Unable to login. Bearer was not authenticated. Unable to obtain configuration from : \u0027[PII is hidden

I have…

  • [x] Checked the logs and have provided the logs if I found something suspicious there

I’m submitting a…

  • [x] Bug report

Current behavior

Squidex doesn’t load after successful authentication.
When I enter login and password the login window closes but squidex doesn’t load up.
I can see 401 (Unauthorized) on http://default/api/apps from dev console.
From the Squidex logs:
"IDX20803: Unable to obtain configuration from: \u0027[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]\u0027."

Expected behavior

Minimal reproduction of the problem

Environment

  • [x] Self hosted with docker
  • [ ] Self hosted with IIS
  • [ ] Self hosted with other version
  • [ ] Cloud version

Version: [VERSION]

Browser:

  • [x] Chrome (desktop)
  • [ ] Chrome (Android)
  • [ ] Chrome (iOS)
  • [x] Firefox
  • [ ] Safari (desktop)
  • [ ] Safari (iOS)
  • [ ] IE
  • [ ] Edge

log

{
  "logLevel": "Information",
  "message": "Profile service returned the following claim types: sub urn:squidex:name urn:squidex:permissions email preferred_username name email email_verified",
  "types": "sub urn:squidex:name urn:squidex:permissions email preferred_username name email email_verified",
  "app": {
    "name": "Squidex",
    "version": "4.2.0.0",
    "sessionId": "380cfa29-5a1d-4dce-8fde-ab1fe0c516a7"
  },
  "web": {
    "requestId": "|be02f5e3-46879754aa404f84.",
    "requestPath": "/connect/userinfo",
    "requestMethod": "GET"
  },
  "timestamp": "2020-04-23T14:02:35Z",
  "category": "IdentityServer4.ResponseHandling.UserInfoResponseGenerator"
}

{
  "logLevel": "Information",
  "filters": {
    "userId": "5ea19918c63a08000191df9c",
    "costs": 0
  },
  "elapsedRequestMs": 8,
  "app": {
    "name": "Squidex",
    "version": "4.2.0.0",
    "sessionId": "380cfa29-5a1d-4dce-8fde-ab1fe0c516a7"
  },
  "web": {
    "requestId": "|be02f5e3-46879754aa404f84.",
    "requestPath": "/identity-server/connect/userinfo",
    "requestMethod": "GET"
  },
  "timestamp": "2020-04-23T14:02:35Z"
}

{
  "logLevel": "Error",
  "message": "Exception occurred while processing message.",
  "eventId": {
    "id": 3,
    "name": "ProcessingMessageFailed"
  },
  "app": {
    "name": "Squidex",
    "version": "4.2.0.0",
    "sessionId": "380cfa29-5a1d-4dce-8fde-ab1fe0c516a7"
  },
  "web": {
    "requestId": "|be02f5e4-46879754aa404f84.",
    "requestPath": "/apps",
    "requestMethod": "GET"
  },
  "timestamp": "2020-04-23T14:02:35Z",
  "category": "Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler",
  "exception": {
    "type": "System.InvalidOperationException",
    "message": "IDX20803: Unable to obtain configuration from: \u0027[PII is hidden. For more details, see https://aka.ms/IdentityModel/PII.]\u0027.",
    "stackTrace": "   at Microsoft.IdentityModel.Protocols.ConfigurationManager\u00601.GetConfigurationAsync(CancellationToken cancel)\n   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()"
  }
}

There is a setting to show PII. You will find it in the app settings: https://github.com/Squidex/squidex/blob/master/backend/src/Squidex/appsettings.json#L507

BTW: PLEASE format your code / logs with code comments.

Here is what I got after enabling showPII. I am running non-proxy.yml with http://localhost.local domain name. I tried using https, but the server refuses connection presumably due to the absence of an SSL certificate.

{
  "logLevel": "Error",
  "message": "IDX20803: Unable to obtain configuration from: \u0027http://localhost.local/identity-server/.well-known/openid-configuration\u0027.",
  "app": {
    "name": "Squidex",
    "version": "4.2.0.0",
    "sessionId": "32771719-15e2-4ace-8aed-d2bf4eae4ee3"
  },
  "web": {
    "requestId": "|6e5fcbb-4eac850031fb9055.",
    "requestPath": "/apps",
    "requestMethod": "GET"
  },
  "timestamp": "2020-04-30T11:27:59Z",
  "category": "IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler",
  "exception": {
    "type": "System.InvalidOperationException",
    "message": "IDX20803: Unable to obtain configuration from: \u0027http://localhost.local/identity-server/.well-known/openid-configuration\u0027.",
    "stackTrace": "   at Microsoft.IdentityModel.Protocols.ConfigurationManager\u00601.GetConfigurationAsync(CancellationToken cancel)\n   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()\n   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()\n   at Microsoft.AspNetCore.Authentication.AuthenticationHandler\u00601.AuthenticateAsync()\n   at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme)\n   at IdentityServer4.AccessTokenValidation.IdentityServerAuthenticationHandler.HandleAuthenticateAsync()"
  }
}

I guess your docker container cannot reach localhost.local.

Yes, you were right, the container could not resolve localhost.local.
But where should it be pointed to? I tried to update docker container’s hosts file to point it to either 127.0.0.1 or docker host ip but it all resulted in Invalid redirect_uri: http://localhost.local/client-callback-popup\n{ on the client.
I am still quite confused about the whole authorisation workflow. Thank you

I think the only option is to use a custom host name entry in your windows host file pointing to 127.0.0.1.

The reason why it is so complicated is that Squidex hosts an OIDC server as well. So basically you can think about 2 servers hosted in one process.

My Docker doesn’t see the Windows hosts file as it’s inside a VM. I tried to update the hosts files on the Windows host, the VM and even in the container to 127.0.0.1 but still no luck. I will try again, thanks.

But this is a problem that only exists on your local environment. When you have a proper domain and server it works.

We have the same issue. Our environment is Apache with the standard Squidex Identity server.
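
The diagnosis reached in this thread, turned into a check (an added example, not part of the original posts and not Squidex code): it pulls the discovery URL out of an IDX20803 log line and classifies how that host resolves in the environment where the script runs. The function names, status strings and sample log line are constructed for illustration.

```python
import ipaddress
import json
import re
import socket
from urllib.parse import urlsplit

# Constructed sample, modelled on the IDX20803 entry posted in this thread.
SAMPLE_LOG = json.dumps({
    "logLevel": "Error",
    "message": "Exception occurred while processing message.",
    "exception": {"message": "IDX20803: Unable to obtain configuration from: "
                  "'http://localhost.local/identity-server/.well-known/openid-configuration'."},
})
IDX20803 = re.compile(r"IDX20803: Unable to obtain configuration from: '([^']*)'")


def metadata_target(log_line):
    """Return the quoted target of an IDX20803 entry, or None if there is none."""
    try:
        entry = json.loads(log_line)
        texts = [entry.get("message"), (entry.get("exception") or {}).get("message")]
    except (ValueError, AttributeError):
        return None  # not a JSON object log line
    for text in texts:
        match = IDX20803.search(str(text or ""))
        if match:
            return match.group(1)
    return None


def system_resolver(host):
    """Resolve with the resolver of whatever environment runs this script."""
    return [info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)]


def diagnose(log_line, resolve=system_resolver):
    """Classify an IDX20803 log line as (status, host)."""
    target = metadata_target(log_line)
    if target is None:
        return ("no-idx20803", None)
    if target.startswith("[PII is hidden"):
        return ("pii-hidden", None)  # enable the show-PII setting first
    host = urlsplit(target).hostname
    try:
        addresses = resolve(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return ("unresolvable", host)
    # Inside a container a loopback address is the container itself, not the Docker host.
    if addresses and all(ipaddress.ip_address(a).is_loopback for a in addresses):
        return ("loopback", host)
    return ("resolves", host)
```

The result only describes the machine or container the script runs in, so a name that resolves on the Docker host can still come back as "unresolvable" from inside the container.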