Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
834 views
in Technique[技术] by (71.8m points)

identityserver4 - .NET Core JWTBearer skip self-signed certificate validation for local communication with identity server

I have two API projects, one that's based on the .NET Framework 4.6.2 (an old API) and one that's based on .NET Core 2.0. The old API can disable self-signed certificate validation quite simply:

System.Net.ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };

However this code does not work in .NET Core (even though it compiles fine), and it is causing me issues when the API tries to communicate (specifically when it tries to get the discovery document from the identity server, which is behind a reverse proxy which, in this environment, has a self-signed certificate that it uses for https). I've seen similar questions on StackOverflow but all the answers have to do with how the HttpClient is created. The issue for me is that I have no control over how the HttpClient is created (the token validation is middleware and I don't see any way to control how it's creating the HttpClient), so I'm wondering if there is a global way in .NET Core to skip self-signed certificate validation?

EDIT: my issue seems closely related to this issue, however I have taken the self-signed certificated and loaded it into the trusted root of both the container (where the api is running) and my local machine (where the container is running) and I still get the certificate validation errors.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

I should have looked more closely at the JwtBearerOptions, turns out I could set options.BackchannelHttpHandler, e.g.: options.BackchannelHttpHandler = new HttpClientHandler { ServerCertificateCustomValidationCallback = delegate { return true; } }; -- now it works as expected.

EDIT: although it is possible to skip certificate validation in .NET Core, I eventually abandoned this approach because it became too cumbersome to find all the components that had an HttpClient and to modify the HttpClient to skip cert validation. The approach I eventually went with was to create a CA using easy-rsa and then to generate certs signed by the CA. Then the only step is to import the CA cert into the containers and they'll trust the other certs. It may sound like a lot but the easy-rsa command interface is fairly straight-forward and it really doesn't end up being that much effort.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...