"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"


Solution 1

We need to enable viewing of PII logs so we can see more details about the error: add the following line to ConfigureServices() in Startup.cs

using Microsoft.IdentityModel.Logging; // provides IdentityModelEventSource

public void ConfigureServices(IServiceCollection services)
{
    IdentityModelEventSource.ShowPII = true; // Add this line
    // ... remaining service registrations
}

Solution 2

In my case, this happened while I was developing an identity prototype with Identity Server in a localhost environment and my authority was configured incorrectly.

I was following an example from Identity Server 4. The issue was that the Quick Start example of Identity Server 4 contains 3 projects:

  • Identity Server, with endpoint https://localhost:5001
  • Api (called Resource Api or Consumer Api).
  • Client.

In the example that was provided, the Identity Server was set to https with endpoint https://localhost:5001. But the Authority in the Consumer Api was set to http://localhost:5000.

So when the client tries to connect to the Consumer Api, it gets the http://localhost:5000 address and tries to look at http://localhost:5000/.well-known/openid-configuration, and this does not exist. It exists only on https://localhost:5001/.well-known/openid-configuration.

So far so good.

The solution is to ensure you are using the same endpoint of the identity server on your consumer authority:

options.Authority = "https://localhost:5001";
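An added diagnostic, not code from any of the answers above: it performs the same discovery-document fetch that the JwtBearer handler does on the first request, so a wrong Authority (Solution 2) or a TLS failure reproduces here with the real URL in the message instead of '[PII is hidden]' (Solution 1). The class name AuthorityCheck and the default authority value are assumptions; it needs the Microsoft.IdentityModel.Protocols.OpenIdConnect package.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Protocols;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Hypothetical helper (not from the answers): verifies that the configured
// Authority actually serves a discovery document that the API can trust.
public static class AuthorityCheck
{
    // Returns true when the discovery document loads, its issuer matches the
    // configured authority and it exposes at least one signing key.
    public static async Task<bool> VerifyAsync(string authority)
    {
        // Same switch as Solution 1: reveal the metadata address in exceptions.
        IdentityModelEventSource.ShowPII = true;

        // JwtBearer appends this well-known path to options.Authority.
        var metadataAddress = authority.TrimEnd('/') + "/.well-known/openid-configuration";
        var manager = new ConfigurationManager<OpenIdConnectConfiguration>(
            metadataAddress,
            new OpenIdConnectConfigurationRetriever(),
            new HttpDocumentRetriever { RequireHttps = authority.StartsWith("https://") });

        try
        {
            var config = await manager.GetConfigurationAsync(CancellationToken.None);
            Console.WriteLine($"issuer : {config.Issuer}");
            Console.WriteLine($"jwks   : {config.JwksUri}");
            Console.WriteLine($"keys   : {config.SigningKeys.Count}");

            // Mismatch here is the http://localhost:5000 vs https://localhost:5001
            // case from Solution 2 (B2C, Solution 4, intentionally uses a different issuer).
            bool issuerMatches = string.Equals(config.Issuer.TrimEnd('/'), authority.TrimEnd('/'),
                                               StringComparison.OrdinalIgnoreCase);
            if (!issuerMatches) Console.WriteLine("issuer does not match the configured Authority");
            return issuerMatches && config.SigningKeys.Count > 0;
        }
        catch (Exception ex)
        {
            // Walk inner exceptions: connection refused (wrong port) or a TLS
            // handshake failure (untrusted dev cert, old protocol) surfaces here.
            for (var e = ex; e != null; e = e.InnerException)
                Console.WriteLine($"{e.GetType().Name}: {e.Message}");
            return false;
        }
    }

    public static Task Main(string[] args) =>
        VerifyAsync(args.Length > 0 ? args[0] : "https://localhost:5001");
}
```

Run it with the exact value you put in options.Authority; if it returns false, the API's JwtBearer handler will fail the same way.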

Solution 3

If anyone is experiencing this during development, I was able to solve this by clearing my developer certs then recreating them.

dotnet dev-certs https --clean
dotnet dev-certs https --trust

Solution 4

If this is related to a Visual Studio Web Application project using the "Connect to an existing store in the cloud" AKA "Azure Active Directory B2C" option, the proposed config is not good.

It is also necessary to change the user flow used in Azure, as mentioned in the following article: https://github.com/AzureAD/microsoft-identity-web/wiki/Azure-AD-B2C-issuer-claim-support

Change

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{clientId}",
  "Domain": "{tenant}.b2clogin.com",
  "SignUpSignInPolicyId": "{policy}"
}

To

"AzureAdB2C": {
  "Instance": "https://{tenant}.b2clogin.com/",
  "ClientId": "{clientId}",
  "Domain": "{tenant}.onmicrosoft.com",
  "SignUpSignInPolicyId": "{policy}"
}

Solution 5

Enabling TLS 1.2 solved the issue.

using System.Net;

ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12; // use TLS 1.2 for outgoing requests
Author: Jane Senya

Updated on July 09, 2022

Comments

  • Jane Senya
    Jane Senya almost 2 years

    I've deployed my API and Client app on Docker, but for the life of me, the web app cannot call the API, I keep getting an exception.

    I added the following line suggested in other posts, but it did not work.

    IdentityModelEventSource.ShowPII = true;
    

    Exception:

    System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
    at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
    at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
    at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
    at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
    at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
    at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
    at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.InvokeCore(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    
  • Rajat
    Rajat over 4 years
    Same is mentioned in github.com/AzureAD/…
  • Narayana
    Narayana over 4 years
    Don't you need to drop /tfp also?
  • Shahar Shokrani
    Shahar Shokrani almost 4 years
    This line should be added in the Resource.API project (not in the IDP project); don't make the same mistake as I did :)
  • Haroun Hajem
    Haroun Hajem almost 4 years
    This "dotnet dev-certs https --trust" does not work on a Linux machine, or on an Azure VM
  • Jason White
    Jason White almost 4 years
    @HarounHajem I actually run Linux and it works fine on my machine. You might have to install the tool. nuget.org/packages/dotnet-dev-certs
  • markus s
    markus s over 3 years
    Thank you sir, this is still true, you spared me a lot of headaches.
  • Robert Tirta
    Robert Tirta over 3 years
    Wow, this is the answer that works for me! Thanks heaps
  • alcaprar
    alcaprar over 3 years
    Where did you add this?
  • Gone Coding
    Gone Coding over 3 years
    Even after 4 decades of coding, still can't see the wood for the trees sometimes :) Thanks
  • Rajiv
    Rajiv about 3 years
    Can you share what authority URL you used?
  • Jose Ignacio Ochoa
    Jose Ignacio Ochoa about 3 years
    Well, we had an IdentityServer project so it was basically the URL of that project... The URL depended on whether it was deployed or it was just localhost:<port>
  • theonlygusti
    theonlygusti almost 3 years
    How can I find my Kestrel certificate when I am not using docker?
  • theonlygusti
    theonlygusti almost 3 years
    That doesn't exist (anymore?)
  • dexter
    dexter almost 3 years
    @alcaprar first line in ConfigureServices
  • Benxamin
    Benxamin over 2 years
    using Microsoft.IdentityModel.Logging; will provide the IdentityModelEventSource.
  • Jeremy Thompson
    Jeremy Thompson about 2 years
    So glad I saw this! Thanks!!
  • Juanma
    Juanma almost 2 years
    This did the trick for me, thanks a lot!