I'm new to IdentityServer4 (2.5) and certificate setup so please bear with me. I think that I've chased down everything I could. I am using it with ASP.Net Core 2.2.0 in a proof of concept app. I have OpenIdConnect with an authority app and a client using cookies with X509Certificate2. Works great on my local machine; however, when I deploy to IIS I get this error:
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://my.com/mpauth/.well-known/openid-configuration'. ---> System.ArgumentException: IDX20108: The address specified 'http://my.com/mpauth/.well-known/openid-configuration/jwks' is not valid as per HTTPS scheme. Please specify an https address for security reasons. If you want to test with http address, set the RequireHttps property on IDocumentRetriever to false.
The problem is here - http://my.com/mpauth/.well-known/openid-configuration/jwks. If I put that in the browser I get an error; however, if I change http to https I get the data. What setting controls this?
TL;DR
In most cases IdentityServer defers the base hostname/URI from the incoming request but there might be deployment scenarios which require enforcing it via the IssuerUri and/or PublicOrigin options as documented here.
More Info
The URL you are getting in your exception is part of the discovery lookup. It is necessary for validating tokens (e.g. in an applications auth middleware).
There should be a first request to .../.well-known/openid-configuration (the main discovery document) that refers to several other URIs and one of them should be the jwks (signing key sets). In most cases the other URIs in openid-configuration will point to the same primary hostname and protocol scheme your identity server is using. In your case it looks like the scheme changes to HTTP which might be unwanted in this day and age.
Is it possible, that the deployed IdentityServer lives behind a load balancer/SSL termination appliance? This could cause behavior.
I am not sure about IIS details but there might also be some kind of default hostname/URI thing at play.
I searched and found this related post, and use it as the basis for this question
Simple C example of doing an HTTP POST and consuming the response
Jerry's code works perfectly, but I have an unusual issue. I have Cloudflare implemented on the destination server, which means that the destination cannot be addressed by IP, it has to be directed to the fully qualified domain URL. I proved this by using the code, but got a return message from Cloudflare informing me that the IP could not be used.
My question is, will C support POST to a URL, or does it have to be to an IP address? If if will accept the domain, what can I do to alter that code ?
I think http POST should be working fine with URL. You can either use domain name or direct ip. both should work.
In your code, try to edit the variable 'host'.
I have use Outbound Message in salesforce. When the Trigger is Occur on the particular object outbound Message to pass particular End URL. here I want to receive the Outbound Message from the Mulesoft(EndPoint URL) . I have tried HTTP,UDP,TCP,Genric these Kind of endpoint URL but its not working. How i can Use the Mulesoft end point URL. by using Local host its possible or not. Because I have used Localhost:8081 this kind of URL only. what are all the way i have to receive salesforce outbound Message. Thanks
The target of the outbound message must be accessible from the web. It has to have some meaningful domain name or IP address (and if you're behind a firewall you need to allow messages from SF pool of IP addresses to pass through).
http://wiki.developerforce.com/page/Creating_an_Outbound_Messaging_Notification_Service_with_Eclipse_3.2#Testing_Your_Service
Testing can be a bit of a tricky wicket if you are not developing on a
machine that is accessible from the internet. Following the sample, we
have deployed our web service to localhost:8080. It is not possible
for the salesforce.com servers to make a request to that address.
I'm working with a third party webservice who requires that all calls to their service are made from whitelisted IP addresses. That is, I must give them IP addresses from which I will be making calls to their service.
Problem is I'm using Google Appengine. Is there any way to get a static IP address when making outgoing http requests from Appengine? Failing that - is there a block of IP addresses that all requests will come from? I could get the entire bloc whitelisted. If this exists, how likely is it to change?
I know I could setup a simple Amazon EC2 instance to use as a proxy (will ask another question for how to do this specifically) but just wanted to make sure there was no other way.
I had the same problem a couple of weeks ago connecting via Urlfetch from Google App Engine to the Stack Exchange API (The team has promptly fixed the problem whitelisting all the GAE IPs).
The range of IP addresses that urlfetch connections may come from, can be found by performing the following DNS lookup:
dig -t TXT _netblocks.google.com #ns1.google.com
Last I checked this wasn't possible. You can get the current IP address dynamically, but it isn't predictable.
Please note: _netblocks.google.com is apparently not accurate. Currently I have noticed that GAE connects from addresses not listed when you dig _netblocks, for example from 8.35.201.166.
This range is not listed in _netblocks, _netblocks2 or _netblocks3.
Current dig output:
ip4:216.239.32.0/19
ip4:64.233.160.0/19
ip4:66.249.80.0/20
ip4:72.14.192.0/18
ip4:209.85.128.0/17
ip4:66.102.0.0/20
ip4:74.125.0.0/16
ip4:64.18.0.0/20
ip4:207.126.144.0/20
ip4:173.194.0.0/16
Apparently I do not need a 'Maps API key' to use the 'Google Geocoding API' according to:
http://code.google.com/apis/maps/documentation/geocoding/index.html
However, I obtain this:
{
"status": "REQUEST_DENIED",
"results": [ ]
}
Does this mean that my IP is blocked? What can I do to overcome this?
Until the end of 2014, a common source of this error was omitting the mandatory sensor parameter from the request, as below. However since then this is no longer required:
The sensor Parameter
The Google Maps API previously required that you include the sensor parameter to indicate whether your application used a sensor to determine the user's location. This parameter is no longer required.
Did you specify the sensor parameter on the request?
"REQUEST_DENIED" indicates that your request was denied, generally because of lack of a sensor parameter.
sensor (required) — Indicates whether or not the geocoding request comes from a device with a location sensor. This value must be either true or false
Remove the API key parameter and its value.
eg. https://maps.googleapis.com/maps/api/geocode/json?address=[YOUR ADDRESS]&sensor=true
I found that in my case, calling to the service without secure protocol (meaning: http), after adding the key=API_KEY, cause this issue.
Changing to https solved it.
I've noticed that you also get REQUEST_DENIED for some addresses if you don't properly URL encode your address. For example, in
123 Main St #B, Mytown, CA 94110
the '#' character needs to be encoded as %23
For those who are looking this page in 2017 or beyond, like me
Sensor is not required anymore, I tried and got the error:
SensorNotRequired
I just needed to activate my Google Maps Geocoding API, that seems to be necessary nowadays.
Hope it helps someone like me.
If you just copy&paste the example URL that Google gives in their website
http://maps.google.com/maps/api/geocode/json?address=1600+Amphitheatre+Parkway,+Mountain+View,+CA&sensor=true_or_false
it will fail because of the wrong parameter of the sensor. You should change it to true or false and not the one that they wrote.
Maybe is the error that you have had, like it happened to me...
I had this problem and I realized that I was assuming that Geocoding came with the JS maps API. However, it is a separate API which I hadn't enabled in the cloud console. Enabling it fixed it right away.
I got this problem as well using the drupal 7 Location module. Autofilling all empty locations resulted in this error. Executing one of the requests to the location api manually resulted in this error in the returned JSON:
"Browser API keys cannot have referer restrictions when used with this API."
Resolving the problem then was easy: create a new key without any restrictions and use it only for Geocoding.
Note for those new to google api keys: by restrictions they mean limiting requests using an api key to specific domains / subdomains. (eg. only request from http://yourdomain.com are allowed).
It's suck Google don't let you that your service is not enabled by this account. Try to enable it first.
Go here https://console.developers.google.com/project
and create a new project with place service activated this may solve your problem.
If you not have configured a billing account with your credit card, the API do not work. The Google is now very hungry for money and not open more your products "free". Obviously that him offer a free limited access number of consults and over this acces, the billing is very high.
https://cloud.google.com/maps-platform/pricing
As you say, this can mean that your IP address has been blocked. I'd make sure that you specify the key parameter on the query string for the Geocoding API request.
https://maps.googleapis.com/maps/api/geocode/xml?sensor=false&address=Placename&key=XXxxxXXxXxxxxXXxx
Also make sure that if you've set up IP Address Restrictions within the Developer Console, you've allowed the correct IP address, just click the project within the list and you'll see the allowed IPs.
If you're still running into issues, you might want to look into printing out the values of the status and error_message elements from the response from Google, you'll see something like this:
REQUEST_DENIED - This IP, site or mobile application is not authorized to use this API key. Request received from IP address 123.4.5.678, with empty referer
If it doesn't mention an IP address restriction, it may well give you enough information about the problem to Google a fix.
For anyone struggling with this issue, I just found out that the Geocoding API can't be used with API keys that have referrer restrictions. Just remove all your referrer restrictions and you should be good.
If you're using any other APIs that do allow keys with referrer restrictions (like the Maps JS API), it's probably best to create a 2nd key with no restrictions to use exclusively for geocoding, because other APIs might display your key publicly and someone else could start using it on their own site.
Google is returning a very useful error message, which helps to correct the issue!
Dim Request As New XMLHTTP30
Dim Results As New DOMDocument30
Dim StatusNode As IXMLDOMNode
Request.Open "GET", "https://maps.googleapis.com/maps/api/geocode/xml?" _
& "&address=xxx", False
Request.Send
Results.LoadXML Request.responseText
Set StatusNode = Results.SelectSingleNode("//status")
Select Case UCase(StatusNode.Text)
Case "REQUEST_DENIED"
Debug.Print StatusNode.NextSibling.nodeTypedValue
...
Error Message Examples
Message 1:
Requests to this API must be over SSL. Load the API with "https://"
instead of "http://".
Message 2:
Server denied the request: You must use an API key to authenticate each request to Google Maps Platform APIs. For additional information, please ...
If none of given solutions fixed the error, the issue probably about Google Cloud Billing settings. You must enable Billing on the Google Cloud Project at billing/enable.
Learn more
{
"error_message" : "You must enable Billing on the Google Cloud Project at https://console.cloud.google.com/project/_/billing/enable Learn more at https://developers.google.com/maps/gmp-get-started",
"results" : [],
"status" : "REQUEST_DENIED"
}
I created another Credential(New API) only for Geocoding, with "Key restrictions" 'None' and "API restrictions" 'Restrict key'
Selected APIs:
Directions API
Geocoding API
Geolocation API
Maps JavaScript API
Places API
and then it's worked.
I just ENABLED my geocoding API, geolocation API and places API on my google cloud platform (where I had generated my API key I was using) and it worked.