{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 做个烂人 的问题《Identity Server 4 and docker》','https://www.manongdao.com/q-295602.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm trying to configure IdentityServer4 with docker but I cannot make it work. To get started, I took the Client Credential example of the identity server documentation: Protecting an API using Client Credentials
IdentityServer
Hosted on port 5000
WebApi
Hosted on port 5001
In the Configure method of the Startup.cs file of my WebApi I did the following (the problem is probably here):
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
Authority = "http://web:5000",
RequireHttpsMetadata = false,
ApiName = "api1"
});
Client
And the client
// Everything is fine here...
var disco = await DiscoveryClient.GetAsync("http://localhost:5000");
var tokenClient = new TokenClient(disco.TokenEndpoint, "client", "secret");
var tokenResponse = await tokenClient.RequestClientCredentialsAsync("api");
// This does not work
var client = new HttpClient();
client.SetBearerToken(tokenResponse.AccessToken);
var response = await client.GetAsync("http://localhost:5001/identity");
The problem is probably in my WebApi:
1) If I set the authority to localhost:5000, I get an internal server error: "Unable to obtain configuration from: 'http://localhost:5000/.well-known/openid-configuration'" which makes sense since localhost:5000 is unknown in this container
2) If I set the authority to http://web:5000 I get an authorization error: "Issuer validation failed. Issuer: 'http://localhost:5000'. Did not match: validationParameters.ValidIssuer: 'http://web:5000' or validationParameters.ValidIssuers" which also makes sense but I don't know if it's possible to change the authority name? I also tried to set the IssuerUri in the IdentityServer project but it didn't help
Network
Let's suppose you have two physical machines: C1 and C2. Each machine is a docker host.
C1 runs Auth container.
C2 runs WebApi container.
As you expose port 5000 in Auth dockerfile, the address
C1:5000should be accessible from C2 and from WebApi container itself. You could prefer IPs to DNS, it doesn't matter. Moreover you should be able to make a successfull GET request tohttp://C1:5000/.well-known/openid-configurationto be sure.There are a lot of network issues you could face to achieve that. For example: What would prevent code running in a Docker container from connecting to a database on a separate server?
Issuer validation
Your client's authority URL differs from Auth hostname. By default, authority URL should be equal to
issuerproperty value (this property is in Identity Server autodiscovery document response).issuerproperty value depends on your client's web request:Try to set
IssuerUrito a constant for a dev environment:to achieve a constant
issuervalue. This allowes to call Identity Server by any valid URL (using IP, machine name or DNS):DiscoveryClientalso validatesissuervalue. It's a simple equality comparison:You could disable it by:
FYI,
IssuerUrisetting is not recommended for a production environment: