Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

.NET Core JWTBearer skip self-signed certificate validation for local communication with identity server

Tags:

.net-core

asp.net-core-webapi

identityserver4

I have two API projects, one that's based on the .NET Framework 4.6.2 (an old API) and one that's based on .NET Core 2.0. The old API can disable self-signed certificate validation quite simply:

System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

However this code does not work in .NET Core (even though it compiles fine), and it is causing me issues when the API tries to communicate (specifically when it tries to get the discovery document from the identity server, which is behind a reverse proxy which, in this environment, has a self-signed certificate that it uses for https). I've seen similar questions on StackOverflow but all the answers have to do with how the HttpClient is created. The issue for me is that I have no control over how the HttpClient is created (the token validation is middleware and I don't see any way to control how it's creating the HttpClient), so I'm wondering if there is a global way in .NET Core to skip self-signed certificate validation?

EDIT: my issue seems closely related to this issue, however I have taken the self-signed certificated and loaded it into the trusted root of both the container (where the api is running) and my local machine (where the container is running) and I still get the certificate validation errors.

like image 261
riqitang Avatar asked Jan 31 '18 20:01

riqitang

1 Answers

I should have looked more closely at the JwtBearerOptions, turns out I could set options.BackchannelHttpHandler, e.g.: options.BackchannelHttpHandler = new HttpClientHandler { ServerCertificateCustomValidationCallback = delegate { return true; } }; -- now it works as expected.

EDIT: although it is possible to skip certificate validation in .NET Core, I eventually abandoned this approach because it became too cumbersome to find all the components that had an HttpClient and to modify the HttpClient to skip cert validation. The approach I eventually went with was to create a CA using easy-rsa and then to generate certs signed by the CA. Then the only step is to import the CA cert into the containers and they'll trust the other certs. It may sound like a lot but the easy-rsa command interface is fairly straight-forward and it really doesn't end up being that much effort.

like image 155
riqitang Avatar answered Oct 12 '22 07:10

riqitang
Sign in to Comment

Related questions

Referencing mscorlib 4.0.0.0 from .NET Core 1.0 class library
Authorization Policy With Multiple Claims
Pros and cons of Microsoft.AspNetCore.All metapackage [closed]
Docker File - Skipping Project. Because it was not found
Azure function app deploy and release pipeline error
No executable found matching command "dotnet-watch"
C# Dependency Injection Runtime (dynamic) registration
MySQLNumberTypeMapping' does not support value conversions
Two calls on Post request: with http 204 and 200
Create docx word document web api .net core 2.0
Using Dynamics CRM SDK with .NET Core
"The response ended prematurely" when connecting to insecure gRPC channel
.NET core Pass Commandline Args to Startup.cs from Program.cs
.NET Core how to unit test service?
Getting nested properties with System.Text.Json
Unable to publish binaries in .net core
hosting.json available options
ASP.NET Core 3.1 : Shared Localization not working for version 3.1
A non-collectible assembly may not reference a collectible assembly
Travis-CI build failure "The type or namespace name 'Extensions' does not exist in the namespace"

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!