Login/Register
How to disable ssl certificate validation upon OpenId connect in .Net Core 3.1?
Asked Answered
Solved asp.net-coresslcertificateopenidopenid-connect
M

1

10

I'm trying to connect in a development environment to a open id authority with it's ip address. Obviously in this scenario the ssl validation will fail. I'd like to bypass it, without any luck so far. I've found the following answers regarding this topic:

  • Setting the RequireHttpsMetadata to false in the OpenIdConnectOptions class.
  • Using the code below:

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

When my app tries to access the oidc authority I recieve the same error:

An unhandled exception occurred while processing the request. AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)

Merrill answered 20/7, 2020 at 7:25 Comment(1)
There is no way to disable the ssl validation, the ssl handshake is always there.I suggest you could extract the server ssl certificate and install it on develop environment.Mulvaney
N
26

Warning: only use this during development. You need a custom certificate validation routine for your production platform if appropriate.

You might have overridden the wrong HttpClientHandler. Back-channel HttpClient for OpenId Connect can be overridden here:

services
    .AddAuthentication(options =>
    {
        ...
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        ...
        HttpClientHandler handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        options.BackchannelHttpHandler = handler;
    });
Noemi answered 23/7, 2020 at 11:30 Comment(1)
This turned to be accurate. Please accept it as such to boost confidence in it.Prudy

© 2022 - 2024 — McMap. All rights reserved.