"InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'"

C#, Docker, asp.net Core, Identityserver4

C# Problem Overview


I've deployed my API and Client app on Docker, but for the life of me, the web app cannot call the API, I keep getting an exception.

I added the following line suggested in other posts, but it did not work.

IdentityModelEventSource.ShowPII = true;

Exception:

System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII is hidden]'.
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.AuthenticateAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.InvokeCore(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)

C# Solutions


Solution 1 - C#

We need to enable viewing of PII logs so we can see more details about the error: add the following line in ConfigureServices() in Startup.cs

using Microsoft.IdentityModel.Logging;

public void ConfigureServices(IServiceCollection services)
{
    // Diagnostic switch: with ShowPII the real metadata URL (and other sensitive
    // values such as tokens and claims) appears in exception messages and logs,
    // so leave it on only while troubleshooting, not in production.
    IdentityModelEventSource.ShowPII = true; //Add this line
    // ... remaining service registrations
}

Solution 2 - C#

In my case, this happened while I was developing an identity prototype with Identity Server on a localhost environment and my authority was configured incorrectly.

I was following an example from Identity Server 4; the issue was that the Quick start example of Identity Server 4 contains 3 projects:

  • Identity Server, with endpoint https://localhost:5001
  • Api (called Resource Api or Consumer Api).
  • Client.

In the example that was provided, the Identity Server was set to https with endpoint https://localhost:5001. But the Authority in the Consumer Api was set to http://localhost:5000.

So when the client tries to connect to the Consumer Api, it gets the http://localhost:5000 address and tries to look at http://localhost:5000/.well-known/openid-configuration, and this does not exist. It exists only on https://localhost:5001/.well-known/openid-configuration.

So far so good.

The solution is to ensure you are using the same endpoint of the identity server in your consumer authority:

options.Authority = "https://localhost:5001";
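
The mismatch described in this answer, as an added example that is not part of the original question or answers: a small .NET preflight that derives the discovery URL from Authority the same way the JwtBearer handler does (Authority + "/" + ".well-known/openid-configuration"), fetches it, and checks that the document's issuer actually matches the configured Authority. It assumes .NET 6+ and only the base class library; the sample discovery document in Main is constructed to reproduce the http://localhost:5000 vs https://localhost:5001 case above.

```csharp
// Added example, not from the original page. Turns an IDX20803 into a readable
// reason before the app starts. Assumes .NET 6+ (System.Net.Http, System.Text.Json).
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

static class DiscoveryPreflight
{
    // Mirrors JwtBearerPostConfigureOptions: Authority + "/" + ".well-known/openid-configuration".
    public static string BuildMetadataAddress(string authority)
    {
        if (string.IsNullOrWhiteSpace(authority))
            throw new ArgumentException("Authority is not configured", nameof(authority));
        var a = authority.EndsWith("/") ? authority : authority + "/";
        return a + ".well-known/openid-configuration";
    }

    // Validates a discovery document against the configured authority.
    // Returns null when it is consistent, otherwise a human-readable problem.
    public static string? CheckDocument(string json, string authority)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        if (!root.TryGetProperty("issuer", out var issuerEl))
            return "document has no 'issuer' (is this really an OpenID Provider?)";
        if (!root.TryGetProperty("jwks_uri", out _))
            return "document has no 'jwks_uri'; tokens cannot be validated";

        var issuer = issuerEl.GetString() ?? "";
        // Token validation compares the JWT 'iss' claim with this issuer, so scheme,
        // host and port must match the Authority the consumer is configured with.
        if (!string.Equals(issuer.TrimEnd('/'), authority.TrimEnd('/'), StringComparison.OrdinalIgnoreCase))
            return $"issuer '{issuer}' does not match Authority '{authority}' (http vs https, host or port differ?)";
        if (!issuer.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            return $"issuer '{issuer}' is not https; JwtBearer only accepts it with RequireHttpsMetadata = false";
        return null;
    }

    public static async Task<string?> CheckAuthorityAsync(string authority, HttpClient http)
    {
        var url = BuildMetadataAddress(authority);
        try
        {
            using var resp = await http.GetAsync(url);
            if (!resp.IsSuccessStatusCode)
                return $"{url} returned HTTP {(int)resp.StatusCode}";
            return CheckDocument(await resp.Content.ReadAsStringAsync(), authority);
        }
        catch (HttpRequestException ex)
        {
            // Connection refused, DNS and TLS trust failures all surface here; this is
            // the detail IDX20803 hides while ShowPII is false.
            return $"cannot fetch {url}: {ex.Message}";
        }
    }

    static async Task Main(string[] args)
    {
        // Constructed sample: what https://localhost:5001 would publish.
        const string sampleDiscovery =
            @"{""issuer"":""https://localhost:5001"",""jwks_uri"":""https://localhost:5001/.well-known/openid-configuration/jwks""}";

        Console.WriteLine(BuildMetadataAddress("http://localhost:5000"));
        // Consumer configured with the wrong Authority: reports the issuer mismatch.
        Console.WriteLine(CheckDocument(sampleDiscovery, "http://localhost:5000") ?? "ok");
        // Consumer configured correctly: prints "ok".
        Console.WriteLine(CheckDocument(sampleDiscovery, "https://localhost:5001") ?? "ok");

        if (args.Length == 1) // optional live check: dotnet run -- https://localhost:5001
        {
            using var http = new HttpClient();
            Console.WriteLine(await CheckAuthorityAsync(args[0], http) ?? "ok");
        }
    }
}
```

Running the live check from inside the consumer's container (not from the host) is what matters, because name resolution and certificate trust differ between the two.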

Solution 3 - C#

If anyone is experiencing this during development, I was able to solve this by clearing my developer certs then recreating them.

dotnet dev-certs https --clean
dotnet dev-certs https --trust

Solution 4 - C#

If this is related to a Visual Studio Web Application project using the "Connect to an existing store in the cloud" AKA "Azure Active Directory B2C", the proposed config is not good.

It's also needed to change the used userflow in Azure as mentioned in the following article: https://github.com/AzureAD/microsoft-identity-web/wiki/Azure-AD-B2C-issuer-claim-support

Change

"AzureAdB2C": {
  "Instance": "https://login.microsoftonline.com/tfp",
  "ClientId": "{clientId}",
  "Domain": "{tenant}.b2clogin.com",
  "SignUpSignInPolicyId": "{policy}"
}

To

"AzureAdB2C": {
  "Instance": "https://{tenant}.b2clogin.com/",
  "ClientId": "{clientId}",
  "Domain": "{tenant}.onmicrosoft.com",
  "SignUpSignInPolicyId": "{policy}"
}

Solution 5 - C#

Enabling TLS 1.2 solved the issue

// .NET Framework: force TLS 1.2 for outgoing HTTPS requests process-wide
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

Solution 6 - C#

This error can also happen when the identity server is not running.

Solution 7 - C#

In .NET 6 add code after builder in Program.cs. Example:

using Microsoft.IdentityModel.Logging;

var builder = WebApplication.CreateBuilder(args);

IdentityModelEventSource.ShowPII = true;

For me the error was:

> System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://login.microsoftonline.com/<myAD>.onmicrosoft.com/B2C_1_signupsignin/v2.0/.well-known/openid-configuration'.

Solution here:

https://stackoverflow.com/a/70925127/3850405

Solution 8 - C#

The solution is quite tricky. I know this is an old issue but I had the exact same issue last week and I spent quite a lot of time solving it. This issue is because the Client app is not trusting the Kestrel certificate of the API app.

On the Dockerfile of the client application, you should add something like this in order to add the certificate used on the API application to the trusted CA of the client.

# Copy the API's certificate into the container's CA store (Debian/Ubuntu layout)
COPY ["API-KESTREL-CERTIFICATE.crt", "/usr/local/share/ca-certificates/"]
# Rebuild the CA bundle so OpenSSL/.NET in this container trust it
RUN update-ca-certificates

BIG NOTE HERE! (At least on a local environment) you should care about the domain of the API certificate. In my case (local environment) I had to create a multiple-domain certificate because the "localhost" of the API is not the same "localhost" as the client app, because they are running in different docker containers. That being said, for the Kestrel certificate of the API I followed this guide to create multiple-domain self-signed certificates https://www.rpkamp.com/2014/08/25/setting-up-a-multi-domain-self-signed-ssl-certificate/ and in the .cnf file, in the DNS section, I did something like this and it did the trick.

DNS.1 = localhost
DNS.2 = host.docker.internal

Finally, in the authority of the client application be sure of being addressing the proper domain and should be working.

I hope it helps!
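
An alternative to copying the certificate into the container's CA store, as an added example that is not part of the original answer: the consumer pins the API's Kestrel certificate on the JwtBearer back-channel (the HTTP client used for the discovery document and JWKS), and does so only in Development. It assumes Microsoft.AspNetCore.Authentication.JwtBearer on .NET 6+; the configuration keys Auth:Authority and Auth:PinnedSha256, the audience "api1" and the default authority URL are placeholders.

```csharp
// Added example, not from the original page. Program.cs of the consumer.
// Assumes .NET 6+ with the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration keys. The host in Auth:Authority must be one of the
// DNS names in the API certificate's SAN list (localhost or host.docker.internal in
// the answer above). Auth:PinnedSha256 is the leaf certificate's SHA-256 fingerprint,
// e.g. from: openssl x509 -noout -fingerprint -sha256 -in API-KESTREL-CERTIFICATE.crt
string authority = builder.Configuration["Auth:Authority"] ?? "https://host.docker.internal:5001";
string pinned = (builder.Configuration["Auth:PinnedSha256"] ?? "").Replace(":", "").ToUpperInvariant();

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = authority;
        options.Audience = "api1"; // hypothetical API resource name

        // Only in Development and only when a fingerprint is configured: the
        // back-channel accepts exactly the pinned certificate even when the
        // container's CA store does not trust it.
        if (builder.Environment.IsDevelopment() && pinned.Length == 64)
        {
            options.BackchannelHttpHandler = new HttpClientHandler
            {
                ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                {
                    if (errors == SslPolicyErrors.None) return true; // normal chain validation passed
                    if (cert is null) return false;
                    // The common shortcut here is `return true`, which disables TLS server
                    // authentication for the very keys used to validate tokens. Comparing
                    // against one expected fingerprint keeps that door shut.
                    string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
                    return string.Equals(actual, pinned, StringComparison.OrdinalIgnoreCase);
                }
            };
        }
        // Outside Development the default handler is used, so the certificate must
        // chain to a CA the container trusts (the COPY/update-ca-certificates approach).
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/ping", () => "pong").RequireAuthorization();
app.Run();
```

Because the pin is on the exact leaf certificate, a host-name mismatch between the SAN list and the Authority URL is tolerated by this handler; the Authority string itself still has to equal the issuer published in the discovery document, otherwise token validation fails on the iss claim.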

Solution 9 - C#

For me, I enabled IdentityModelEventSource.ShowPII and got to know that the well-known url was incorrect. This is a really helpful answer by @Mentor.

Solution 10 - C#

In my case I was using Azure AD Authentication and my internet was not connected, after connecting internet it started working again. PEACE

Solution 11 - C#

In Linux I tried all the proposed options and none worked; what I had to do was:

  1. generate a free Let's Encrypt certificate for the development domain,
  2. generate the pfx file and password using the Let's Encrypt files: openssl pkcs12 -export -out ca-bundle.pfx -inkey private-key.key -in ca-bundle.crt
  3. set up Kestrel to use those certificates and password, like the Microsoft examples,
  4. done
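
Steps 2 and 3 of this procedure done from .NET instead of with openssl, as an added example that is not part of the original answer: the PEM pair named above (ca-bundle.crt, private-key.key) is converted to a PFX with X509Certificate2.CreateFromPemFile and Export, and Kestrel is told to serve it. It assumes .NET 6+ and a hypothetical KESTREL_PFX_PASSWORD environment variable; the file names and port 5001 are taken from the answers on this page.

```csharp
// Added example, not from the original page. Program.cs of the identity server /
// API host. Assumes .NET 6+ and the PEM files in the working directory.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;

// The PFX password is never hard-coded; it comes from the environment (hypothetical name).
var password = Environment.GetEnvironmentVariable("KESTREL_PFX_PASSWORD")
    ?? throw new InvalidOperationException("KESTREL_PFX_PASSWORD is not set");

if (!File.Exists("ca-bundle.pfx"))
    CertSetup.ExportPfx("ca-bundle.crt", "private-key.key", "ca-bundle.pfx", password);

var serverCert = CertSetup.LoadPfx("ca-bundle.pfx", password);

var builder = WebApplication.CreateBuilder(args);
builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Consumers must use this host name in their Authority, and it must be one of
    // the names the certificate was issued for.
    kestrel.ListenAnyIP(5001, listen => listen.UseHttps(serverCert));
});

var app = builder.Build();
app.MapGet("/", () => "https is up");
app.Run();

static class CertSetup
{
    // Equivalent of:
    // openssl pkcs12 -export -out ca-bundle.pfx -inkey private-key.key -in ca-bundle.crt
    public static void ExportPfx(string certPem, string keyPem, string pfxPath, string password)
    {
        using var cert = X509Certificate2.CreateFromPemFile(certPem, keyPem);
        File.WriteAllBytes(pfxPath, cert.Export(X509ContentType.Pkcs12, password));
    }

    // Loads the PFX and refuses to start with a key-less or expired certificate,
    // which would otherwise surface on the consumer side as IDX20803.
    public static X509Certificate2 LoadPfx(string pfxPath, string password)
    {
        var cert = new X509Certificate2(pfxPath, password);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException($"{pfxPath} contains no private key");
        if (DateTime.UtcNow > cert.NotAfter.ToUniversalTime())
            throw new InvalidOperationException(
                $"certificate expired on {cert.NotAfter:u}; renew it (Let's Encrypt certificates are valid for 90 days)");
        return cert;
    }
}
```

Going through a PFX rather than passing the PEM-loaded certificate straight to UseHttps also sidesteps the Windows limitation that a certificate created from PEM carries an ephemeral key that SslStream cannot use.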

Solution 12 - C#

I was getting the same error and it turns out I forgot to add app.UseIdentityServer(); to Startup.cs. Adding this method to Configure() solved the issue for me.

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
       //other config
        app.UseIdentityServer();
    }

Solution 13 - C#

Just add the following configuration in your appsettings.json file:

  "Instance": "https://login.microsoftonline.com/"

Reference (Github): https://github.com/IdentityServer/IdentityServer4/issues/2337#issuecomment-458772667

Solution 14 - C#

I saw this error as a result of my hosts file being corrupted (Docker Desktop added a section but corrupted the original contents of the file). This meant that my instance of Identity Server was effectively not running.

Solution 15 - C#

If you are using a self-signed cert and imported it into Trusted Root, it may be automatically deleted by Microsoft CAPI2 and thus JWT validation fails. Either reimport your cert or add this entry in the registry:

Key: HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot
Name: DisableRootAutoUpdate
Value: 1
Type: REG_DWORD

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type     | Original Author     | Original Content on Stackoverflow
Question         | Jane Senya          | View Question on Stackoverflow
Solution 1 - C#  | Mentor              | View Answer on Stackoverflow
Solution 2 - C#  | Maytham Fahmi       | View Answer on Stackoverflow
Solution 3 - C#  | Jason White         | View Answer on Stackoverflow
Solution 4 - C#  | Juan Carlos Puerto  | View Answer on Stackoverflow
Solution 5 - C#  | Aypn                | View Answer on Stackoverflow
Solution 6 - C#  | Martin Staufcik     | View Answer on Stackoverflow
Solution 7 - C#  | Ogglas              | View Answer on Stackoverflow
Solution 8 - C#  | Jose Ignacio Ochoa  | View Answer on Stackoverflow
Solution 9 - C#  | Ashish Deora        | View Answer on Stackoverflow
Solution 10 - C# | MuhammadHaroon      | View Answer on Stackoverflow
Solution 11 - C# | montelof            | View Answer on Stackoverflow
Solution 12 - C# | Charlie             | View Answer on Stackoverflow
Solution 13 - C# | Willian             | View Answer on Stackoverflow
Solution 14 - C# | mft25               | View Answer on Stackoverflow
Solution 15 - C# | Joe Ng              | View Answer on Stackoverflow