I'm trying to configure IdentityServer4 with docker but I cannot make it work. To get started, I took the Client Credential example of the identity server documentation: Protecting an API using Client Credentials

- IdentityServer: hosted on port 5000
- WebApi: hosted on port 5001

In the `Configure` method of the `Startup.cs` file of my WebApi I did the following (the problem is probably here):
```csharp
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
    Authority = "http://web:5000",
    RequireHttpsMetadata = false,
    ApiName = "api1"
});
```
And the client:

```csharp
// Everything is fine here...
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");

// This does not work
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:5001/identity");
```
The problem is probably in my WebApi:

1) If I set the authority to localhost:5000, I get an internal server error: "Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'", which makes sense since localhost:5000 is unknown in this container.

2) If I set the authority to http://web:5000 I get an authorization error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers", which also makes sense, but I don't know if it's possible to change the authority name. I also tried to set the `IssuerUri` in the IdentityServer project but it didn't help.
Network

Let's suppose you have two physical machines: C1 and C2. Each machine is a docker host.

- C1 runs the Auth container.
- C2 runs the WebApi container.

As you expose port 5000 in the Auth dockerfile, the address C1:5000 should be accessible from C2 and from the WebApi container itself. You could prefer IPs to DNS; it doesn't matter. Moreover, you should be able to make a successful GET request to http://C1:5000/.well-known/openid-configuration to be sure.

There are a lot of network issues you could face to achieve that. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?
Issuer validation

> Issuer validation failed

Your client's authority URL differs from the Auth hostname. By default, the authority URL should be equal to the `issuer` property value (this property is in the Identity Server autodiscovery document response). The `issuer` property value depends on your client's web request:

```text
GET http://127.0.0.1:6000/.well-known/openid-configuration -> "issuer": "http://127.0.0.1:6000"
GET http://localhost:6000/.well-known/openid-configuration -> "issuer": "localhost:6000"
```

Try to set `IssuerUri` to a constant for a dev environment:

```csharp
services.AddIdentityServer(x =>
{
    x.IssuerUri = "foo";
})
```

to achieve a constant `issuer` value. This allows calling Identity Server by any valid URL (using IP, machine name or DNS):

```text
GET http://anything/.well-known/openid-configuration -> "issuer": "foo"
```

`DiscoveryClient` also validates the `issuer` value. It's a simple equality comparison:

```csharp
public bool ValidateIssuerName(string issuer, string authority)
{
    return string.Equals(issuer, authority, StringComparison.Ordinal);
}
```

You could disable it by:

```csharp
DiscoveryClient.Policy.ValidateIssuerName = false;
```

FYI, the `IssuerUri` setting is not recommended for a production environment:

> IssuerUri: Set the issuer name that will appear in the discovery document and the issued JWT tokens. It is recommended to not set this property, which infers the issuer name from the host name that is used by the clients.
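As an added diagnostic example (not part of the question or the answer above, and not IdentityServer4 or IdentityModel code), the following Python script reproduces the two checks the answer describes so you can see which one trips in a Docker setup: the client-side `DiscoveryClient` rule (discovery `issuer` must equal the authority URL, compared ordinally) and the API-side rule (the token's `iss` claim must equal the issuer the API learned from its own discovery fetch). The script name `diagnose.py`, the `diagnose` function and the unsigned sample token are assumptions constructed for the demo; the offline walk-through uses the question's own values (API authority `http://web:5000`, token obtained via `http://localhost:5000`). Run it from inside the WebApi container with a real authority and access token so the hostname resolves the way it does for the API.

```python
# diagnose.py - constructed example, not from the question, the answer or IdentityServer4.
# Reproduces the issuer/authority checks that fail when IdentityServer runs in Docker.
import base64
import json
import sys
import urllib.request

DISCOVERY_PATH = "/.well-known/openid-configuration"


def fetch_discovery(authority: str) -> dict:
    """GET the discovery document from the authority URL the API is configured with.
    Run from inside the WebApi container, so 'web' resolves the same way it does for the API."""
    with urllib.request.urlopen(authority.rstrip("/") + DISCOVERY_PATH, timeout=5) as resp:
        return json.load(resp)


def validate_issuer_name(issuer: str, authority: str) -> bool:
    """Client-side rule used by DiscoveryClient: plain ordinal string equality,
    so 'http://web:5000' and 'http://web:5000/' already count as different."""
    return issuer == authority


def jwt_issuer(token: str) -> str:
    """Read the 'iss' claim from a JWT payload WITHOUT verifying the signature.
    Diagnostic helper only; never use this to decide whether to trust a token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))["iss"]


def diagnose(authority: str, discovery: dict, access_token: str) -> list:
    """Return a list of mismatches; an empty list means both checks would pass."""
    findings = []
    disco_issuer = discovery.get("issuer", "")
    if not validate_issuer_name(disco_issuer, authority):
        findings.append(
            f"discovery issuer {disco_issuer!r} != authority {authority!r}: "
            "DiscoveryClient rejects this unless Policy.ValidateIssuerName is false")
    token_issuer = jwt_issuer(access_token)
    if token_issuer != disco_issuer:
        findings.append(
            f"token iss {token_issuer!r} != issuer the API learned {disco_issuer!r}: "
            "the API's bearer validation fails with 'Issuer validation failed'")
    return findings


def make_unsigned_token(issuer: str) -> str:
    """Constructed sample: an unsigned JWT carrying only an 'iss' claim, for the offline demo."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'iss': issuer})}."


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python diagnose.py http://web:5000 <access_token>
        authority, token = sys.argv[1], sys.argv[2]
        discovery = fetch_discovery(authority)
    else:
        # Offline walk-through of the question's setup with constructed data:
        # the client got its token via http://localhost:5000, so IdentityServer inferred
        # that host as the issuer, while the API fetched discovery via http://web:5000.
        authority = "http://web:5000"
        discovery = {"issuer": "http://web:5000"}
        token = make_unsigned_token("http://localhost:5000")
    problems = diagnose(authority, discovery, token)
    for finding in problems:
        print("MISMATCH:", finding)
    if not problems:
        print("OK: issuer, authority and token iss all agree")
```

With the question's values the script reports only the second mismatch, which is exactly the `Issuer validation failed` error in the question. With a constant `IssuerUri` such as `"foo"`, the token and discovery issuer agree and only the first check trips, which is why the answer pairs that setting with `DiscoveryClient.Policy.ValidateIssuerName = false` on the client.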