如何配置 Duende IdentityServer 6 以使用 HTTPS(自签名证书)和 Docker compose

问题描述 投票:0回答:1

我有以下场景:

  • 我有一个由 Duende IdentityServer 6 在容器内实现的身份提供商 (IdP)。
  • 我有一个客户端应用程序 (client2),需要使用 OIDC 通过 HTTPS 对 IdP 进行身份验证。

我正在使用 dev-certs https 创建自签名证书作为有效证书。 (有关更多详细信息,请参阅https://learn.microsoft.com/en-us/aspnet/core/security/docker-compose-https?view=aspnetcore-6.0

我创建了一个 docker compose 文件来使用此配置(简化版本)运行应用程序:

services:
  idp:
    build: ./Identity
    ports:
      - "5000:80"
      - "7000:443"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443;http://+:80
      - ASPNETCORE_HTTPS_PORT=7000
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/Identity.pfx
      - ASPNETCORE_Kestrel__Certificates__Default__Password=<the-identity-password>
      - SIGNCRED_PATH=/https/SignCred.pfx #required for Duende IdentityServer to sign tokens
      - SIGNCRED_PASS=<another-password>
    volumes:
      - my_data:/https
    networks:
      - my_net
  cli2:
    build: ./Client2
    ports:
      - "5002:80"
      - "7002:443"
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=https://+:443;http://+:80
      - ASPNETCORE_HTTPS_PORT=7002
      - ASPNETCORE_Kestrel__Certificates__Default__Path=/https/Client2.pfx
      - ASPNETCORE_Kestrel__Certificates__Default__Password=<the-client2-password>
      - AUTHORITY=https://idp #I think this is the main problem
    volumes:
      - my_data:/https
    networks:
      - my_net
volumes:
  my_data:
    driver: local
    driver_opts:
      type: none
      device: C:\Users\<my-user>\.aspnet\https
      o: bind
networks:
  my_net:
    driver: bridge

当我尝试从 client2 应用程序登录时,出现以下错误:

cli2  | fail: Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware[1]
cli2  |       An unhandled exception has occurred while executing the request.
cli2  |       System.InvalidOperationException: IDX20803: Unable to obtain configuration from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
cli2  |        ---> System.IO.IOException: IDX20804: Unable to retrieve document from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
cli2  |        ---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
cli2  |        ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

根据我的理解,使用容器名称“idp”不起作用,因为我创建的自签名证书是针对“localhost”的,所以我无法使用容器名称。但我也无法使用“localhost”,因为它将尝试解析容器内的内部地址,而不是 idp 容器本地主机。

有什么帮助吗?

docker ssl-certificate duende identityserver6
1个回答
0
投票

我为 Docker 主机创建了一个 DNS 名称为 host.docker.internal 的自签名证书,但仍然遇到类似的问题,即客户端应用程序不信任 IdP 的证书。

由于证书链错误,远程证书无效:UntrustedRoot

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.