Tags: c#, asp.net-mvc, asp.net-core-mvc, identityserver4, windows-subsystem-for-linux

Problem with SSL while using WSL and IdentityServer4


I have developed a simple IdentityServer application with Entity Framework storage for user credentials, and a client app (ASP.NET Core MVC with OpenID Connect authentication). It worked properly on the local machine, but when I try to debug it on WSL with Ubuntu 20.04 installed I get the following error:

AuthenticationException: The remote certificate is invalid according to the validation procedure.

I simply use WSL as a debug target in Visual Studio. I installed .NET on the WSL machine, generated the developer certificates, and simply ran the 2 projects simultaneously. Sorry, but I don't know what code I should provide to debug the problem. Here is my client configuration on the IdentityServer side:

new Client
{
    ClientId = "mvc_client",
    ClientSecrets = { new Secret("mvc_client_secret".ToSha256()) },
    AllowedGrantTypes = GrantTypes.Code,
    RequireConsent = false,
    AllowedScopes =
    {
        "dummy_api",
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile
    },
    RedirectUris = { "https://localhost:5000/signin-oidc" }
},

And the OpenID Connect setup on the client side:

services.AddAuthentication(config =>
{
    config.DefaultScheme = "Cookie";
    config.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookie")
.AddOpenIdConnect("oidc", config =>
{
    config.Authority = "https://localhost:5001/";
    //config.Authority = "http://192.168.1.11:5004/";

    //config.RequireHttpsMetadata = false;
    config.ClientId = "mvc_client";
    config.ClientSecret = "mvc_client_secret";
    config.SaveTokens = true; // persist tokens in the cookie
    config.ResponseType = "code";
});

I am getting this error while trying to log in with the client app. If I just log in to IdentityServer directly, everything works.


Solution

  • If you can access the OIDC configuration address (in your case it should be https://localhost:5001/.well-known/openid-configuration) in Postman or your browser and you are just testing, you can set the BackchannelHttpHandler to always return true on certificate validation. Also set SslProtocols to allow different versions. These should be avoided in a production environment for security reasons:

    // using System.Net.Http;                 // HttpClientHandler
    // using System.Security.Authentication;  // SslProtocols
    .
    .
    .AddOpenIdConnect("oidc", config =>
    {
        config.BackchannelHttpHandler = new HttpClientHandler
        {
            // Tls12 was listed twice in the original; each version once is enough.
            SslProtocols = SslProtocols.Tls11 | SslProtocols.Tls12 | SslProtocols.Tls13,
            // Accepts ANY certificate, including one presented by an attacker.
            ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true
        };
    });