2

I have created a new Blazor WebAssembly App with Individual User Accounts, Store user accounts in-app and ASP.NET Core hosted in .NET 5. When deploying my app to Azure App Service I get the following error:

Object reference not set to an instance of an object.at Microsoft.Extensions.DependencyInjection.IdentityServerBuilderConfigurationExtensions

Reading these links I have to provide my own certificate in production for IdentityServer:

Blazor Web Assembly App .Net Core Hosted: publish runtime error

https://stackoverflow.com/a/56904000/3850405

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-5.0#example-deploy-to-azure-app-service

I then created a .pfx file like this and I have verified that it works and my password is correct.

https://stackoverflow.com/a/48790088/3850405

I then placed the .pfx file in my Server projects root folder and marked Copy to Output Directory as Copy Always.

I then updated appsettings.json to look like this:

  "IdentityServer": {
    "Clients": {
      "BlazorTest.Client": {
        "Profile": "IdentityServerSPA"
      }
    },
    "Key": {
      "Type": "File",
      "FilePath": "localhost.pfx",
      "Password": "MySercurePassword123?"
    }
  },

Now the project does not work neither locally or on Azure. It fails on app.UseIdentityServer(); in Startup.cs with the following error:

Newtonsoft.Json.JsonReaderException: 'Unexpected character encountered while parsing number: �. Path '', line 1, position 1.'

According to Microsoft docs my certificate should be valid:

A production certificate to use for signing tokens.

  • There are no specific requirements for this certificate; it can be a self-signed certificate or a certificate provisioned through a CA authority.
  • It can be generated through standard tools like PowerShell or OpenSSL.
  • It can be installed into the certificate store on the target machines or deployed as a .pfx file with a strong password.

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-5.0#deploy-to-production

If I load the key like this it works:

"Key": {
  "Type": "Store",
  "StoreName": "My",
  "StoreLocation": "CurrentUser",
  "Name": "CN=blazortest"
}
Ogglas
  • 50,115
  • 30
  • 272
  • 333
  • the error "Newtonsoft.Json.JsonReaderException: 'Unexpected character encountered while parsing number: �. Path '', line 1, position 1.'" is typicall when your client can't reach the public discovery endpoint JSON document. are you sure that one is running? (/.well-known/openid-configuration) and it is reachable from the client? – Tore Nestenius Mar 03 '21 at 07:56
  • @ToreNestenius Yes, the exact same code works when using `"Type": "Store"` in `appsettings.json`. – Ogglas Mar 03 '21 at 08:26
  • but in deployment, you have different network topology, are sure sure the Identityserver is reachable inside Azure? If I am not wrong, you have some issues with HTTP vs HTTPS. AppServices terminate HTTPS outside , so your services only get HTTP traffic? – Tore Nestenius Mar 03 '21 at 08:35
  • @ToreNestenius I get the same error locally so I don't think that is the culprit in this case. Locally the app is set to `Enable SSL` and automatically starts with the HTTPS port as usual on localhost. On Azure I got the same error on https://mysite.azurewebsites.net. – Ogglas Mar 03 '21 at 08:55
  • Is the cert selfsigned or a real signed certificate? – Tore Nestenius Mar 03 '21 at 10:09
  • @ToreNestenius Self-signed. Created via Powershell like this: `New-SelfSignedCertificate -DnsName "blazortest" -CertStoreLocation "cert:\CurrentUser\My"` – Ogglas Mar 03 '21 at 10:26
  • You should try to get a real cert, otherwise HTTPS won't connect properly. How can otherwise your AppService in production trust it? – Tore Nestenius Mar 03 '21 at 11:50
  • 1
    @ToreNestenius I don't think that is the issue. It works on localhost and Azure if I pick up the same certificate from `Store` instead of `.pfx` `File`. Looking at what Microsoft says this should have no effect either as stated above: There are no specific requirements for this certificate; it can be a self-signed certificate or a certificate provisioned through a CA authority. It can be generated through standard tools like PowerShell or OpenSSL. It can be installed into the certificate store on the target machines or deployed as a .pfx file with a strong password. – Ogglas Mar 03 '21 at 12:14
  • but for my experience, the App it self gets the traffic as HTTP even if you use HTTPS exernally. That is common issue in Azure. also, do check the log files and I think its more a DNS/HTTPS vs HTTP issue. that the IdentitysErver is not really reachable between services. as a test, you could always try to use https://demo.identityserver.io/ instead, as a identityserver, to see if that works. – Tore Nestenius Mar 03 '21 at 14:07
  • @ToreNestenius If we assume that is the case: How come it works both locally and on Azure with the same certificate and code when the certificate is fetched from the store? That makes no sense in my experience with certificates and HTTPS. :) – Ogglas Mar 03 '21 at 14:14
  • perhaps I don't get exactly where you problem is, I was looking at the "Newtonsoft.Json.JsonReaderException: 'Unexpected character encountered while parsing number: �. Path '', line 1, position 1.'" and that is typical a HTTP->HTTPS error. For token signing, then that is a different ballpark and question. Step #1 is to get the discovery document downloaded... I would try to dig deeper and increase the log-level to Debug or Trace in the services , to better troubleshoot it. – Tore Nestenius Mar 03 '21 at 14:33
  • @ToreNestenius Yes I think I will have to do that. Thanks for trying though! – Ogglas Mar 03 '21 at 15:36
  • Feel free to clarify your question a bit more specific details. I also personally prefer to do most of the config in code,instead of appsettings.json because then I know I don't do any stupid typo :-) – Tore Nestenius Mar 03 '21 at 15:52
  • An alternative that I have used successfully is to use Azure Container Instances instead of AppServices, because then you do all the cert stuff your self and then it is easier to debug. – Tore Nestenius Mar 03 '21 at 15:53
  • Similar problem here. When I use a .pfx file, my Blazor app just replies with a 404 Not Found error. Path to .pfx and password are correct. If I change any of them to something wrong, the error changes to HTTP Error 500.30 - ASP.NET Core app failed to start. What is wrong? – candritzky Apr 28 '21 at 11:59

1 Answers1

2

I was able to fix this problem by removing the entry for IdentityServer in appsettings.Development.json.

Remove the following lines from appsettings.Development.json:

"IdentityServer": {
     "Key": {
       "Type": "Development"
     }
   }
Chris Berlin
  • 554
  • 2
  • 11