NikiforovAll/keycloak-authorization-services-dotnet

IDX20803: Unable to obtain configuration from: 'System.String'

Closed this issue · 6 comments

Hello,
I have a Keycloak configuration in my app, but when I try to get a response with Postman, I get this exception:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
---> System.IO.IOException: IDX20807: Unable to retrieve document from: 'System.String'. HttpResponseMessage: 'System.Net.Http.HttpResponseMessage', HttpResponseMessage.Content: 'System.String'.
at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
--- End of inner exception stack trace ---
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

HEADERS

Accept: */*
Accept-Encoding: gzip, deflate, br
Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.P5N---Ziqd650opBDrh_dYqs9Wo_lk-KwIONuj1stCE
Connection: keep-alive
Host: localhost:44338
User-Agent: PostmanRuntime/7.32.2
Postman-Token: c0540d96-dff7-4142-a2db-90ab6703e736


Postman connection.

VS Configuration.


Keycloak.json file.

Thanks if I get an answer to my question. :)

I encounter the same issue. The problem is most likely that .NET does not trust the certificate which is in use by Keycloak (but HTTP only is not an option to still make the frontend connection work). The exact (part of the) stack trace is:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'System.String'.
       ---> System.IO.IOException: IDX20804: Unable to retrieve document from: 'System.String'.
       ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
       ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

In my opinion, there are two options:

Does anyone have some more input on this? :)

// flennic

Update

It seems that the SDK of this library is actually not used by the .NET internal code for authentication. Therefore, it is not so easy to swap e.g. the HttpClient or message handler.

I ended up installing the certificate on the operating system which .NET looks at, then it worked.

// flennic

I have the same issue when running my ASP.NET application in a container - with Visual Studio everything works fine. I need to fix this or have a workaround, any tips?

I ran into the same problem too. In my case the problem was that I was using self-signed certificates. In the front end I was able to get past it by accepting the risk. For the backend that's not an option.

What helps to drill a bit further down into the somewhat cryptic error is adding this line in the startup code of your C# ASP.NET REST API:

IdentityModelEventSource.ShowPII = true;

You need to add a using

using Microsoft.IdentityModel.Logging;

If you then run your front app again and reproduce the problem, it will probably state that the backend is not able to resolve the known hosts from Keycloak. A bit further down the stack trace it will complain about being unable to validate the certificate.

What I did is use Keycloak over HTTP when running in development, and for production I now use a certificate generated with certbot via Let's Encrypt. If you run in Docker, make sure you are not using the URI to your Docker instance of Keycloak, but use the public URL to reach Keycloak. Otherwise dotnet will still complain that you are using the certificate with the wrong URL.

Hope this helps
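A preflight check for the failures discussed in this thread, added here as an example and not code from any commenter or from the library: it requests the discovery document that the JwtBearer handler loads and reports the TLS policy errors or HTTP failure behind IDX20803, while leaving certificate validation enforced. It assumes the authority URL is passed as the only argument and that it runs as a .NET 6+ console program.

```csharp
// Added example, not from the thread: fetch the OIDC discovery document the way
// JwtBearer does (authority + well-known path) and explain why it fails.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text.Json;
using System.Threading.Tasks;

// Assumption: args[0] is the same URL the API uses as JwtBearerOptions.Authority.
if (args.Length != 1) { Console.Error.WriteLine("usage: preflight <authority-url>"); return 2; }
var authority = args[0].TrimEnd('/');
var metadataAddress = authority + "/.well-known/openid-configuration";

using var handler = new HttpClientHandler
{
    ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
    {
        if (errors != SslPolicyErrors.None)
        {
            // Report why validation failed; the verdict itself is not overridden.
            Console.Error.WriteLine($"TLS policy errors: {errors}");
            Console.Error.WriteLine($"  requested host: {request.RequestUri?.Host}");
            Console.Error.WriteLine($"  cert DNS name : {cert?.GetNameInfo(X509NameType.DnsName, false)}");
            foreach (var s in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
                Console.Error.WriteLine($"  chain status  : {s.Status} {s.StatusInformation.Trim()}");
        }
        return errors == SslPolicyErrors.None; // untrusted certificates are still rejected
    }
};
using var client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(10) };

try
{
    var body = await client.GetStringAsync(metadataAddress); // throws on non-2xx status
    using var doc = JsonDocument.Parse(body);
    var issuer = doc.RootElement.GetProperty("issuer").GetString();
    Console.WriteLine($"issuer in document: {issuer}");
    if (!string.Equals(issuer, authority, StringComparison.Ordinal))
        Console.Error.WriteLine("note: issuer differs from the authority URL used here");
    return 0;
}
catch (Exception ex) when (ex is HttpRequestException or JsonException or KeyNotFoundException or TaskCanceledException)
{
    Console.Error.WriteLine($"cannot load {metadataAddress}: {ex.GetBaseException().Message}");
    return 1;
}
```

Run it from the same host or container as the API, since trust stores and name resolution differ between a developer machine and a container.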

Could you please try upgrading to v2.0.0 and see if the issue remains?

No input from OP