InvalidOperationException: The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.
Where do I set this?
I've tried in Startup.ConfigureServices()
    if (_hostingEnvironment.IsDevelopment())
        services.AddMvc(opts => opts.RequireHttpsPermanent = false);
Still receive the error. Also tried to put it in Web.Config just to let me debug locally.
    <RequireHttpsMetadata>false</RequireHttpsMetadata>
Neither works. I can't find any documentation from MS on where to set this!
I'm using jwt bearer authentication.
You need to set JwtBearerOptions.RequireHttpsMetadata to false in ConfigureServices, as @kirk Larkin has suggested above.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        }).AddJwtBearer(options =>
        {
            options.Authority = Configuration["Auth0:Authority"];
            options.Audience = Configuration["Auth0:Audience"];
            options.RequireHttpsMetadata = false;
        });
        services.AddMvc();
    }
options.Authority needs to be a secured connection. Omitting the protocol will default to http, so be sure to explicitly set this URL to https. RequireHttpsMetadata=false should only be used in development scenarios--so you should be checking the hosting env before setting this to false.
I thought I'd add some code to show how to define a check for whether the host environment is "Development" or not, which makes your code less prone to vulnerabilities since you won't have to change it before going into production. Hope this helps others searching for this issue as well.
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.AspNetCore.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;

    public class Startup
    {
        public IConfiguration Configuration { get; }
        // Same type as the constructor parameter, so the assignment below compiles.
        public IWebHostEnvironment HostEnvironment { get; }

        public Startup(IConfiguration configuration, IWebHostEnvironment hostEnvironment)
        {
            Configuration = configuration;
            HostEnvironment = hostEnvironment;
        }

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddMvc();
            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(opt =>
                {
                    opt.Audience = Configuration["AAD:ResourceId"];
                    opt.Authority = $"{Configuration["AAD:Instance"]}{Configuration["AAD:TenantId"]}";
                    if (HostEnvironment.IsDevelopment())
                    { // to make sure this is only used during development
                        opt.RequireHttpsMetadata = false;
                    }
                });
        }
        // rest omitted
    }
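An added example, not taken from any of the posts above: one way to combine the two points made in the answers (the authority should be an explicit https URL, and RequireHttpsMetadata should be relaxed only in Development) into a single startup check. `JwtMetadataGuard` and `ApplyAuthority` are hypothetical names, not ASP.NET Core APIs; the configuration key in the usage comment is the one from the first answer.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Hosting;

// Hypothetical helper, not part of ASP.NET Core or of the answers above.
public static class JwtMetadataGuard
{
    // Sets options.Authority and derives RequireHttpsMetadata from the
    // authority's scheme and the hosting environment, failing at startup
    // instead of silently running with plain-HTTP metadata.
    public static void ApplyAuthority(
        JwtBearerOptions options, string authority, IHostEnvironment env)
    {
        // Reject empty, relative or scheme-less values rather than guessing.
        if (!Uri.TryCreate(authority, UriKind.Absolute, out Uri uri))
        {
            throw new InvalidOperationException(
                "JWT authority must be an absolute URL that includes the scheme.");
        }

        bool isHttps = uri.Scheme == Uri.UriSchemeHttps;
        bool isHttp = uri.Scheme == Uri.UriSchemeHttp;
        if (!isHttps && !isHttp)
        {
            throw new InvalidOperationException(
                $"Unsupported JWT authority scheme '{uri.Scheme}'.");
        }

        // Plain HTTP is tolerated only in the Development environment.
        if (isHttp && !env.IsDevelopment())
        {
            throw new InvalidOperationException(
                $"JWT authority must use HTTPS in the '{env.EnvironmentName}' environment.");
        }

        options.Authority = authority;
        // Stays true whenever the authority is HTTPS, even in Development,
        // so the relaxation never applies to an endpoint that supports TLS.
        options.RequireHttpsMetadata = isHttps;
    }
}

// Usage inside ConfigureServices, with HostEnvironment injected through the
// Startup constructor:
//   .AddJwtBearer(opt => JwtMetadataGuard.ApplyAuthority(
//       opt, Configuration["Auth0:Authority"], HostEnvironment));
```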