.net core - OpenIddict Token Introspection Returns "active": false – Issuer Mismatch in Docker Environment? -

admin2025-04-20 0

I'm running an application in Docker with two services: an identity service (using OpenIddict to issue tokens) and an api service (using OpenIddict validation middleware). The services are defined in my Docker Compose files as follows:

docker-compose.yml

services:
  api:
    image: ${DOCKER_REGISTRY-}api
    networks:
      - documentmanagement
    build:
      context: .
      dockerfile: Api/Dockerfile

  identity:
    image: ${DOCKER_REGISTRY-}identity
    depends_on:
      - db
    build:
      context: .
      dockerfile: Identity/Dockerfile
    networks:
      - documentmanagement

networks:
  documentmanagement:
    name: documentmanagement

docker-compose.override.yml

services:
  api:
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_HTTP_PORTS=7002
      - ASPNETCORE_HTTPS_PORTS=7001
    ports:
      - "64589:7001"
      - "64590:7002"
    volumes:
      - ${APPDATA}/Microsoft/UserSecrets:/home/app/.microsoft/usersecrets:ro
      - ${APPDATA}/ASP.NET/Https:/home/app/.aspnet/https:ro

  identity:
    container_name: identity
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_HTTP_PORTS=7004
      - ASPNETCORE_HTTPS_PORTS=7003
    ports:
      - "64587:7003"
      - "64588:7004"
    volumes:
      - ${APPDATA}/Microsoft/UserSecrets:/home/app/.microsoft/usersecrets:ro
      - ${APPDATA}/ASP.NET/Https:/home/app/.aspnet/https:ro

Identity Service (OpenIddict Server Configuration)

public static void AddOpenIddictServices(this IServiceCollection services, IConfiguration configuration, IHostEnvironment env)
{
    services.AddOpenIddict()
        .AddCore(options =>
        {
            options.UseEntityFrameworkCore()
                   .UseDbContext<ApplicationDbContext>();
        })
        .AddServer(options =>
        {
            options
                .SetAuthorizationEndpointUris("connect/authorize")
                .SetLogoutEndpointUris("connect/logout")
                .SetTokenEndpointUris("connect/token")
                .SetIntrospectionEndpointUris("introspect")
                .SetUserinfoEndpointUris("connect/userinfo");

            options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);

            options.AllowAuthorizationCodeFlow()
                   .AllowImplicitFlow()
                   .AllowClientCredentialsFlow();

            options.AddDevelopmentSigningCertificate();
            options.AddDevelopmentEncryptionCertificate();

            options.UseAspNetCore()
                   .DisableTransportSecurityRequirement()
                   .EnableAuthorizationEndpointPassthrough()
                   .EnableTokenEndpointPassthrough()
                   .EnableUserinfoEndpointPassthrough()
                   .EnableLogoutEndpointPassthrough();
        })
        .AddValidation(options =>
        {
            options.UseLocalServer();
            options.UseAspNetCore();
        });
}

Client code

const oidcSettings: VueOidcSettings = {
  authority: "http://localhost:64588",
  scope: "openid profile email api1",
  client_id: "nirvana-cms-spa",
  client_secret: "FCAzGmhIsn3ZbGvpcIvjnstjBSIMW2KU",
  redirect_uri: origin + "/oidc-callback",
  post_logout_redirect_uri: origin + "/signout",
  response_type: "code",
  loadUserInfo: true,
  userStore: new WebStorageStateStore({
    prefix: "vue3-oidc",
    store: window.sessionStorage,
  }),
  automaticSilentRenew: true,
  monitorSession: true,
  silent_redirect_uri: location.origin + "/silent-renew.html",
  onSigninRedirectCallback(user) {
    location.href = unref(state).redirect_uri || "/";
  },
  onBeforeSigninRedirectCallback() {
    setRedirectUri(location.pathname + location.search);
  },
};

API Service (OpenIddict Validation Configuration)

builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        options.SetIssuer("http://identity:7004/");
        options.AddAudiences("resource_server_1");

        options.UseIntrospection()
               .SetClientId("resource_server_1")
               .SetClientSecret("846B62D0-DEF9-4215-A99D-86E6B8DAB342");

        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });

The Issue When I call protected API endpoints with a token issued by the identity service, I receive the following error in the API logs:

"error": "invalid_token",
"error_description": "The token was rejected by the remote authentication server.",

The logs indicate that the introspection endpoint is called, and the returned token introspection response is:

{ "active": false }

The log details show different URLs being used:

The identity service issues tokens with issuer "http://localhost:64588" (as per client configuration).
The API’s validation is set with issuer "http://identity:7004/".

It appears there is a mismatch between the issuer URL embedded in the token and the issuer expected by the API validation.

There is a mismatch between the issuer URL embedded in the token and the issuer expected by the API validation.

How should I configure the identity service's issuer so that both internal (Docker service names) and external (mapped ports) communications work correctly?

What is the recommended configuration for setting up OpenIddict in a Docker environment to avoid this token introspection error?

docker-compose.yml

services:
  api:
    image: ${DOCKER_REGISTRY-}api
    networks:
      - documentmanagement
    build:
      context: .
      dockerfile: Api/Dockerfile

  identity:
    image: ${DOCKER_REGISTRY-}identity
    depends_on:
      - db
    build:
      context: .
      dockerfile: Identity/Dockerfile
    networks:
      - documentmanagement

networks:
  documentmanagement:
    name: documentmanagement

docker-compose.override.yml

services:
  api:
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_HTTP_PORTS=7002
      - ASPNETCORE_HTTPS_PORTS=7001
    ports:
      - "64589:7001"
      - "64590:7002"
    volumes:
      - ${APPDATA}/Microsoft/UserSecrets:/home/app/.microsoft/usersecrets:ro
      - ${APPDATA}/ASP.NET/Https:/home/app/.aspnet/https:ro

  identity:
    container_name: identity
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_HTTP_PORTS=7004
      - ASPNETCORE_HTTPS_PORTS=7003
    ports:
      - "64587:7003"
      - "64588:7004"
    volumes:
      - ${APPDATA}/Microsoft/UserSecrets:/home/app/.microsoft/usersecrets:ro
      - ${APPDATA}/ASP.NET/Https:/home/app/.aspnet/https:ro

Identity Service (OpenIddict Server Configuration)

public static void AddOpenIddictServices(this IServiceCollection services, IConfiguration configuration, IHostEnvironment env)
{
    services.AddOpenIddict()
        .AddCore(options =>
        {
            options.UseEntityFrameworkCore()
                   .UseDbContext<ApplicationDbContext>();
        })
        .AddServer(options =>
        {
            options
                .SetAuthorizationEndpointUris("connect/authorize")
                .SetLogoutEndpointUris("connect/logout")
                .SetTokenEndpointUris("connect/token")
                .SetIntrospectionEndpointUris("introspect")
                .SetUserinfoEndpointUris("connect/userinfo");

            options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);

            options.AllowAuthorizationCodeFlow()
                   .AllowImplicitFlow()
                   .AllowClientCredentialsFlow();

            options.AddDevelopmentSigningCertificate();
            options.AddDevelopmentEncryptionCertificate();

            options.UseAspNetCore()
                   .DisableTransportSecurityRequirement()
                   .EnableAuthorizationEndpointPassthrough()
                   .EnableTokenEndpointPassthrough()
                   .EnableUserinfoEndpointPassthrough()
                   .EnableLogoutEndpointPassthrough();
        })
        .AddValidation(options =>
        {
            options.UseLocalServer();
            options.UseAspNetCore();
        });
}

Client code

const oidcSettings: VueOidcSettings = {
  authority: "http://localhost:64588",
  scope: "openid profile email api1",
  client_id: "nirvana-cms-spa",
  client_secret: "FCAzGmhIsn3ZbGvpcIvjnstjBSIMW2KU",
  redirect_uri: origin + "/oidc-callback",
  post_logout_redirect_uri: origin + "/signout",
  response_type: "code",
  loadUserInfo: true,
  userStore: new WebStorageStateStore({
    prefix: "vue3-oidc",
    store: window.sessionStorage,
  }),
  automaticSilentRenew: true,
  monitorSession: true,
  silent_redirect_uri: location.origin + "/silent-renew.html",
  onSigninRedirectCallback(user) {
    location.href = unref(state).redirect_uri || "/";
  },
  onBeforeSigninRedirectCallback() {
    setRedirectUri(location.pathname + location.search);
  },
};

API Service (OpenIddict Validation Configuration)

builder.Services.AddOpenIddict()
    .AddValidation(options =>
    {
        options.SetIssuer("http://identity:7004/");
        options.AddAudiences("resource_server_1");

        options.UseIntrospection()
               .SetClientId("resource_server_1")
               .SetClientSecret("846B62D0-DEF9-4215-A99D-86E6B8DAB342");

        options.UseSystemNetHttp();
        options.UseAspNetCore();
    });

The Issue When I call protected API endpoints with a token issued by the identity service, I receive the following error in the API logs:

"error": "invalid_token",
"error_description": "The token was rejected by the remote authentication server.",

The logs indicate that the introspection endpoint is called, and the returned token introspection response is:

{ "active": false }

The log details show different URLs being used:

The identity service issues tokens with issuer "http://localhost:64588" (as per client configuration).
The API’s validation is set with issuer "http://identity:7004/".

It appears there is a mismatch between the issuer URL embedded in the token and the issuer expected by the API validation.

There is a mismatch between the issuer URL embedded in the token and the issuer expected by the API validation.

How should I configure the identity service's issuer so that both internal (Docker service names) and external (mapped ports) communications work correctly?

What is the recommended configuration for setting up OpenIddict in a Docker environment to avoid this token introspection error?

Share Improve this question asked Mar 2 at 6:57 User_4373 2971 gold badge4 silver badges20 bronze badges

Perhaps my blog post here can give you some ideas nestenius.se/net/identityserver-in-docker-containers-part-1 – Tore Nestenius Commented Mar 3 at 20:09

Add a comment |

1 Answer 1

Sorted by: Reset to default 0

I am able to work this with some minor changes, I hope this doesn't cause another problem.

Since the Vue client is running outside the Docker network, it needs to access the identity service using http://localhost:64588.

I Changed the oidcSettings to match the external URL: authority: "http://localhost:64588"

Ensured the API Uses the Same Issuer Modify your API validation to match the issuer:

builder.Services.AddOpenIddict()
.AddValidation(options =>
{
    // Match the issuer with the one set in the Identity service
    options.SetIssuer("http://identity:7004/");
    
    options.AddAudiences("resource_server_1");

    options.UseIntrospection()
           .SetClientId("resource_server_1")
           .SetClientSecret("846B62D0-DEF9-4215-A99D-86E6B8DAB342");

    options.UseSystemNetHttp();
    options.UseAspNetCore();
});

Set the Issuer in the Identity Service

Modified the OpenIddict server configuration:

options.SetIssuer(new Uri("http://identity:7004/"));

Updated Identity Service Configuration:

public static void AddOpenIddictServices(this IServiceCollection services, IConfiguration configuration, IHostEnvironment env)
{
    services.AddOpenIddict()
        .AddCore(options =>
        {
            options.UseEntityFrameworkCore()
                   .UseDbContext<ApplicationDbContext>();
        })
        .AddServer(options =>
        {

            options.SetIssuer(new Uri("http://identity:7004/"))
                .SetAuthorizationEndpointUris("connect/authorize")
                .SetLogoutEndpointUris("connect/logout")
                .SetTokenEndpointUris("connect/token")
                .SetIntrospectionEndpointUris("introspect")
                .SetUserinfoEndpointUris("connect/userinfo");

            options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles);

            options.AllowAuthorizationCodeFlow()
                   .AllowImplicitFlow()
                   .AllowClientCredentialsFlow();

            options.AddDevelopmentSigningCertificate();
            options.AddDevelopmentEncryptionCertificate();

            options.UseAspNetCore()
                   .DisableTransportSecurityRequirement()
                   .EnableAuthorizationEndpointPassthrough()
                   .EnableTokenEndpointPassthrough()
                   .EnableUserinfoEndpointPassthrough()
                   .EnableLogoutEndpointPassthrough();
        })
        .AddValidation(options =>
        {
            options.UseLocalServer();
            options.UseAspNetCore();
        });
}

转载请注明原文地址:http://conceptsofalgorithm.com/Algorithm/1745128648a286578.html

最新回复(0)

.net core - OpenIddict Token Introspection Returns &quot;active&quot;: false – Issuer Mismatch in Docker Environment? -

docker-compose.yml

docker-compose.override.yml

Identity Service (OpenIddict Server Configuration)

Client code

API Service (OpenIddict Validation Configuration)

docker-compose.yml

docker-compose.override.yml

Identity Service (OpenIddict Server Configuration)

Client code

API Service (OpenIddict Validation Configuration)

1 Answer 1

Set the Issuer in the Identity Service

Updated Identity Service Configuration:

.net core - OpenIddict Token Introspection Returns "active": false – Issuer Mismatch in Docker Environment? -