Error IDX10803: Unable to obtain configuration from /.well-known/openid-configuration when using Bearer authentication and hostnames in IIS

I am running into an issue where the .well-known/openid-configuration cannot be reached via my IIS server while my app is running and therefore my UserInfo controller code is not getting hit. This issue only happens when using hostnames in IIS and not when I use IP addresses for my URLs. I am not sure if this is specifically a problem with OpenIddict and the fact that I have both my Web API and Auth Server all running in one project, or if it is a problem with the JWT Bearer code that does the validation or both.

In searching for an answer to this issue, one thing I found was a similar problem with the IdentityServer library when running the web api and auth server all in one process. They provide a setting for that: DelayLoadMetaData as explained here: https://identityserver.github.io/Documentation/docsv2/consuming/options.html

DelayLoadMetadata tells the middleware to not load the metadata at application startup time, but on the first incoming request (defaults to false). This is useful when the discovery endpoint is not available at startup time - e.g. when the consumer is hosted in the same process as the token service.

I am wondering if this possibly could be the same issue that I am getting although I am using OpenIddict.

Here is the full explanation of what I am running into:

I have a Javascript SPA that uses access tokens to talk to a backend API / Auth server. I’m using OpenIddict and JWT Bearer authentication on our combined API / Authorization server. We are using the Implicit flow.

For the time being, I am not using SSL - all requests are just http.

Everything has been configured and works correctly on my dev machine. When I publish these 2 sites to IIS everything still works fine when using an IP addresses for the 2 websites that are set up (there is 1 website for the Javascript SPA, and 1 website for the API / Auth server).

So basically I have 2 websites at the same IP address running on 2 different ports:

1) SPA 192.168.1.50:3000

2) AuthServer 192.168.1.50:5959

Now I want to enable hostnames for these sites. I now have edited the IIS bindings in order to bind these 2 sites to a host name like so:

1) SPA app.mycompany:3000

2) AuthServer app.mycompany:5959

When I do this, I am getting a message about not being able to access the .well-known/openid-configuration endpoint and am getting a JWT Bearer exception when trying to hit the UserInfo endpoint.

I can hit my SPA, get redirected to the Auth Server’s login page and then successfully login. By looking at the web requests in Fiddler I see that I can hit the authorize end point and now have an access_token. As soon as the discovery step happens though things break.
The discovery end point can’t be found and then immediately after that the userinfo endpoint is prevented from being hit because the bearer authentication fails.

By examining my logs I can see that JWT Bearer token fails to validate on the the UserInfo endpoint.

When this discovery endpoint is requested: app.mycompany:5959/.well-known/openid-configuration

This is the error message I am getting: IDX10803: Unable to obtain configuration from: 'http://app.mycompany.com:5959/.well-known/openid-configuration

And in my logs this is what I’m seeing at the point where the UserInfo controller is requested:

2017-11-09 14:12:35.7510|1|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request starting HTTP/1.1 OPTIONS http://app.mycompany:5959/connect/userinfo 2017-11-09 14:12:35.7510|1|DEBUG|Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware|OPTIONS requests are not supported 2017-11-09 14:12:35.7510|1|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request is a preflight request. 2017-11-09 14:12:35.7510|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'. 2017-11-09 14:12:35.7510|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful. 2017-11-09 14:12:35.7510|9|DEBUG|Microsoft.AspNetCore.Server.Kestrel|Connection id "0HL97NQJHQ576" completed keep alive response. 2017-11-09 14:12:35.7510|2|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request finished in 6.2953ms 204 2017-11-09 14:12:35.7510|1|INFO|Microsoft.AspNetCore.Hosting.Internal.WebHost|Request starting HTTP/1.1 GET http://app.mycompany:5959/connect/userinfo 2017-11-09 14:12:35.7510|4|DEBUG|Microsoft.AspNetCore.StaticFiles.StaticFileMiddleware|The request path /connect/userinfo does not match a supported file type 2017-11-09 14:12:35.7510|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'. 2017-11-09 14:12:35.7510|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful. 2017-11-09 14:12:35.7510|0|DEBUG|OpenIddict.OpenIddictHandler|The default userinfo request handling was skipped from user code. 2017-11-09 14:12:35.7664|9|DEBUG|Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler|AuthenticationScheme: Identity.Application was not authenticated. 2017-11-09 14:12:35.7664|1|DEBUG|Microsoft.AspNetCore.Routing.Tree.TreeRouter|Request successfully matched the route with name '(null)' and template 'connect/userinfo'. 2017-11-09 14:12:35.7664|1|DEBUG|Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker|Executing action ApiAuthServer.Controllers.UserinfoController.Userinfo (ApiAuthServer) 2017-11-09 14:12:35.7664|2|DEBUG|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|The request has an origin header: 'http://app.mycompany:3000'. 2017-11-09 14:12:35.7664|4|INFO|Microsoft.AspNetCore.Cors.Infrastructure.CorsService|Policy execution successful. 2017-11-09 14:12:35.7664|3|ERROR|Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler|Exception occurred while processing message. IDX10803: Unable to obtain configuration from: ‘http://app.mycompany:5959/.well-known/openid-configuration’.

If I navigate directly to app.mycompany:5959/.well-known/openid-configuration from outside the server in a browser, I can hit that discovery endpoint and see the json data. It works.

But if I try to access that endpoint from within the IIS server I get the same error message. I can’t seem to access that on the IIS box. But if I remove the host name binding and go back to IP addresses, I can successfully hit the discovery endpoint even on the IIS box and the app works fine.

So I am really at a loss of what the problem is. Not sure if there is some IIS setting I need to tweak, or if this is a bug in the JWT Bearer middleware or if it is something to do with OpenIddict.

Has anyone else run into this issue using OpenIddict?