered Oct 12 '21 at 12:17

0

I saw this error as a result of my hosts file being corrupted (Docker Desktop added a section but corrupted the original contents of the file). This meant that my instance of Identity Server was effectively not running.

answered Oct 12 '21 at 12:17

mft25

417
6
13

Ohan Smit · Answer 18 · 2022-11-15T12:47:38.660

In our case we had a mismatch on one of the microservices configuration in our development environment for the AzureAdB2C's SignUpSignInPolicyId policy property.

All microservices where using this config

"AzureAdB2C": {
    "Instance": "https://ourawesometenant.b2clogin.com",
    "ClientId": "aa2cb23f-d25c-4c34-a7cc-847a2bf36377",
    "Domain": "ourawesometenant.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_Default",
    "AllowWebApiToBeAuthorizedByACL": true
  }

the one that failed with the above error had this configuration with a different SignUpSignInPolicyId value to the other microservices.

"AzureAdB2C": {
    "Instance": "https://ourawesometenant.b2clogin.com",
    "ClientId": "aa2cb23f-d25c-4c34-a7cc-847a2bf36377",
    "Domain": "ourawesometenant.onmicrosoft.com",
    "SignUpSignInPolicyId": "B2C_1_SignUp",
    "AllowWebApiToBeAuthorizedByACL": true
  }

making sure all microservices had the same AzureAdB2C configuration removed this error.

score 0 · Answer 19 · edited Oct 28 '22 at 11:08

0

Add the following two lines in your CounfigurationAuth method:

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12
IdentityModelEventSource.ShowPII = true;

For me its working

edited Oct 28 '22 at 11:08

Suraj Rao

29,388
11
94
103

answered Oct 28 '22 at 10:54

Sudarshan Rathod

1
1

"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"

19 Answers19

Linked