Can/should OpenIdConnectCachingSecurityTokenProvider be fault tolerant?

[phatcher]

Issue I had today was my API couldn't connect to Azure B2C, during startup which caused a yellow screen with the API.

[WebException: The remote server returned an error: (500) Internal Server Error.]
   System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) +606
   System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result) +19
   System.Net.WebClient.DownloadBitsResponseCallback(IAsyncResult result) +91
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__4.MoveNext() in c:\workspace\WilsonForDotNet45Release\src\Microsoft.IdentityModel.Protocol.Extensions\Configuration\GenericDocumentRetriever.cs:42

[IOException: Unable to get document from: https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration?p=B2C_1_StandardSignup]
   Microsoft.IdentityModel.Protocols.<GetDocumentAsync>d__4.MoveNext() in c:\workspace\WilsonForDotNet45Release\src\Microsoft.IdentityModel.Protocol.Extensions\Configuration\GenericDocumentRetriever.cs:48
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   Microsoft.IdentityModel.Protocols.<GetAsync>d__0.MoveNext() in c:\workspace\WilsonForDotNet45Release\src\Microsoft.IdentityModel.Protocol.Extensions\Configuration\OpenIdConnectConfigurationRetriever.cs:81
   System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +92
   System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +58
   System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task) +25
   Microsoft.IdentityModel.Protocols.<GetConfigurationAsync>d__3.MoveNext() in c:\workspace\WilsonForDotNet45Release\src\Microsoft.IdentityModel.Protocol.Extensions\Configuration\ConfigurationManager.cs:198

Given that we are making an RPC call which can fail, does it make sense for the policy acquisition not to fail/throw so that the API doesn't crash at startup, it just can't authenticate using OAuth. When the service comes back, it will then pick up the policies, something like...

private void RetrieveMetadata()
{
	_synclock.EnterWriteLock();
	try
	{
		OpenIdConnectConfiguration config = Task.Run(_configManager.GetConfigurationAsync).Result;
		_issuer = config.Issuer;
		_tokens = config.SigningTokens;
	}
	catch (AggregateException ex)
	{
		// Unwrap and log
	}
	catch (Exception ex)
	{
		// Log failure
	}
	finally
	{
		_synclock.ExitWriteLock();
	}
}

What I then get if the front-end can talk to B2C are
DX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier errors as the issuer/token are null in the API.

What I don't know is if this is appropriate, i.e. JwtFormat keep calling the IIssuerSecurityTokenProvider, or am I abusing the interface.

[mikeybrin]

Did you ever find a fix for this phatcher? I have strange scenario where this call works on my local computer running on local IIS, HTTPS, IIS Express development certificate however whenever any of the other developers check out my code they see the error you are getting. To troubleshoot my colleagues issue I have created a wildcard certificate and ensured I have hosted their APIs on the correct domain corresponding to the certificate. When I navigate to their APIs with this offending line of code commented out, the browser accepts the website is secure. If I switch my local machine to IIS Express I can reproduce their issue. All very stange seeing as it works so perfectly on my machine. I am suspecting a firewall problem but the switching between IIS local and express tells me it is certificate related. Anyone any ideas?

[phatcher]

@mikeybrin No resolution - and no engagement from the team either :-(

[parakhj]

I would recommend checking out this sample instead: https://github.com/Azure-Samples/active-directory-b2c-dotnet-webapp-and-webapi

This sample is outdated and will soon be deprecated. If you're struggling with OWIN specifically, I would post a question on stack overflow with the proper tags

[phatcher]

@parakhj The new sample contains exactly the same code as the old one for the OpenIdConnectCachingSecurityTokenProvider - I'll raise the question over there, again.

[mikeybrin]

@phatcher For me this turned out to be a firewall issue where I needed to use our proxy server. Adding the following to the web.config seemed to do the trick:

<system.net>



</system.net>

The error was so vague when essentially the call to Microsoft was just getting blocked as no outbound traffic was permitted. Hope this helps.

[mikeybrin]

<defaultProxy>
  <proxy usesystemdefault="false" proxyaddress="​" bypassonlocal="false"/>
</defaultProxy>

[phatcher]

@mikeybrin Thanks for the update, it's a useful one to know

[derisen]

Closing as this repo is being archived.