Solved: IdentityServer4 - You must either set Authority or IntrospectionEndpoint

  • [x] I read and understood how to enable logging

Issue / Steps to reproduce the problem

Trying to update my API to .NET Core 2.0 and am now getting the exception below. Upon upgrade I changed my startup.cs with the authentication settings below, and I have confirmed with the debugger that the settings are all being correctly pulled from config and set as the options. I'm sure I'm doing something wrong, but it's not obvious to me what that is yet.

    services
        .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
        .AddIdentityServerAuthentication(opts =>
        {
            // base-address of your identityserver
            opts.Authority = Configuration.GetSection("Id4Settings")["Authority"];
            // name of the API resource
            opts.ApiName = Configuration.GetSection("Id4Settings")["ApiName"];
            opts.RequireHttpsMetadata = bool.Parse(Configuration.GetSection("Id4Settings")["RequireHttps"]);
        });

System.InvalidOperation: You must either set Authority or IntrospectionEndpoint

Relevant parts of the log file

Nothing really relevant in the log. Because of the way I'm handling errors right now, it continues to process after this error and the token is successfully validated.

System.InvalidOperationException: You must either set Authority or IntrospectionEndpoint
   at Microsoft.AspNetCore.Builder.OAuth2IntrospectionOptions.Validate()
   at IdentityModel.AspNetCore.OAuth2Introspection.PostConfigureOAuth2IntrospectionOptions.PostConfigure(String name, OAuth2IntrospectionOptions options)
   at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
   at Microsoft.Extensions.Options.OptionsMonitor`1.<>c__DisplayClass10_0.<Get>b__0()
   at System.Lazy`1.ViaFactory(LazyThreadSafetyMode mode)
   at System.Lazy`1.ExecutionAndPublication(LazyHelper executionAndPublication, Boolean useDefaultConstructor)
   at System.Lazy`1.CreateValue()
   at Microsoft.Extensions.Options.OptionsCache`1.GetOrAdd(String name, Func`1 createOptions)
   at Microsoft.Extensions.Options.OptionsMonitor`1.Get(String name)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.<InitializeAsync>d__42.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Authentication.AuthenticationHandlerProvider.<GetHandlerAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.<AuthenticateAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Builder.IdentityServerAuthenticationHandler.<HandleAuthenticateAsync>d__1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationHandler`1.<AuthenticateAsync>d__47.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationService.<AuthenticateAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.<Invoke>d__6.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.AspNetCore.Cors.Infrastructure.CorsMiddleware.<Invoke>d__7.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 155671.3652ms 500 application/json
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2]
      Request finished in 155671.3652ms 500 application/json
[21:38:45 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
Successfully validated the token.

info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      Successfully validated the token.
info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler[2]
      Successfully validated the token.
[21:38:45 Information] Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler
AuthenticationScheme: BearerIdentityServerAuthenticationJwt was successfully authenticated.
26 Answers

✔️Accepted Answer

When a malformed JWT is passed to a .NET Core 2.0 API using IdentityServer Authentication and a 500 status code is returned instead of a 401, setting options.SupportedTokens = SupportedTokens.Jwt; in the Startup.cs ConfigureServices() solved this problem.

My Scenario:
GET to API requiring OAuth (client credentials is grant type) where I sent some string that cannot be decoded as a JWT.

Header:
Accept:application/json
Authorization:Bearer SomeStringThatIsNotAJwtThatCantbeDecoded

Exception message in the body contains:
InvalidOperationException: You must either set Authority or IntrospectionEndpoint

Other Answers:

OK - I had a look -

so basically you are sending a token that looks like a reference token, but don't configure the handler correctly for reference tokens (the ApiSecret is missing) - right?

I agree that the exception is misleading - so either

  • configure the handler with an ApiSecret
  • restrict the supported token types to JWT
  • don't send garbage for testing

On a related note - if you are using JWTs only - our handler doesn't really give you any extra features. It is only useful if you need to support JWTs and reference tokens in the same API.
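The first two options from the answer above, written as Startup.cs configuration. This is an added example, not code from the thread or from the IdentityServer project; the `Id4Settings` keys follow the question, and the `ApiSecret` configuration key is an assumption.

```csharp
using IdentityServer4.AccessTokenValidation;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        var id4 = Configuration.GetSection("Id4Settings");
        // Assumed key: only present when this API must accept reference tokens.
        var apiSecret = id4["ApiSecret"];

        services
            .AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(opts =>
            {
                opts.Authority = id4["Authority"];
                opts.ApiName = id4["ApiName"];
                opts.RequireHttpsMetadata = bool.Parse(id4["RequireHttps"]);

                if (string.IsNullOrEmpty(apiSecret))
                {
                    // No secret configured: restrict the handler to JWTs. Per the
                    // accepted answer, a bearer value that is not a JWT then gets
                    // a 401 instead of the InvalidOperationException / 500.
                    opts.SupportedTokens = SupportedTokens.Jwt;
                }
                else
                {
                    // Secret configured: accept JWTs and reference tokens, with the
                    // ApiSecret the answer above says the handler was missing.
                    opts.SupportedTokens = SupportedTokens.Both;
                    opts.ApiSecret = apiSecret;
                }
            });

        services.AddMvc();
    }
}
```

Tying `SupportedTokens` to the presence of the secret keeps the API from advertising reference-token support it cannot actually validate.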

For me this error occurs when sending a request from a JavaScript client to Web API only when Authorization header is on the request but the token is null, like so - Authorization: Bearer null or Authorization: Bearer

Is there a way to have this return the response as a 401 instead of a 500? In pre 2.0 the request would just go through unauthenticated and I'd return a 401 so the client could react off that 401 status code and request a new token

For now I injected some middleware to catch the exception and modify the response

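    public async Task Invoke(HttpContext context)
    {
        try
        {
            await _next(context);
        }
        catch (InvalidOperationException exc)
        {
            // The post is cut off here. Assumed completion, based on the text above:
            // turn the failure into a 401 so the client can request a new token.
            if (context.Response.HasStarted) throw;
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        }
    }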

but wasn't sure if there exists a better integration point

I was struggling with this issue and getting the same exception - in my case, I had copied and pasted the token into the Authorization header incorrectly, so it wasn't a valid JWT. Fixing the token immediately fixed the issue.

Based on that and @erikkolo's comment, it looks like failure to extract a valid JWT causes this exception.
