Tags: c#, asp.net-web-api, fiddler, identityserver4, openid-connect

IdentityServer 4, trying to capture traffic with fiddler?


Console application trying to get discovery

var disco = await DiscoveryClient.GetAsync("http://localhost:5000");

Works fine; however, I'm trying to figure out how this thing works and I can't seem to capture the HTTP traffic.

If I use http://localhost.fiddler to redirect to the local proxy, it errors with:

Error connecting to localhost.fiddler:5000/.well-known/openid-configuration: HTTPS required (it's not setup with HTTPS, the error msg is misleading!)

Strangely, later in the code, when we try to authenticate to the Web API with

var response = await client.GetAsync("http://localhost.fiddler:5001/identity");

localhost.fiddler works fine. Now, this is running in the same console app, in Program.cs, so the same file. This is driving me potty: why on earth can't I capture traffic going to 5000? It's HTTP!!! So what mysteries are causing this? Is there another way to view the magic HTTP traffic going to and from IdentityServer?

Added Startup class

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // configure identity server with in-memory stores, keys, clients and scopes
        services.AddIdentityServer()
            .AddDeveloperSigningCredential()
            .AddInMemoryApiResources(Config.GetApiResources())
            .AddInMemoryClients(Config.GetClients())
            .AddTestUsers(Config.GetUsers());
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
        }

        app.UseIdentityServer();
    }
}

Added blog; will update it and credit if we can resolve this.


Solution

  • As you correctly figured out, you need to use, for example, http://localhost.fiddler to route localhost traffic through Fiddler. However, calling DiscoveryClient.GetAsync uses a DiscoveryClient with the default policy. That default policy has the following settings that matter in this case:

    • RequireHttps = true
    • AllowHttpOnLoopback = true

    So it requires HTTPS unless you query a loopback address. How does it know what a loopback address is? There is a DiscoveryPolicy.LoopbackAddresses property. By default it contains:

    • "localhost"
    • "127.0.0.1"

    For that reason you get the "HTTPS required" error: "localhost.fiddler" is not considered a loopback address, and the default policy requires HTTPS for non-loopback addresses.

    So to fix it, you need to either set RequireHttps to false, or add "localhost.fiddler" to the loopback address list:

    var discoClient = new DiscoveryClient("http://localhost.fiddler:5000");
    discoClient.Policy.LoopbackAddresses.Add("localhost.fiddler");
    //discoClient.Policy.RequireHttps = false;
    var disco = await discoClient.GetAsync();


    If you do this, you will see the discovery request in Fiddler; however, it will fail (the response will contain an error), because the server will report the authority as "http://localhost:5000" while you query "http://localhost.fiddler:5000". So you also need to override the authority in your policy:

    var discoClient = new DiscoveryClient("http://localhost.fiddler:5000");
    discoClient.Policy.LoopbackAddresses.Add("localhost.fiddler");
    discoClient.Policy.Authority = "http://localhost:5000";
    var disco = await discoClient.GetAsync();

    Now it will work as expected.
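The two checks the answer walks through (HTTPS unless the host is a listed loopback address, then issuer must match the authority) modelled in Python as an added example; this is a constructed illustration of the rules described above, not IdentityModel's own code, and the issuer value "http://localhost:5000" is taken from the answer's description of what the server reports.

```python
from dataclasses import dataclass, field
from typing import Optional, Set
from urllib.parse import urlparse


@dataclass
class DiscoveryPolicy:
    """Mirror of the policy settings named in the answer (defaults as stated there)."""
    require_https: bool = True
    allow_http_on_loopback: bool = True
    loopback_addresses: Set[str] = field(
        default_factory=lambda: {"localhost", "127.0.0.1"})
    # When set, this replaces the queried address in the issuer comparison.
    authority: Optional[str] = None


def check_address(address: str, policy: DiscoveryPolicy) -> Optional[str]:
    """First check: is plain HTTP acceptable for this address under the policy?"""
    url = urlparse(address)
    if url.scheme == "https" or not policy.require_https:
        return None
    # Only hosts explicitly listed as loopback may be queried over HTTP.
    if policy.allow_http_on_loopback and url.hostname in policy.loopback_addresses:
        return None
    return "HTTPS required"


def check_issuer(address: str, issuer: str, policy: DiscoveryPolicy) -> Optional[str]:
    """Second check: the issuer the server reports must match the expected authority."""
    expected = (policy.authority or address).rstrip("/").lower()
    if issuer.rstrip("/").lower() != expected:
        return f"Issuer name does not match authority: {issuer}"
    return None


def validate_discovery(address: str, issuer: str, policy: DiscoveryPolicy) -> Optional[str]:
    """Return the first policy error, or None when the discovery result is accepted."""
    return check_address(address, policy) or check_issuer(address, issuer, policy)


if __name__ == "__main__":
    # Constructed scenario: server reports this issuer regardless of the alias used.
    issuer = "http://localhost:5000"
    print(validate_discovery("http://localhost.fiddler:5000", issuer, DiscoveryPolicy()))
    fixed = DiscoveryPolicy(authority="http://localhost:5000")
    fixed.loopback_addresses.add("localhost.fiddler")
    print(validate_discovery("http://localhost.fiddler:5000", issuer, fixed))
```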