How to disable ssl certificate validation upon OpenId connect in .Net Core 3.1?

Problem description

I'm trying to connect in a development environment to an open id authority with its ip address. Obviously in this scenario the ssl validation will fail. I'd like to bypass it, without any luck so far. I've found the following answers regarding this topic:

  • Setting the RequireHttpsMetadata to false in the OpenIdConnectOptions class.
  • Using the code below:

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

When my app tries to access the oidc authority I receive the same error:

An unhandled exception occurred while processing the request. AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)

Solution

Warning: only use this during development. You need a custom certificate validation routine for your production platform if appropriate.

You might have overridden the wrong HttpClientHandler. Back-channel HttpClient for OpenId Connect can be overridden here:

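services
    .AddAuthentication(options =>
    {
        // ...
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // ...
        // The OpenID Connect handler fetches the discovery document and tokens
        // through its own back-channel HttpClient, so the handler is set here.
        HttpClientHandler handler = new HttpClientHandler();
        // Development only: accepts every server certificate.
        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        options.BackchannelHttpHandler = handler;
    });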
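
A narrower development-only variant of the back-channel handler above, as an added example that is not part of the original answer: it leaves default validation in place outside Development and, for the dev authority only, accepts a failing certificate when it matches one pinned thumbprint. The class name `DevBackchannel` and the thumbprint placeholder are assumptions; the host is the one from the URL in the question.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Hosting;

// Hypothetical helper; call DevBackchannel.Configure(options, env) inside AddOpenIdConnect.
public static class DevBackchannel
{
    // Host of the development authority, taken from the URL in the question.
    private const string DevAuthorityHost = "172.11.0.11";

    // Placeholder: SHA-256 thumbprint (hex) of the dev authority's certificate.
    private const string PinnedSha256 = "<DEV_CERT_SHA256_THUMBPRINT_HEX>";

    public static void Configure(OpenIdConnectOptions options, IHostEnvironment env)
    {
        // Outside Development the default handler and default validation stay in place.
        if (!env.IsDevelopment())
            return;

        options.BackchannelHttpHandler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = Validate
        };
    }

    public static bool Validate(HttpRequestMessage request, X509Certificate2 cert,
                                X509Chain chain, SslPolicyErrors errors)
    {
        // A certificate that passes normal validation needs no exception.
        if (errors == SslPolicyErrors.None)
            return true;

        // The exception applies only to the dev authority, never to other hosts.
        if (cert == null || request?.RequestUri?.Host != DevAuthorityHost)
            return false;

        // Accept the failing certificate only when it is exactly the pinned one.
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, PinnedSha256, StringComparison.OrdinalIgnoreCase);
    }
}
```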
