Some additional information. When looking at the logging, the following message is shown:
2024-12-03T16:30:30.9129322+00:00 [INF] Currently running Indicium version: 2024.1, build: 13.0 (d1c229ce)
2024-12-03T16:30:33.4415923+00:00 [INF] [DataProtection] Loaded 1 data protection keys from Azure Key vault. (8b104c6d)
2024-12-03T16:30:33.7259344+00:00 [ERR] [OpenID] Azure secret is not a valid certificate. (b39a522c)
Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Bad Data.
So it looks like something in the configuration (certificate?) is not correct. But where to look?
Hi Robert,
I believe the HTTP 500 is because your Azure App Service needs an additional environment variable.
This is required because after adding an OpenID client (and restarting Indicium), Indicium needs to create and load a key for signing the JWT tokens. By default, this is not allowed on Azure.
To fix the HTTP 500, in the Azure portal, after opening the Azure App Service configuration, on the left side you find `Environment variables` option (it is under the `Settings` section). Here you can add the `WEBSITE_LOAD_CERTIFICATES` environment variable with the value `*`. Make sure to press "Apply" in the popup but also a second time at the bottom to save the changes.
You can find more information here:
Certificate storage for client applications | Thinkwise Documentation
Hi Dick,
Thanks for the reply. Added the environment variable and this does solve part of the problem. Indicium will now start again after configuring the client. However, when I try to access an endpoint using Postman I get a 500 error there. Getting the token works however. Looking at the Indicium logging it shows the following error:
2024-12-04T11:24:37.5655560+00:00 40006cc8-0000-d800-b63f-84710c7967bb [err] Exception occurred while processing message. (d37e9c4d)
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
 ---> System.IO.IOException: IDX20807: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'. HttpResponseMessage: '[PII of type 'System.Net.Http.HttpResponseMessage' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]', HttpResponseMessage.Content: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
   at Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(String address, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
Hi Robert,
That is good to hear. The next error is because the BearerTokenAuthority is not set. This you can set in the appsettings.json or you can create an environment variable for this as well.
It needs to be configured as your app service URL. If Indicium is loaded from a virtual path it will be https://xxxxx.azurewebsites.net/indicium/.
You can find more information about the BearerTokenAuthority in the docs: Certificate storage for client applications | Thinkwise Documentation
Additionally, in the client application make sure Api access is enabled for your client application. If it is not, a restart of Indicium is required. Also, Postman needs to be configured to use the full_api_access scope - or a 401 will be returned.
Hi Dick,
The BearerTokenAuthority is set to the indicium location in the appsettings.json and full_api_access is used in Postman.
These are the settings in the appsettings.json:

```json
"DataProtectionSettings": {
  "AzureKeyVault": {
    "KeyVaultSecretUrl": "https://<keyvault location>/secrets/stratoz-ra-api"
  }
},
"OpenIDServerSigningSettings": {
  "AzureKeyVault": {
    "KeyVaultCertificateUrl": "https://<keyvault location>/certificates/portal-oidc-cert"
  }
},
"BearerTokenAuthority": "https://<application location>.azurewebsites.net/indicium",
```
Hi Robert,
Your configuration looks okay.
What happens when you open the URL filled in for the BearerTokenAuthority in your browser and add `.well-known/openid-configuration` to it?
You should receive a JSON document in this case. Does that happen for you as well?
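Added example (not code from this thread or from Thinkwise): a small Python check for the BearerTokenAuthority value. It builds the discovery URL the way the ASP.NET JWT bearer handler does (trailing slash added before the well-known path, so the virtual-path form from the earlier reply works either way) and validates a discovery document; the host name and the sample document contents are constructed assumptions.

```python
import json
from urllib.parse import urlparse
from urllib.request import urlopen

DISCOVERY_PATH = ".well-known/openid-configuration"


def discovery_url(authority: str) -> str:
    """Metadata address the bearer handler requests for the configured authority.
    Like ASP.NET's JWT bearer handler, add a trailing slash before the well-known
    path, so '/indicium' and '/indicium/' both resolve to the same document."""
    if not authority.endswith("/"):
        authority += "/"
    return authority + DISCOVERY_PATH


def check_discovery_document(authority: str, doc: dict) -> list:
    """Return findings for a parsed discovery document; an empty list means OK."""
    findings = []
    for key in ("issuer", "jwks_uri", "token_endpoint"):
        if key not in doc:
            findings.append(f"missing '{key}'")
        elif urlparse(doc[key]).scheme != "https":
            findings.append(f"'{key}' is not an https URL")
    issuer = doc.get("issuer", "")
    if issuer and issuer.rstrip("/") != authority.rstrip("/"):
        # Tokens carry this issuer; a reverse proxy such as Front Door in front
        # of the app service can make it differ from the configured authority.
        findings.append(f"issuer '{issuer}' differs from authority '{authority}'")
    return findings


def fetch_and_check(authority: str, timeout: float = 10.0) -> list:
    """Fetch the discovery document over the network and check it. IDX20803 and
    IDX20807 in the Indicium log mean this request failed inside Indicium."""
    url = discovery_url(authority)
    with urlopen(url, timeout=timeout) as resp:
        if resp.status != 200:
            return [f"HTTP {resp.status} from {url}"]
        return check_discovery_document(authority, json.load(resp))


# Constructed sample: the host name and contents are assumptions, not a real tenant.
SAMPLE_AUTHORITY = "https://example-app.azurewebsites.net/indicium"
SAMPLE_DOC = {
    "issuer": "https://example-app.azurewebsites.net/indicium",
    "jwks_uri": "https://example-app.azurewebsites.net/indicium/.well-known/jwks",
    "token_endpoint": "https://example-app.azurewebsites.net/indicium/connect/token",
    "scopes_supported": ["openid", "full_api_access"],
}
```

Run `fetch_and_check("https://<application location>.azurewebsites.net/indicium")` against a deployed instance; an exception or a non-empty list points at the same failure the IDX20803 log entry reports.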
Hi @Robert Wijn 2,
Any updates on this? :)
Hi Jeroen,
Not yet. Temporarily diverted to another topic. There were some Azure settings though that were not correct in the context of Frontdoor, so this might have solved the issue. This is however something for the beginning of next year.
Happy holidays!
All right, let's wait and see then. If we haven’t heard anything after the holidays, we’ll make sure to follow up with you. Happy holidays for you too!