OpenIddict multiple issuer problem using docker/k8s

[gterdem]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Version

3.x

Question

Hi @kevinchalet,

We have deployment scenarios for our AspNet Core MVC templates where the authentication is done through the browser and the token validation is done inside the internal docker/k8s network.

OpenIdConnect configuration:

.AddAbpOpenIdConnect("oidc", options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];

    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    options.Scope.Add("roles");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    options.Scope.Add("MvcEfCore");
});
/*
* This configuration is used when the AuthServer is running on docker containers at localhost.
* Configuring the redirection URLs for internal network and the web
*/
if (Convert.ToBoolean(configuration["AuthServer:IsContainerizedOnLocalhost"]))
{
    context.Services.Configure<OpenIdConnectOptions>("oidc", options =>
    {
        options.TokenValidationParameters.ValidIssuers = new[]
        {
            configuration["AuthServer:MetaAddress"].EnsureEndsWith('/'), 
            configuration["AuthServer:Authority"].EnsureEndsWith('/')
        };
        
        options.MetadataAddress = configuration["AuthServer:MetaAddress"].EnsureEndsWith('/') +
                                ".well-known/openid-configuration";

        var previousOnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            // Intercept the redirection so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"].EnsureEndsWith('/') + "connect/authorize";

            if (previousOnRedirectToIdentityProvider != null)
            {
                await previousOnRedirectToIdentityProvider(ctx);
            }
        };
        var previousOnRedirectToIdentityProviderForSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
        options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
        {
            // Intercept the redirection for signout so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"].EnsureEndsWith('/') + "connect/logout";

            if (previousOnRedirectToIdentityProviderForSignOut != null)
            {
                await previousOnRedirectToIdentityProviderForSignOut(ctx);
            }
        };
    });
}

Override configurations from docker-compose:

...
environment:
...
      - AuthServer__RequireHttpsMetadata=false
      - AuthServer__IsContainerizedOnLocalhost=true
      - AuthServer__Authority=https://localhost:44334/
      - AuthServer__MetaAddress=http://mvcefcore-authserver //the docker/k8s service name
...

After login, results with the error:

[20:24:03 ERR] Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088', status code '400'.
[20:24:03 ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
[20:24:03 INF] Error from RemoteAuthentication: Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088'..
[20:24:03 ERR] An unhandled exception has occurred while executing the request.
System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext()
--- End of stack trace from previous location ---

It seems like the token acquired from the http://mvcefcore-authserver issuer is not valid for the application?

I also thought it might be related to the lack of the permission for client_credentials but application also has that permission:

[ClientId]: MvcEfCore_Web
[ClientSecret]: AQAA**************
[ConsentType]: implicit
[Type]: confidential
[Permissions]: ["rst:code id_token","ept:logout","gt:authorization_code","rst:code","ept:authorization","ept:token","ept:revocation","ept:introspection","gt:implicit","rst:id_token","gt:client_credentials","scp:address","scp:email","scp:phone","scp:profile","scp:roles","scp:MvcEfCore"]

Let me know if any more information is required.

(Sponsorship via https://volosoft.com)

[kevinchalet]

Hey @gterdem,

Hope you and your team are doing well 😃

Here's what's likely happening:

• The configured authority/issuer in the OIDC client is the internal http://mvcefcore-authserver address but you manually override the location of the authorization endpoint to use the public address via the events model.

• When the user is redirected to the authorization endpoint, HttpRequest.Host contains the public address which is used as the iss claim stored in the authorization code created by the OpenIddict server stack.

• When the user is redirected back to the client application, the OIDC client has to redeem the authorization code and for that, it needs to communicate with the token endpoint of the authorization server. In this case, since you're not overriding the address to use the public address, it's accessed via the internal name that will be eventually returned by HttpRequest.Host. When OpenIddict validates the authorization code, it detects the iss claim doesn't match the expected value and returns the error you're seeing.

To confirm it, can you please add a tiny middleware logging the HttpRequest.Host value for all requests?

[gterdem]

Hey @kevinchalet,

Thanks for your kind wishes, I hope you are doing fine as well.

The MVC app http logs is as below:

[03:05:34 INF] Response:
StatusCode: 302
Location: https://localhost:44334/connect/authorize?client_id=MvcEfCore_Web&redirect_uri=https%3A%2F%2Flocalhost%3A44353%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20MvcEfCore&response_mode=form_post&nonce=638058063345507340.NTJjZTkxZmUtMjkzMi00ZGJiLWEyYjYtZGI4YmI2NDliMTZkYjNmZjliMDctNGM3MC00YzViLTliMTctYmVhZTgwZGI1NGQ0&state=CfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0
Set-Cookie: [Redacted]
X-Content-Type-Options: [Redacted]
X-XSS-Protection: [Redacted]
X-Frame-Options: [Redacted]
[03:05:34 INF] Request finished HTTP/2 GET https://localhost:44353/Account/Login - - - 302 0 - 537.5329ms
[03:05:41 INF] Request starting HTTP/2 POST https://localhost:44353/signin-oidc application/x-www-form-urlencoded 1539
[03:05:41 INF] Request:
Protocol: HTTP/2
Method: POST
Scheme: https
PathBase:
Path: /signin-oidc
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Host: localhost:44353
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
:method: [Redacted]
Accept-Encoding: gzip, deflate, br
Accept-Language: tr,en;q=0.9,en-GB;q=0.8,en-US;q=0.7
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Cookie: [Redacted]
Origin: [Redacted]
Referer: [Redacted]
Upgrade-Insecure-Requests: [Redacted]
Content-Length: 1539
sec-ch-ua: [Redacted]
sec-ch-ua-mobile: [Redacted]
sec-ch-ua-platform: [Redacted]
sec-fetch-site: [Redacted]
sec-fetch-mode: [Redacted]
sec-fetch-dest: [Redacted]
[03:05:41 ERR] Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088', status code '400'.
[03:05:41 ERR] Exception occurred while processing message.
Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
[03:05:41 INF] Error from RemoteAuthentication: Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088'..

Authentication Server logs:

[03:05:40 INF] Executed endpoint '/Account/Login'
[03:05:40 INF] Request finished HTTP/2 POST https://localhost:44334/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DMvcEfCore_Web%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44353%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520MvcEfCore%26response_mode%3Dform_post%26nonce%3D638058063345507340.NTJjZTkxZmUtMjkzMi00ZGJiLWEyYjYtZGI4YmI2NDliMTZkYjNmZjliMDctNGM3MC00YzViLTliMTctYmVhZTgwZGI1NGQ0%26state%3DCfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1%26x-client-SKU%3DID_NETSTANDARD2_0%26x-client-ver%3D6.10.0.0 application/x-www-form-urlencoded 291 - 302 0 - 905.7674ms
[03:05:40 INF] Request starting HTTP/2 GET https://localhost:44334/connect/authorize?client_id=MvcEfCore_Web&redirect_uri=https%3A%2F%2Flocalhost%3A44353%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20MvcEfCore&response_mode=form_post&nonce=638058063345507340.NTJjZTkxZmUtMjkzMi00ZGJiLWEyYjYtZGI4YmI2NDliMTZkYjNmZjliMDctNGM3MC00YzViLTliMTctYmVhZTgwZGI1NGQ0&state=CfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0 - -
[03:05:40 INF] The request address matched a server endpoint: Authorization.
[03:05:40 INF] The authorization request was successfully extracted: {
  "client_id": "MvcEfCore_Web",
  "redirect_uri": "https://localhost:44353/signin-oidc",
  "response_type": "code id_token",
  "scope": "openid profile roles email phone MvcEfCore",
  "response_mode": "form_post",
  "nonce": "638058063345507340.NTJjZTkxZmUtMjkzMi00ZGJiLWEyYjYtZGI4YmI2NDliMTZkYjNmZjliMDctNGM3MC00YzViLTliMTctYmVhZTgwZGI1NGQ0",
  "state": "CfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1",
  "x-client-SKU": "ID_NETSTANDARD2_0",
  "x-client-ver": "6.10.0.0"
}.
[03:05:40 INF] The authorization request was successfully validated.
[03:05:40 INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[03:05:40 INF] Route matched with {action = "Handle", controller = "Authorize", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.AuthorizeController (Volo.Abp.OpenIddict.AspNetCore).
[03:05:40 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[03:05:40 INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
[03:05:41 INF] The authorization response was successfully returned to 'https://localhost:44353/signin-oidc' using the form post response mode: {
  "code": "[redacted]",
  "id_token": "[redacted]",
  "state": "CfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1"
}.
[03:05:41 INF] Executed action Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 505.2438ms
[03:05:41 INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[03:05:41 INF] Request finished HTTP/2 GET https://localhost:44334/connect/authorize?client_id=MvcEfCore_Web&redirect_uri=https%3A%2F%2Flocalhost%3A44353%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20MvcEfCore&response_mode=form_post&nonce=638058063345507340.NTJjZTkxZmUtMjkzMi00ZGJiLWEyYjYtZGI4YmI2NDliMTZkYjNmZjliMDctNGM3MC00YzViLTliMTctYmVhZTgwZGI1NGQ0&state=CfDJ8DvTwEL9umJLhvcJVaP7pDGB3XSLdiVdVwZoSON3H8R9y-OyhvnDsGk-AyRaPqnaDoS2M1D0zNERr6l-TQcXAJR4XNhTXU2RsJtO3piJ634VHF4sNBGJOibmnkLDXOWr1v7un8-29rQPz8piqhjwjQJRBZySnFvND-RByGk4Mo8XZodtckJMjhj19pjnfo_YiLkb1g76A298oTKLQvvmj1QlnOVA2aj1Y6Xget_tmfwQATNGyXgk-z2DWA6XUh1O4cHEbjB4sqtxNglCPe6qrbVwvR_cu4tX3G_61hCTOvD1&x-client-SKU=ID_NETSTANDARD2_0&x-client-ver=6.10.0.0 - - - 200 1923 text/html;charset=UTF-8 530.2103ms
[03:05:41 INF] Request starting HTTP/1.1 POST http://mvcefcore-authserver/connect/token application/x-www-form-urlencoded 185
[03:05:41 INF] The request address matched a server endpoint: Token.
[03:05:41 INF] The token request was successfully extracted: {
  "client_id": "MvcEfCore_Web",
  "client_secret": "[redacted]",
  "code": "[redacted]",
  "grant_type": "authorization_code",
  "redirect_uri": "https://localhost:44353/signin-oidc"
}.
[03:05:41 INF] The response was successfully returned as a JSON document: {
  "error": "invalid_grant",
  "error_description": "The issuer associated to the specified token is not valid.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2088"
}.
[03:05:41 INF] Request finished HTTP/1.1 POST http://mvcefcore-authserver/connect/token application/x-www-form-urlencoded 185 - 400 184 application/json;charset=UTF-8 80.4205ms

You are correct, HttpRequest.Host is localhost:44353, the public address. But it is expected, isn't it? Otherwise, we'll have to add alias to the host file which we want to avoid.

If I override to use the public address for all the requests, all the interactions with the oidc provider (authentication server) will be done over the internet instead of the internal network (k8s/swarm etc), which is another case we want to avoid.

The common scenario for distributed system authentication deployment we try to provide is, authenticate over public address and leave all the interactions (like token validation) inside the internal network. In microservice scenarios, public address token validation is not an option since microservices are deployed internally.

I hope I was able to express our use cases.

And thank you.

[kevinchalet]

I hope I was able to express our use cases.

Your use cases are very clear, but we're hitting limitations of the OpenID Connect protocol, where an authorization server can only be represented by a single issuer (and when using discovery, the client MUST require that the returned issuer be the same as the address used to retrieve the configuration document: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationValidation, which complicates things even further).

You are correct, HttpRequest.Host is localhost:44353, the public address. But it is expected, isn't it? Otherwise, we'll have to add alias to the host file which we want to avoid.

The problem is not when HttpRequest.Host returns localhost:44353, it's when it returns mvcefcore-authserver, which is a unresolvable and unroutable host on the Internet and thus has no "meaning" outside your private infrastructure. Every ASP.NET Core component - not just OpenIddict, but tons of native ASP.NET Core components, like the cookies middleware or MVC - that relies on HttpRequest.Host to build absolute URIs will end up returning addresses that will be unusable on Internet each time HttpRequest.Host returns mvcefcore-authserver. In this specific case, OpenIddict sees two different values, which are eventually treated as if you had two different authorization servers.

It's essentially the same phenomenon as the one we see with reverse proxies, something we typically solve by using forwarded HTTP headers and ensuring the Host header is preserved between the reverse proxy and the internal HTTP server that will eventually handle the request. The procedure is described here: https://learn.microsoft.com/en-us/aspnet/core/host-and-deploy/proxy-load-balancer?view=aspnetcore-7.0

That said, I'm not sure you're using a reverse proxy in your scenario to forward requests to the Docker app, so a different approach might be needed. Here are some other options:

• Configure the ASP.NET Core OIDC middleware to use a fixed Host: localhost:44353 header when building backchannel HTTP requests so that the server always receives the same Host independently of the address used at the TCP/IP layer (should be doable via options.Backchannel.DefaultRequestHeaders.Host IIRC).

• Add a middleware in the server app that always sets HttpRequest.Host to the "public host" so that OpenIddict will use the same value as the issuer, whether the Host header sent by the client is localhost:44353 or mvcefcore-authserver.

• Configure OpenIddict to use a static issuer via OpenIddictServerBuilder.SetIssuer(...). It should solve the problem for your specific scenario, but any other ASP.NET Core component relying on HttpRequest.Host will still be affected.

It's definitely a complex topic, but I hope it helped a bit 😄

[kevinchalet]

@gterdem did that help?

[gterdem]

@gterdem did that help?

Sorry @kevinchalet, I’ll be testing it this weekend.

[kevinchalet]

@gterdem no problem. I just wanted to make sure no last minute change was needed before Monday's RTM release 😃

[kevinchalet]

Closing for now, but feel free to re-open if necessary 😃