
I've two separate .NET Core API projects (OpenIDConnect and Features API) deployed into IIS. OpenIDConnect authenticates users with their credentials and issues an accessToken if authentication succeeds. Features API authenticates against the OpenIDConnect API with that accessToken.

services.AddAuthentication(options =>
{
    options.DefaultChallengeScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
    options.DefaultAuthenticateScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
    options.DefaultForbidScheme = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme;
});

Everything works fine until I enable mTLS in OpenIdConnect. That is, I enabled SSL in the OpenIdConnect API from IIS so that it requires the client to include its certificate in the request.

OpenIdConnect API:

services
    .AddAuthentication(o =>
    {
        // Client-certificate authentication is the default scheme for this API.
        o.DefaultScheme = CertificateAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCertificate(options =>
    {
        // Accepts both chained and self-signed certificates.
        options.AllowedCertificateTypes = CertificateTypes.All;
        options.Events = new CertificateAuthenticationEvents
        {
            OnCertificateValidated = context =>
            {
                // Build the principal from the certificate subject.
                var claims = new[]
                {
                    new Claim(
                        ClaimTypes.NameIdentifier,
                        context.ClientCertificate.Subject,
                        ClaimValueTypes.String, context.Options.ClaimsIssuer),
                    new Claim(
                        ClaimTypes.Name,
                        context.ClientCertificate.Subject,
                        ClaimValueTypes.String, context.Options.ClaimsIssuer)
                };

                context.Principal = new ClaimsPrincipal(new ClaimsIdentity(claims, context.Scheme.Name));
                context.Success();

                return Task.CompletedTask;
            }
        };
    });

Once I enabled it, I'm able to get an accessToken from the OpenIdConnect API by adding the certificate in Postman. But I'm unable to access the OpenIdConnect API from the Features API, even though I added the client certificate to the Features API project like below.

services.AddOpenIddict()
    .AddServer(options =>
    {
        options.SetIssuer(new Uri(tokenServiceBaseUrl));
        options.AddSigningCertificate(signingCertificate);
    })
    .AddValidation(options =>
    {
        options.SetIssuer(tokenServiceBaseUrl);
        options.UseAspNetCore();
        options.UseSystemNetHttp();
        options.AddEncryptionCertificate(signingCertificate);
    });

I get the exception below when trying to make a request from Postman:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
 ---> System.Text.Json.JsonException: '<' is an invalid start of a value. Path: $ | LineNumber: 0 | BytePositionInLine: 0.
 ---> System.Text.Json.JsonReaderException: '<' is an invalid start of a value. LineNumber: 0 | BytePositionInLine: 0.
   at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
   at System.Text.Json.Utf8JsonReader.ConsumeValue(Byte marker)
   at System.Text.Json.Utf8JsonReader.ReadFirstToken(Byte first)
   at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
   at System.Text.Json.Utf8JsonReader.Read()
   at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   --- End of inner exception stack trace ---
   at System.Text.Json.ThrowHelper.ReThrowWithPath(ReadStack& state, JsonReaderException ex)
   at System.Text.Json.Serialization.JsonConverter`1.ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.Serialization.JsonConverter`1.ReadCoreAsObject(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.JsonSerializer.ReadCore[TValue](JsonConverter jsonConverter, Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.JsonSerializer.ReadCore[TValue](JsonReaderState& readerState, Boolean isFinalBlock, ReadOnlySpan`1 buffer, JsonSerializerOptions options, ReadStack& state, JsonConverter converterBase)
   at System.Text.Json.JsonSerializer.ReadAsync[TValue](Stream utf8Json, Type returnType, JsonSerializerOptions options, CancellationToken cancellationToken)
   at System.Net.Http.Json.HttpContentJsonExtensions.ReadFromJsonAsyncCore[T](HttpContent content, Encoding sourceEncoding, JsonSerializerOptions options, CancellationToken cancellationToken)
   at OpenIddict.Validation.SystemNetHttp.OpenIddictValidationSystemNetHttpHandlers.ExtractJsonHttpResponse`1.HandleAsync(TContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.OpenIddictValidationService.<>c__DisplayClass2_0.<g__ExtractConfigurationResponseAsync|2>d.MoveNext()
   --- End of stack trace from previous location ---
   at OpenIddict.Validation.OpenIddictValidationService.GetConfigurationAsync(Uri address, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationService.GetConfigurationAsync(Uri address, CancellationToken cancellationToken)
   at OpenIddict.Validation.OpenIddictValidationRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at OpenIddict.Validation.OpenIddictValidationHandlers.ValidateIdentityModelToken.HandleAsync(ProcessAuthenticationContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.OpenIddictValidationDispatcher.DispatchAsync[TContext](TContext context)
   at OpenIddict.Validation.AspNetCore.OpenIddictValidationAspNetCoreHandler.HandleAuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

Selvamz
  • You can use the same error as a reference: https://stackoverflow.com/questions/70312323/system-invalidoperationexception-idx20803-unable-to-obtain-configuration-from – samwu Apr 19 '22 at 09:05
  • @samwu - Thanks for the reply. I went through that, but there is no proper solution posted there. – Selvamz Apr 19 '22 at 10:00
  • It is difficult to reproduce your problem; I suggest you open a case via https://support.microsoft.com. – samwu Apr 21 '22 at 07:21
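The stack trace above shows the validation handler in the Features API fetching the OpenIdConnect API's discovery document and receiving a body that starts with '<', i.e. an HTML page rather than JSON, which is what IIS returns when a site that requires client certificates does not receive one. The example below is added here and is not the asker's code or OpenIddict's own: it shows the Features API side attaching the client certificate to the HttpClient that OpenIddict validation uses for its back-channel (discovery and JWKS) requests, plus a start-up probe that fails fast with a readable message when the discovery endpoint answers with something other than JSON. It assumes OpenIddict 3.x's System.Net.Http integration (`UseSystemNetHttp` with `ConfigureHttpClientHandler`; check the name against the version in use), a certificate installed in LocalMachine\My, and a placeholder thumbprint that must be replaced.

```csharp
using System;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;

public static class MtlsValidationSetup
{
    // Placeholder: replace with the thumbprint of the client certificate issued to the Features API.
    private const string ClientCertThumbprint = "<FEATURES-API-CLIENT-CERT-THUMBPRINT>";

    // Loads the client certificate from the machine store (assumed location; adjust to where it was installed).
    public static X509Certificate2 LoadClientCertificate()
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var matches = store.Certificates.Find(X509FindType.FindByThumbprint, ClientCertThumbprint, validOnly: false);
        if (matches.Count == 0)
            throw new InvalidOperationException("Client certificate for the token service was not found in LocalMachine\\My.");
        return matches[0];
    }

    // Registers OpenIddict validation so the HttpClient used for discovery/JWKS requests presents the client
    // certificate. Assumes the OpenIddict 3.x API surface (UseSystemNetHttp + ConfigureHttpClientHandler).
    public static void AddMtlsAwareValidation(
        IServiceCollection services,
        string tokenServiceBaseUrl,
        X509Certificate2 clientCert,
        X509Certificate2 encryptionCert)
    {
        services.AddOpenIddict()
            .AddValidation(options =>
            {
                options.SetIssuer(tokenServiceBaseUrl);
                options.AddEncryptionCertificate(encryptionCert);
                options.UseAspNetCore();
                options.UseSystemNetHttp(http =>
                    http.ConfigureHttpClientHandler(handler =>
                    {
                        // Default ClientCertificateOptions is Manual, so the added certificate is sent on the TLS handshake.
                        handler.ClientCertificates.Add(clientCert);
                        // Server-certificate validation is left at its default; do not install an accept-all callback.
                    }));
            });
    }

    // Start-up probe: fetch the discovery document the same way OpenIddict will and report clearly when IIS
    // answers with an HTML error page instead of JSON (the condition behind IDX20803 / "'<' is an invalid start").
    public static async Task<string> ProbeDiscoveryAsync(string tokenServiceBaseUrl, X509Certificate2 clientCert)
    {
        var handler = new HttpClientHandler();
        handler.ClientCertificates.Add(clientCert);
        using var client = new HttpClient(handler);

        var address = tokenServiceBaseUrl.TrimEnd('/') + "/.well-known/openid-configuration";
        using var response = await client.GetAsync(address);
        var mediaType = response.Content.Headers.ContentType?.MediaType;
        var body = await response.Content.ReadAsStringAsync();

        if (!response.IsSuccessStatusCode || mediaType != "application/json" || body.TrimStart().StartsWith("<"))
        {
            throw new InvalidOperationException(
                $"Discovery endpoint {address} returned {(int)response.StatusCode} {mediaType ?? "(no content type)"}; " +
                "expected application/json. An HTML body here means IIS did not accept the client certificate " +
                "(or none was sent), so token validation cannot obtain the issuer configuration.");
        }
        return body;
    }
}
```

Call `ProbeDiscoveryAsync` once during start-up (before the first protected request) to turn the opaque JSON parse error into a status code and content type you can act on: a 403 with an HTML body points at the IIS client-certificate mapping or the certificate itself, while a 200 with JSON means the OpenIddict handler simply was not configured to send the certificate. On the OpenIdConnect side, `CertificateTypes.All` in the question accepts self-signed certificates; restricting it to chained certificates and checking the subject or thumbprint in `OnCertificateValidated` narrows which clients can obtain a principal.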
