"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"
Solution 1
We need to enable viewing of PII in the logs so we can see more details about the error. Add the following line to ConfigureServices() in Startup.cs:
using Microsoft.IdentityModel.Logging;

public void ConfigureServices(IServiceCollection services)
{
    IdentityModelEventSource.ShowPII = true; // Add this line
    // ... rest of the service registrations
}
Solution 2
In my case, this happened while I was developing an identity prototype with Identity Server in a localhost environment, and my authority was configured incorrectly.
I was following an example from Identity Server 4; the issue was that the Quick Start example of Identity Server 4 contains 3 projects:
- Identity Server, with endpoint https://localhost:5001
- Api (called Resource Api or Consumer Api).
- Client.
In the example that was provided, the Identity Server was set to https with endpoint https://localhost:5001. But the Authority in the Consumer Api was set to http://localhost:5000.
So when the client tries to connect to the Consumer Api, it gets the http://localhost:5000 address and tries to look at http://localhost:5000/.well-known/openid-configuration, and this does not exist. It exists only on https://localhost:5001/.well-known/openid-configuration.
So far so good.
The solution is to ensure you are using the same endpoint of the identity server for your consumer authority:
options.Authority = "https://localhost:5001";
Solution 3
If anyone is experiencing this during development, I was able to solve this by clearing my developer certs then recreating them.
dotnet dev-certs https --clean
dotnet dev-certs https --trust
Solution 4
If this is related to a Visual Studio Web Application project using "Connect to an existing store in the cloud", AKA "Azure Active Directory B2C", the proposed config is not good.
It's also needed to change the user flow used in Azure, as mentioned in the following article: https://github.com/AzureAD/microsoft-identity-web/wiki/Azure-AD-B2C-issuer-claim-support
Change
"AzureAdB2C": {
    "Instance": "https://login.microsoftonline.com/tfp",
    "ClientId": "{clientId}",
    "Domain": "{tenant}.b2clogin.com",
    "SignUpSignInPolicyId": "{policy}"
}
To
"AzureAdB2C": {
    "Instance": "https://{tenant}.b2clogin.com/",
    "ClientId": "{clientId}",
    "Domain": "{tenant}.onmicrosoft.com",
    "SignUpSignInPolicyId": "{policy}"
}
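Solutions 2 and 4 both come down to the same thing: the Authority the consumer API is configured with must be exactly where the identity server serves its discovery document, and IDX20803 hides that URL until ShowPII is on. The following offline pre-flight check is an added example (Python, not code from this thread or from IdentityServer); the served discovery documents and the appsettings section are constructed stand-ins for the real HTTP fetch and config file.

```python
from __future__ import annotations
import json
from urllib.parse import urlsplit

DISCOVERY_PATH = "/.well-known/openid-configuration"

def discovery_url(authority: str) -> str:
    """JwtBearer's ConfigurationManager fetches OIDC metadata from Authority + this path."""
    return authority.rstrip("/") + DISCOVERY_PATH

def _origin(url: str) -> tuple[str, str, int]:
    """(scheme, host, effective port): what the TCP connect actually targets."""
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or (443 if p.scheme == "https" else 80)

def check_authority(authority: str, served_docs: dict[str, str]) -> list[str]:
    """Problems a consumer API with this Authority will hit. served_docs maps the discovery
    URLs the identity server really answers to the JSON it returns (stand-in for the fetch)."""
    url, findings = discovery_url(authority), []
    if url in served_docs:
        issuer = json.loads(served_docs[url])["issuer"]
        if _origin(issuer) != _origin(authority):
            findings.append(f"issuer {issuer} is served from a different origin than Authority {authority}")
        return findings
    findings.append(f"no discovery document at {url}: IDX20803, shown as '[PII is hidden]' until ShowPII = true")
    for served in served_docs:  # same host on another scheme/port is the Solution 2 mistake
        if _origin(served)[1] == _origin(authority)[1]:
            findings.append(f'server answers at {served}; set options.Authority = "{served[:-len(DISCOVERY_PATH)]}"')
    return findings

def check_b2c_instance(section: dict[str, str]) -> list[str]:
    """Solution 4: login.microsoftonline.com/tfp is the legacy B2C instance/issuer format."""
    inst = section.get("Instance", "")
    if "login.microsoftonline.com" in inst and inst.rstrip("/").endswith("/tfp"):
        tenant = section.get("Domain", "").split(".")[0]
        return [f'Instance "{inst}" is the legacy /tfp format; use "https://{tenant}.b2clogin.com/" '
                f'with Domain "{tenant}.onmicrosoft.com"']
    return []

# Constructed scenario from Solution 2: IdentityServer on https://localhost:5001,
# consumer API Authority pointing at http://localhost:5000.
SERVED = {"https://localhost:5001" + DISCOVERY_PATH: json.dumps({"issuer": "https://localhost:5001"})}

if __name__ == "__main__":
    for finding in check_authority("http://localhost:5000", SERVED):
        print("-", finding)
    print(check_b2c_instance({"Instance": "https://login.microsoftonline.com/tfp",
                              "Domain": "{tenant}.b2clogin.com"}))
```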
Solution 5
Enabling TLS 1.2 solved the issue
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Jane Senya
Updated on July 09, 2022
Comments
- Jane Senya (almost 2 years): I've deployed my API and Client app on Docker, but for the life of me, the web app cannot call the API; I keep getting an exception.
  I added the following line suggested in other posts, but it did not work.
  IdentityModelEventSource.ShowPII = true;
  Exception:
  System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
     at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
     at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
     at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
     at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
     at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
     at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.InvokeCore(HttpContext context)
     at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
- Rajat (over 4 years): Same is mentioned in github.com/AzureAD/…
- Narayana (over 4 years): Don't you need to drop /tfp also?
- Shahar Shokrani (almost 4 years): This line should be added in the Resource.API project (not in the IDP project); don't make the same mistake as I did :)
- Haroun Hajem (almost 4 years): This "dotnet dev-certs https --trust" does not work on a Linux machine, or on an Azure VM.
- Jason White (almost 4 years): @HarounHajem I actually run Linux and it works fine on my machine. You might have to install the tool: nuget.org/packages/dotnet-dev-certs
- markus s (over 3 years): Thank you sir, this still is true; you spared me a lot of headaches.
- Robert Tirta (over 3 years): Wow, this is the answer that works for me! Thanks heaps.
- alcaprar (over 3 years): Where did you add this?
- Gone Coding (over 3 years): Even after 4 decades of coding, still can't see the wood for the trees sometimes :) Thanks
- Rajiv (about 3 years): Can you share what's the authority URL you used?
- Jose Ignacio Ochoa (about 3 years): Well, we had an IdentityServer project, so it was basically the URL of that project... The URL depended on whether it was deployed or it was just localhost:<port>
- theonlygusti (almost 3 years): How can I find my Kestrel certificate when I am not using Docker?
- theonlygusti (almost 3 years): That doesn't exist (anymore?)
- dexter (almost 3 years): @alcaprar first line in ConfigureServices
- Benxamin (over 2 years): using Microsoft.IdentityModel.Logging; will provide the IdentityModelEventSource.
- Jeremy Thompson (about 2 years): So glad I saw this! Thanks!!
- Juanma (almost 2 years): This did the trick for me, thanks a lot!