I have an ASP.Net Core application configured to issue and authenticate JWT bearer tokens. Clients are able to successfully retrieve bearer tokens and authenticate with the token when the site is hosted in Kestrel.
I also have a suite of integration tests which use Microsoft.AspNetCore.TestHost.TestServer. Prior to adding authentication, the tests were able to successfully make requests against the application. After adding authentication, I started getting errors pertaining to accessing the OpenID configuration. The specific exception I'm seeing is this:

    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
          Request starting HTTP/1.1 GET http://
    fail: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[3]
          Exception occurred while processing message.
    System.InvalidOperationException: IDX10803: Unable to obtain configuration from: 'http://localhost/.well-known/openid-configuration'. ---> System.IO.IOException: IDX10804: Unable to retrieve document from: 'http://localhost/.well-known/openid-configuration'. ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 404 (Not Found).

Based on my research, this is sometimes triggered when the Authority is set to a different host than the hosting server. For instance, Kestrel runs at http://localhost:5000 by default, which is what I had my Authority set to initially, but upon setting it to what the TestServer is emulating (http://localhost), it still gives the same error. Here is my authentication configuration:

    app.UseJwtBearerAuthentication(new JwtBearerOptions
    {
        AutomaticAuthenticate = true,
        AutomaticChallenge = true,
        RequireHttpsMetadata = false,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidateAudience = true
        },
        Audience = "Anything",
        Authority = "http://localhost"
    });

What is odd is that attempting to hit the URL directly from the Integration test works fine:
So how do you configure the ASP.Net TestServer and OpenId Connect infrastructure to work together?
=== EDIT ====
In reflecting on this a bit, it occurred to me that the issue is that the JWT authorization internals are trying to make a request to http://localhost port 80, but they aren't trying to make the request using the TestServer and are therefore looking for a real server. Since there isn't one, it's never going to authenticate. It looks like the next step is to see if there is some way to turn off the Authority check or extend the infrastructure in some way to allow for it to use the TestServer as the host.
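
The idea in the edit above, as an added example that is not part of the original post: the JWT bearer middleware fetches the discovery document through its own backchannel HttpClient, so the test can point that backchannel at the in-memory TestServer through `JwtBearerOptions.BackchannelHttpHandler`. `TestBackchannel`, `JwtTestWiring`, `UseJwt` and `CreateServer` are hypothetical names; the sketch assumes the ASP.NET Core 1.x packages used in the question and that metadata is first fetched while handling a request, as in the log.

```csharp
using System.Net.Http;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical relay: Startup runs while the TestServer is still being built,
// so the real in-memory handler is attached afterwards via InnerHandler.
public sealed class TestBackchannel : DelegatingHandler { }

public static class JwtTestWiring
{
    // Call from Startup.Configure in place of the inline call in the question.
    public static void UseJwt(IApplicationBuilder app, SecurityKey signingKey)
    {
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            RequireHttpsMetadata = false,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = signingKey,
                ValidateAudience = true
            },
            Audience = "Anything",
            Authority = "http://localhost",
            // Null outside the tests, so the default HttpClientHandler is used there.
            BackchannelHttpHandler = app.ApplicationServices.GetService<TestBackchannel>()
        });
    }

    // Test-side factory: registers the relay, builds the server, then connects the two.
    public static TestServer CreateServer<TStartup>() where TStartup : class
    {
        var backchannel = new TestBackchannel();
        var builder = new WebHostBuilder()
            .ConfigureServices(services => services.AddSingleton(backchannel))
            .UseStartup<TStartup>();
        var server = new TestServer(builder);
        // Discovery requests to http://localhost/.well-known/... now stay in-process.
        backchannel.InnerHandler = server.CreateHandler();
        return server;
    }
}
```

Because the relay is only registered by the test factory, a production host resolves `null` and keeps its normal outbound metadata retrieval.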