Skip to main content

I'm trying to use my IAM as external OpenID authentication. I have an website that i need to secure access to. For that i want to use the Thinkwise IAM OpenID as authentication backend.

For testing purposes I created a new IAM database on the 2022.2 platform with the latest indicium (2022.2.12) in the Azure cloud.

In the OpenID -> OpenID clients i created a new record with olly the ClientID populated. In the Configuration tab are values for Redirects, Post logout redirects and Secrets.

When the Azure Web App that hosts the Indicium is restarted it fails to start with “HTTP Error 500.30 - ASP.NET Core app failed to start”.

In the Application Event Logs I see the error message “The process was terminated due to an unhandled exception.

Exception Info: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Indicium.Startup.getOrCreateCertificateFromStore(String certificateName) in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 1285
   at Indicium.Startup.getIdentityServerCertificate() in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 1137
   at Indicium.Startup.createIdentityServerBuilder(IServiceCollection services, IRootApplicationLoader rootApplicationLoader) in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 1034
   at Indicium.Startup.ConfigureServices(IServiceCollection services) in C:\azp\agent\_work\1\s\src\Indicium\Startup.cs:line 514
   at System.RuntimeMethodHandle.InvokeMethod(Object target, Span`1& arguments, Signature sig, Boolean constructor, Boolean wrapExceptions)
   at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object ] parameters, CultureInfo culture)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.InvokeCore(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass9_0.<Invoke>g__Startup|0(IServiceCollection serviceCollection)
   at Microsoft.AspNetCore.Hosting.StartupLoader.ConfigureServicesDelegateBuilder`1.<>c__DisplayClass15_0.<BuildStartupServicesFilterPipeline>g__RunPipeline|0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.Invoke(Object instance, IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConfigureServicesBuilder.<>c__DisplayClass8_0.<Build>b__0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.StartupLoader.ConfigureServicesDelegateBuilder`1.<>c__DisplayClass14_0.<ConfigureServices>g__ConfigureServicesWithContainerConfiguration|0(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.ConventionBasedStartup.ConfigureServices(IServiceCollection services)
   at Microsoft.AspNetCore.Hosting.WebHost.EnsureApplicationServices()
   at Microsoft.AspNetCore.Hosting.WebHost.Initialize()
   at Microsoft.AspNetCore.Hosting.WebHostBuilder.Build()
   at Indicium.Program.Main(String(] args) in C:\azp\agent\_work\1\s\src\Indicium\Program.cs:line 23

 

When i remove the OpenID client configuration the Indicium runs normal.

Does anybody know what is causing this error and how can i successfully create an OpenID configuration to use as Authentication Back End?

 

You can add the following configuration to your WebApp to fix this issue. The name of the key must be: website_load_certificates and the value must be a * and not a thumbprint, because Indicium is generating the certificate. This is something that we might improve in the future. Also the App service plan must be basic or higher for it to work.

 

 


Thank you for the information. That should be added to the documentation.

Now i have to find out how to call this endpoint. The documentation is not providing much information