Identity Server 4 and Docker

I am trying to configure IdentityServer4 using Docker, but I cannot get it to work. To get started, I took the Client Credentials example from the documentation of the authentication server: Protecting APIs using client credentials

IdentityServer: hosted on port 5000

WebApi: hosted on port 5001

In the Configure method of the Startup.cs file of my WebApi, I did the following (the problem is probably here):

    app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
    {
        Authority = "http://web:5000",
        RequireHttpsMetadata = false,
        ApiName = "api1"
    });

And the client:

    // Everything is fine here...
    var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
    var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
    var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");

    // This does not work
    var client = new HttpClient();
    client.SetBearerToken(tokenResponse.AccessToken);
    var response = await client.GetAsync("http://localhost:5001/identity");

The problem is probably in my WebApi:

1) If I set Authority to localhost:5000, I get an internal server error: "Unable to get configuration from: 'http://localhost:5000/.well-known/openid-configuration'", which makes sense, since localhost:5000 is unknown inside this container.

2) If I set Authority to http://web:5000, I get an issuer validation error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers", which also makes sense, but I don't know whether the issuer name can be changed? I also tried setting IssuerUri in the IdentityServer project, but it did not help.

1 answer

Network

Suppose you have two physical machines: C1 and C2. Each machine is a docker host.

C1 starts the Auth container.

C2 launches the WebApi container.

When you expose port 5000 in the Auth Dockerfile, the address C1:5000 must be reachable from C2 and from the WebApi container itself. You may prefer DNS names over IP addresses; it doesn't matter. In addition, you should be able to make a successful GET request to http://C1:5000/.well-known/openid-configuration.

There are many network problems you may run into before this works. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?

Issuer Validation

Issuer authorization error

Your Authority URL is different from the Auth host name. By default, the Authority URL must be equal to the value of the issuer property (this property is part of the Identity Server discovery response).

The value of the issuer property depends on the web request your client makes:

    GET http://127.0.0.1:6000/.well-known/openid-configuration -> "issuer": "http://127.0.0.1:6000"
    GET http://localhost:6000/.well-known/openid-configuration -> "issuer": "localhost:6000"

Try setting IssuerUri to a constant for the dev environment:

    services.AddIdentityServer(x =>
    {
        x.IssuerUri = "foo";
    });

to get a constant issuer value. This allows you to call Identity Server at any valid URL (by IP, machine name, or DNS name):

    GET http://anything/.well-known/openid-configuration -> "issuer": "foo"

DiscoveryClient also checks the issuer value. This is a simple equality comparison:

    public bool ValidateIssuerName(string issuer, string authority)
    {
        return string.Equals(issuer, authority, StringComparison.Ordinal);
    }

You can disable it:

    DiscoveryClient.Policy.ValidateIssuerName = false;

FYI, setting IssuerUri is not recommended for the production environment:

IssuerUri: Sets the issuer name that appears in the discovery document and in the issued JWT tokens. It is recommended not to set this property, so that the issuer name is inferred from the host name used by the clients.

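The mechanism behind both errors in the question, as a small constructed model added here (not IdentityServer4 code): the discovery issuer is inferred from the request host unless IssuerUri is fixed, the API takes ValidIssuer from the metadata it fetches via its own Authority, and DiscoveryClient compares issuer and authority by plain equality. The host names localhost:5000 and web:5000 are the ones from the question; the scenario function and its return values are assumptions of this model.

```python
"""Constructed model of the issuer mismatch between a host-side client and
a containerized WebApi. Not IdentityServer4 code; it only mirrors the rules
described in the answer."""
from typing import Optional, Tuple
from urllib.parse import urlsplit


class IdentityServer:
    def __init__(self, issuer_uri: Optional[str] = None) -> None:
        # issuer_uri=None mimics the default: issuer inferred from the request host.
        self.issuer_uri = issuer_uri

    def discovery(self, request_url: str) -> dict:
        """Discovery document as seen by whoever requested request_url."""
        if self.issuer_uri is not None:
            return {"issuer": self.issuer_uri}
        parts = urlsplit(request_url)
        return {"issuer": f"{parts.scheme}://{parts.netloc}"}

    def issue_token(self, request_url: str) -> dict:
        """The 'iss' claim follows the same rule as the discovery issuer."""
        return {"iss": self.discovery(request_url)["issuer"], "aud": "api1"}


def discovery_client_validate_issuer(issuer: str, authority: str) -> bool:
    # DiscoveryClient.Policy.ValidateIssuerName: ordinal equality, nothing more.
    return issuer == authority


def api_validate_token(token: dict, api_authority: str, ids: IdentityServer) -> bool:
    """The API loads metadata from its Authority and uses that document's
    issuer as ValidIssuer; the token passes only if 'iss' equals it."""
    valid_issuer = ids.discovery(api_authority)["issuer"]
    return token["iss"] == valid_issuer


# Constructed scenario from the question: client on the Docker host, API in a container.
CLIENT_AUTHORITY = "http://localhost:5000"   # what the client can reach
API_AUTHORITY = "http://web:5000"            # what the WebApi container can reach


def scenario(issuer_uri: Optional[str]) -> Tuple[bool, bool]:
    """Returns (DiscoveryClient check on the client, token check on the API)."""
    ids = IdentityServer(issuer_uri)
    disco_issuer = ids.discovery(CLIENT_AUTHORITY)["issuer"]
    disco_ok = discovery_client_validate_issuer(disco_issuer, CLIENT_AUTHORITY)
    token = ids.issue_token(CLIENT_AUTHORITY)
    return disco_ok, api_validate_token(token, API_AUTHORITY, ids)


if __name__ == "__main__":
    print(scenario(None))   # default: API rejects, iss localhost:5000 != ValidIssuer web:5000
    print(scenario("foo"))  # fixed IssuerUri: API accepts, DiscoveryClient check now fails
```

With a fixed IssuerUri the client side only works once DiscoveryClient.Policy.ValidateIssuerName is disabled, which is the second half of the answer.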

Source: https://habr.com/ru/post/1268744/
