Unable to get OpenIddict server working when behing Apache proxy

[mindfieldspace]

Confirm you've already contributed to this project or that you sponsor it

• I confirm I'm a sponsor or a contributor

Version

7.0.0

Question

Running Localhost client to Localhost server: (All good - works well)

Server Config (part)

// Register the OpenIddict server components.
.AddServer(options =>
{
	// Enable the token endpoint.
	options.SetTokenEndpointUris("/connect/token");

	// Enable the client credentials flow.
	options.AllowClientCredentialsFlow();

	// Register the signing and encryption credentials.
	options.AddDevelopmentEncryptionCertificate();
	options.AddDevelopmentSigningCertificate();

	// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
	options.UseAspNetCore().DisableTransportSecurityRequirement();
	options.UseAspNetCore()
		   .EnableTokenEndpointPassthrough();
})

// Register the OpenIddict validation components.
.AddValidation(options =>
{
	// Import the configuration from the local OpenIddict server instance.
	options.UseLocalServer();
	
	// Register the ASP.NET Core host.
	options.UseAspNetCore();

});

Server Run

[10:20:44 INF] Initiating oidc test application
info: Quartz.Core.SchedulerSignalerImpl[0]
      Initialized Scheduler Signaller of type: Quartz.Core.SchedulerSignalerImpl
info: Quartz.Core.QuartzScheduler[0]
      Quartz Scheduler created
info: Quartz.Core.QuartzScheduler[0]
      JobFactory set to: Quartz.Simpl.MicrosoftDependencyInjectionJobFactory
info: Quartz.Simpl.RAMJobStore[0]
      RAMJobStore initialized.
info: Quartz.Impl.StdSchedulerFactory[0]
      Quartz Scheduler 3.14.0.0 - 'QuartzScheduler' with instanceId 'NON_CLUSTERED' initialized
info: Quartz.Impl.StdSchedulerFactory[0]
      Using thread pool 'Quartz.Simpl.DefaultThreadPool', size: 10
info: Quartz.Impl.StdSchedulerFactory[0]
      Using job store 'Quartz.Simpl.RAMJobStore', supports persistence: False, clustered: False
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://127.0.0.1:7500
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Quartz.Core.QuartzScheduler[0]
      Scheduler QuartzScheduler_$_NON_CLUSTERED started.
info: OpenIddict.Server.OpenIddictServerDispatcher[6053]
      The request URI matched a server endpoint: Configuration.
info: OpenIddict.Server.OpenIddictServerDispatcher[6066]
      The configuration request was successfully extracted: {}.
info: OpenIddict.Server.OpenIddictServerDispatcher[6067]
      The configuration request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[6142]
      The response was successfully returned as a JSON document: {
        "issuer": "http://127.0.0.1:7500/",
        "token_endpoint": "http://127.0.0.1:7500/connect/token",
        "jwks_uri": "http://127.0.0.1:7500/.well-known/jwks",
        "grant_types_supported": [
          "client_credentials"
        ],
        "scopes_supported": [
          "openid"
        ],
        "claims_supported": [
          "aud",
          "exp",
          "iat",
          "iss",
          "sub"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "subject_types_supported": [
          "public"
        ],
        "prompt_values_supported": [
          "consent",
          "login",
          "none",
          "select_account"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "private_key_jwt",
          "client_secret_basic"
        ],
        "require_pushed_authorization_requests": false,
        "claims_parameter_supported": false,
        "request_parameter_supported": false,
        "request_uri_parameter_supported": false,
        "tls_client_certificate_bound_access_tokens": false,
        "authorization_response_iss_parameter_supported": true
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[6053]
      The request URI matched a server endpoint: JsonWebKeySet.
info: OpenIddict.Server.OpenIddictServerDispatcher[6068]
      The JSON Web Key Set request was successfully extracted: {}.
info: OpenIddict.Server.OpenIddictServerDispatcher[6069]
      The JSON Web Key Set request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[6142]
      The response was successfully returned as a JSON document: {
        "keys": [
          {
            "kid": "8330C593B900DA62C8D806974F986B60FD6D9DFE",
            "use": "sig",
            "kty": "RSA",
            "alg": "RS256",
            "e": "AQAB",
            "n": "0gOvSR2kh4ImnEaqajjKKMTFPPOHHTakacIvUN9x41xIwLbSnSptNL-RCt4X9Br7e9uHf4UW1ch0t9BEeJe_kbQ9zDvs6SWeoBpW--lIdVrWAF0Wg9ujjcjJmssErktzLfNB28e4Z1L9f2tE6cP9zajyk-Qmhyhgp1QF86EqGKAmua3qYzcSbJPk_vR8w_Hvf_Mgl26x0Jtq0KczytU7Z9Yd4P2x3Onk5x4xFgm-6SnU4QzEiKD7qqlswJZsl3LwzMs5z-h3RmPy_d7SKcK464B3XmBSlVTZfru-mDx2vobh7UjX3TYgeOlza4fw_oNJz65tswriS9Jhil-VzwUJmQ",
            "x5t": "gzDFk7kA2mLI2AaXT5hrYP1tnf4",
            "x5c": [
              "MIIC9TCCAd2gAwIBAgIJANYamlcNLySaMA0GCSqGSIb3DQEBCwUAMDAxLjAsBgNVBAMTJU9wZW5JZGRpY3QgU2VydmVyIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMjUwNzMwMjM0MjQzWhcNMjcwNzMwMjM0MjQzWjAwMS4wLAYDVQQDEyVPcGVuSWRkaWN0IFNlcnZlciBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0gOvSR2kh4ImnEaqajjKKMTFPPOHHTakacIvUN9x41xIwLbSnSptNL+RCt4X9Br7e9uHf4UW1ch0t9BEeJe/kbQ9zDvs6SWeoBpW++lIdVrWAF0Wg9ujjcjJmssErktzLfNB28e4Z1L9f2tE6cP9zajyk+Qmhyhgp1QF86EqGKAmua3qYzcSbJPk/vR8w/Hvf/Mgl26x0Jtq0KczytU7Z9Yd4P2x3Onk5x4xFgm+6SnU4QzEiKD7qqlswJZsl3LwzMs5z+h3RmPy/d7SKcK464B3XmBSlVTZfru+mDx2vobh7UjX3TYgeOlza4fw/oNJz65tswriS9Jhil+VzwUJmQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBALQ7z1jfPotlamRiRBMSM1UamKTRwCzrdj8IMGeu5yPQNUs/95lNZVA2Pc2FhBbVempf//GoPpbfPHWI2/A601N3NkXAwTXFI/rWKQEvt+AqMVxp4SvsLWKZLbjepjnEIFcNaxoTCjnqrRN8ncpTjqYtwWFPh+vh9IAwE0PUnwQTXnZdt6ONPkcpaXo8Z8LPtV6RLx9sTu1BTiuZVTYeyj9AC15q/eSjm5S+3KYknaS/hErpsJvGk7Sqawhw6j+OwrE6Ad3dDPRC4s7QPiZIzdeAbyMOhuS9ERufy12zr2w4Z7LXgo9cI7e5nkXEQVmNfUDqk0UfS7b+oRhkEkkB6sk="
            ]
          }
        ]
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[6053]
      The request URI matched a server endpoint: Token.
info: OpenIddict.Server.OpenIddictServerDispatcher[6075]
      The token request was successfully extracted: {
        "grant_type": "client_credentials",
        "client_id": "newUser",
        "client_secret": "[redacted]"
      }.

Client

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5013
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[100]
      Start processing HTTP request GET http://127.0.0.1:7500/.well-known/openid-configuration
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[100]
      Sending HTTP request GET http://127.0.0.1:7500/.well-known/openid-configuration
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[101]
      Received HTTP response headers after 219.9966ms - 200
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[101]
      End processing HTTP request after 284.6384ms - 200
info: OpenIddict.Client.OpenIddictClientDispatcher[6186]
      The configuration request was successfully sent to http://127.0.0.1:7500/.well-known/openid-configuration: {}.
info: OpenIddict.Client.OpenIddictClientDispatcher[6187]
      The configuration response returned by http://127.0.0.1:7500/.well-known/openid-configuration was successfully extracted: {
        "issuer": "http://127.0.0.1:7500/",
        "token_endpoint": "http://127.0.0.1:7500/connect/token",
        "jwks_uri": "http://127.0.0.1:7500/.well-known/jwks",
        "grant_types_supported": [
          "client_credentials"
        ],
        "scopes_supported": [
          "openid"
        ],
        "claims_supported": [
          "aud",
          "exp",
          "iat",
          "iss",
          "sub"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "subject_types_supported": [
          "public"
        ],
        "prompt_values_supported": [
          "consent",
          "login",
          "none",
          "select_account"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "private_key_jwt",
          "client_secret_basic"
        ],
        "require_pushed_authorization_requests": false,
        "claims_parameter_supported": false,
        "request_parameter_supported": false,
        "request_uri_parameter_supported": false,
        "tls_client_certificate_bound_access_tokens": false,
        "authorization_response_iss_parameter_supported": true
      }.
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[100]
      Start processing HTTP request GET http://127.0.0.1:7500/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[100]
      Sending HTTP request GET http://127.0.0.1:7500/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[101]
      Received HTTP response headers after 52.9523ms - 200
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[101]
      End processing HTTP request after 60.1832ms - 200
info: OpenIddict.Client.OpenIddictClientDispatcher[6188]
      The JSON Web Key Set request was successfully sent to http://127.0.0.1:7500/.well-known/jwks: {}.
info: OpenIddict.Client.OpenIddictClientDispatcher[6189]
      The JSON Web Key Set response returned by http://127.0.0.1:7500/.well-known/jwks was successfully extracted: {
        "keys": [
          {
            "kid": "8330C593B900DA62C8D806974F986B60FD6D9DFE",
            "use": "sig",
            "kty": "RSA",
            "alg": "RS256",
            "e": "AQAB",
            "n": "0gOvSR2kh4ImnEaqajjKKMTFPPOHHTakacIvUN9x41xIwLbSnSptNL-RCt4X9Br7e9uHf4UW1ch0t9BEeJe_kbQ9zDvs6SWeoBpW--lIdVrWAF0Wg9ujjcjJmssErktzLfNB28e4Z1L9f2tE6cP9zajyk-Qmhyhgp1QF86EqGKAmua3qYzcSbJPk_vR8w_Hvf_Mgl26x0Jtq0KczytU7Z9Yd4P2x3Onk5x4xFgm-6SnU4QzEiKD7qqlswJZsl3LwzMs5z-h3RmPy_d7SKcK464B3XmBSlVTZfru-mDx2vobh7UjX3TYgeOlza4fw_oNJz65tswriS9Jhil-VzwUJmQ",
            "x5t": "gzDFk7kA2mLI2AaXT5hrYP1tnf4",
            "x5c": [
              "MIIC9TCCAd2gAwIBAgIJANYamlcNLySaMA0GCSqGSIb3DQEBCwUAMDAxLjAsBgNVBAMTJU9wZW5JZGRpY3QgU2VydmVyIFNpZ25pbmcgQ2VydGlmaWNhdGUwHhcNMjUwNzMwMjM0MjQzWhcNMjcwNzMwMjM0MjQzWjAwMS4wLAYDVQQDEyVPcGVuSWRkaWN0IFNlcnZlciBTaWduaW5nIENlcnRpZmljYXRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0gOvSR2kh4ImnEaqajjKKMTFPPOHHTakacIvUN9x41xIwLbSnSptNL+RCt4X9Br7e9uHf4UW1ch0t9BEeJe/kbQ9zDvs6SWeoBpW++lIdVrWAF0Wg9ujjcjJmssErktzLfNB28e4Z1L9f2tE6cP9zajyk+Qmhyhgp1QF86EqGKAmua3qYzcSbJPk/vR8w/Hvf/Mgl26x0Jtq0KczytU7Z9Yd4P2x3Onk5x4xFgm+6SnU4QzEiKD7qqlswJZsl3LwzMs5z+h3RmPy/d7SKcK464B3XmBSlVTZfru+mDx2vobh7UjX3TYgeOlza4fw/oNJz65tswriS9Jhil+VzwUJmQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCB4AwDQYJKoZIhvcNAQELBQADggEBALQ7z1jfPotlamRiRBMSM1UamKTRwCzrdj8IMGeu5yPQNUs/95lNZVA2Pc2FhBbVempf//GoPpbfPHWI2/A601N3NkXAwTXFI/rWKQEvt+AqMVxp4SvsLWKZLbjepjnEIFcNaxoTCjnqrRN8ncpTjqYtwWFPh+vh9IAwE0PUnwQTXnZdt6ONPkcpaXo8Z8LPtV6RLx9sTu1BTiuZVTYeyj9AC15q/eSjm5S+3KYknaS/hErpsJvGk7Sqawhw6j+OwrE6Ad3dDPRC4s7QPiZIzdeAbyMOhuS9ERufy12zr2w4Z7LXgo9cI7e5nkXEQVmNfUDqk0UfS7b+oRhkEkkB6sk="
            ]
          }
        ]
      }.
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[100]
      Start processing HTTP request POST http://127.0.0.1:7500/connect/token
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[100]
      Sending HTTP request POST http://127.0.0.1:7500/connect/token
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.ClientHandler[101]
      Received HTTP response headers after 3500.1708ms - 200
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationId2WZhn8huWp-UnySjDOrqPNXK-I0-fhRHG19JoWwL-7o.LogicalHandler[101]
      End processing HTTP request after 3508.3333ms - 200
info: OpenIddict.Client.OpenIddictClientDispatcher[6192]
      The token request was successfully sent to http://127.0.0.1:7500/connect/token: {
        "grant_type": "client_credentials",
        "client_id": "newUser",
        "client_secret": "[redacted]"
      }.
info: OpenIddict.Client.OpenIddictClientDispatcher[6193]
      The token response returned by http://127.0.0.1:7500/connect/token was successfully extracted: {
        "access_token": "[redacted]",
        "token_type": "Bearer",
        "expires_in": 3599
      }.

####################################

Running Localhost client via Apache Proxy to Localhost Server (Fails on .well-know/jwks) retrieval

Server Config (part)

// Register the OpenIddict server components.
.AddServer(options =>
{
	// Enable the token endpoint.
	options.SetIssuer(new Uri("https://single.mindfields.space/oidc"));
	
	options.SetTokenEndpointUris(new Uri("https://single.mindfields.space/oidc/connect/token"));

	options.SetJsonWebKeySetEndpointUris(new Uri("https://single.mindfields.space/oidc/.well-known/jwks"));

	// Enable the client credentials flow.
	options.AllowClientCredentialsFlow();

	// Register the signing and encryption credentials.
	options.AddDevelopmentEncryptionCertificate();
	options.AddDevelopmentSigningCertificate();

	// Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
	options.UseAspNetCore().DisableTransportSecurityRequirement();
	options.UseAspNetCore()
		   .EnableTokenEndpointPassthrough();
})

// Register the OpenIddict validation components.
.AddValidation(options =>
{
	// Import the configuration from the local OpenIddict server instance.
	options.UseLocalServer();
	
	// Register the ASP.NET Core host.
	options.UseAspNetCore();

});

Server Run

[10:36:18 INF] Initiating oidc test application
info: Quartz.Core.SchedulerSignalerImpl[0]
      Initialized Scheduler Signaller of type: Quartz.Core.SchedulerSignalerImpl
info: Quartz.Core.QuartzScheduler[0]
      Quartz Scheduler created
info: Quartz.Core.QuartzScheduler[0]
      JobFactory set to: Quartz.Simpl.MicrosoftDependencyInjectionJobFactory
info: Quartz.Simpl.RAMJobStore[0]
      RAMJobStore initialized.
info: Quartz.Impl.StdSchedulerFactory[0]
      Quartz Scheduler 3.14.0.0 - 'QuartzScheduler' with instanceId 'NON_CLUSTERED' initialized
info: Quartz.Impl.StdSchedulerFactory[0]
      Using thread pool 'Quartz.Simpl.DefaultThreadPool', size: 10
info: Quartz.Impl.StdSchedulerFactory[0]
      Using job store 'Quartz.Simpl.RAMJobStore', supports persistence: False, clustered: False
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://127.0.0.1:7500
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Production
info: Quartz.Core.QuartzScheduler[0]
      Scheduler QuartzScheduler_$_NON_CLUSTERED started.
info: OpenIddict.Server.OpenIddictServerDispatcher[6053]
      The request URI matched a server endpoint: Configuration.
info: OpenIddict.Server.OpenIddictServerDispatcher[6066]
      The configuration request was successfully extracted: {}.
info: OpenIddict.Server.OpenIddictServerDispatcher[6067]
      The configuration request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[6142]
      The response was successfully returned as a JSON document: {
        "issuer": "https://single.mindfields.space/oidc",
        "token_endpoint": "https://single.mindfields.space/oidc/connect/token",
        "jwks_uri": "https://single.mindfields.space/oidc/.well-known/jwks",
        "grant_types_supported": [
          "client_credentials"
        ],
        "scopes_supported": [
          "openid"
        ],
        "claims_supported": [
          "aud",
          "exp",
          "iat",
          "iss",
          "sub"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "subject_types_supported": [
          "public"
        ],
        "prompt_values_supported": [
          "consent",
          "login",
          "none",
          "select_account"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "private_key_jwt",
          "client_secret_basic"
        ],
        "require_pushed_authorization_requests": false,
        "claims_parameter_supported": false,
        "request_parameter_supported": false,
        "request_uri_parameter_supported": false,
        "tls_client_certificate_bound_access_tokens": false,
        "authorization_response_iss_parameter_supported": true
      }.

Client

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5013
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.LogicalHandler[100]
      Start processing HTTP request GET https://single.mindfields.space/oidc/.well-known/openid-configuration
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/openid-configuration
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 336.4774ms - 200
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.LogicalHandler[101]
      End processing HTTP request after 403.473ms - 200
info: OpenIddict.Client.OpenIddictClientDispatcher[6186]
      The configuration request was successfully sent to https://single.mindfields.space/oidc/.well-known/openid-configuration: {}.
info: OpenIddict.Client.OpenIddictClientDispatcher[6187]
      The configuration response returned by https://single.mindfields.space/oidc/.well-known/openid-configuration was successfully extracted: {
        "issuer": "https://single.mindfields.space/oidc",
        "token_endpoint": "https://single.mindfields.space/oidc/connect/token",
        "jwks_uri": "https://single.mindfields.space/oidc/.well-known/jwks",
        "grant_types_supported": [
          "client_credentials"
        ],
        "scopes_supported": [
          "openid"
        ],
        "claims_supported": [
          "aud",
          "exp",
          "iat",
          "iss",
          "sub"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "subject_types_supported": [
          "public"
        ],
        "prompt_values_supported": [
          "consent",
          "login",
          "none",
          "select_account"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_post",
          "private_key_jwt",
          "client_secret_basic"
        ],
        "require_pushed_authorization_requests": false,
        "claims_parameter_supported": false,
        "request_parameter_supported": false,
        "request_uri_parameter_supported": false,
        "tls_client_certificate_bound_access_tokens": false,
        "authorization_response_iss_parameter_supported": true
      }.
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.LogicalHandler[100]
      Start processing HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 59.4484ms - 404
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 5.8375ms - 404
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 3.2745ms - 404
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 3.646ms - 404
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[100]
      Sending HTTP request GET https://single.mindfields.space/oidc/.well-known/jwks
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.ClientHandler[101]
      Received HTTP response headers after 27.1826ms - 404
info: System.Net.Http.HttpClient.OpenIddict.Client.SystemNetHttp:RegistrationIdikMWMqU2xvZ7o0WRG4ZjMDZYSWtLZ7hvPtyrS6n2BBE.LogicalHandler[101]
      End processing HTTP request after 15176.736ms - 404
info: OpenIddict.Client.OpenIddictClientDispatcher[6188]
      The JSON Web Key Set request was successfully sent to https://single.mindfields.space/oidc/.well-known/jwks: {}.
fail: OpenIddict.Client.OpenIddictClientDispatcher[6184]
      A generic NotFound response was returned by the remote HTTP server: .
fail: OpenIddict.Client.OpenIddictClientDispatcher[6219]
      An error occurred while retrieving the configuration of the remote authorization server.
      System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://single.mindfields.space/oidc/.well-known/openid-configuration'. Will retry at '1/01/0001 12:00:00 AM +00:00'. Exception: 'OpenIddict.Abstractions.OpenIddictExceptions+ProtocolException: An error occurred while extracting the JSON Web Key Set response.
        Error: server_error
        Error description: A generic 404 error was returned by the remote authorization server.
        Error URI: https://documentation.openiddict.com/errors/ID2161
         at OpenIddict.Client.OpenIddictClientService.<>c__DisplayClass22_0.<<GetSecurityKeysAsync>g__ExtractJsonWebKeySetResponseAsync|2>d.MoveNext()
      --- End of stack trace from previous location ---
         at OpenIddict.Client.OpenIddictClientService.GetSecurityKeysAsync(OpenIddictClientRegistration registration, Uri uri, CancellationToken cancellationToken)
         at OpenIddict.Client.OpenIddictClientService.GetSecurityKeysAsync(OpenIddictClientRegistration registration, Uri uri, CancellationToken cancellationToken)
         at OpenIddict.Client.OpenIddictClientRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<OpenIddict.Abstractions.OpenIddictConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationNonBlockingAsync(CancellationToken cancel)'.
       ---> OpenIddict.Abstractions.OpenIddictExceptions+ProtocolException: An error occurred while extracting the JSON Web Key Set response.
        Error: server_error
        Error description: A generic 404 error was returned by the remote authorization server.
        Error URI: https://documentation.openiddict.com/errors/ID2161
         at OpenIddict.Client.OpenIddictClientService.<>c__DisplayClass22_0.<<GetSecurityKeysAsync>g__ExtractJsonWebKeySetResponseAsync|2>d.MoveNext()
      --- End of stack trace from previous location ---
         at OpenIddict.Client.OpenIddictClientService.GetSecurityKeysAsync(OpenIddictClientRegistration registration, Uri uri, CancellationToken cancellationToken)
         at OpenIddict.Client.OpenIddictClientService.GetSecurityKeysAsync(OpenIddictClientRegistration registration, Uri uri, CancellationToken cancellationToken)
         at OpenIddict.Client.OpenIddictClientRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<OpenIddict.Abstractions.OpenIddictConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationNonBlockingAsync(CancellationToken cancel)
         --- End of inner exception stack trace ---
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationNonBlockingAsync(CancellationToken cancel)
         at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)
         at OpenIddict.Client.OpenIddictClientHandlers.ResolveClientRegistrationFromAuthenticationContext.HandleAsync(ProcessAuthenticationContext context)

Even attempting to run from browser to access:

https://single.mindfields.space/oidc/.well-known/jwks
or
http://locahost:7500/.well-known/jwks

both fail.

################################

Thanks for your help

[kevinchalet]

Hey,

The issue you describe is always the sign either the reverse proxy wasn't correctly configured to flow the original protocol/headers (typically, the Host header) or the ASP.NET Core application wasn't correctly configured to resolve and restore these artifacts.

This documentation page should tell you everything you need to know to fix that in Apache and ASP.NET Core, but if it still doesn't work, consider sharing your Apache and ASP.NET Core forwarded headers settings and I'll take a look.

Cheers.

[mindfieldspace]

Hey Kevin,
Thanks very much for getting back so fast.

I added the required Forwarder code

builder.Services.Configure(options =>
{
options.ForwardedHeaders =
ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
});

and

app.UseForwardedHeaders();

Apache proxy sends by default X-Forwarded-For and X-Forwarded-Host and X-Forwarded-Server and I added X-Forwarded-Proto into the configuration and checked with Wireshark that it was all good.

However it still cannot find (404) the ./well-known-jwks configuration.

Since both https://single.mindfields.space/oidc/.well-known/openid-configuration and https://single.mindfields.space/oidc/.well-known/jwks are both GET requests

I started the server and can manually from a browser retrieve https://single.mindfields.space/oidc/.well-known/openid-configuration which shows the correct response.

However when from the browser I request https://single.mindfields.space/oidc/.well-known/jwks I get 404.

If I remove options.SetJsonWebKeySetEndpointUris(new Uri("https://single.mindfields.space/oidc/.well-known/jwks")); from the OpenIddict configuration and run the server then I can access both of them. That is https://single.mindfields.space/oidc/.well-known/jwks returns the correct response and since I'm running both on the same box I can also access http://127.0.0.1:7500/.well-known/jwks and get the same response.

The issue with not having SetJsonWebKeySetEndpointUris is that the returned configuration shows it as http://127.0.0.1:7500/.well-known/jwks.

So it seems that when SetJsonWebKeySetEndpointUris is configured the server does not appear to respond correctly.

[kevinchalet]

Hey,

Thanks very much for getting back so fast.

My pleasure 😃

The issue with not having SetJsonWebKeySetEndpointUris is that the returned configuration shows it as http://127.0.0.1:7500/.well-known/jwks.

Unfortunately, this indicates that your ASP.NET Core forwarded headers configuration isn't correct, as neither the original protocol/scheme (http vs https) nor the host (127.0.0.1:7500 vs single.mindfields.space) are properly restored by the forwarded headers middleware (OpenIddict generates URLs using the HttpRequest.Scheme/HttpRequest.Host values, so if they are not correct, the returned URLs won't be what you expect).

You can confirm that by adding a middleware or a minimal API that reflects these values:

app.MapGet("/test", (HttpRequest request) => Results.Text(string.Format("Scheme: {0} ; Host: {1}", request.Scheme, request.Host)));

[ilmax]

@mindfieldspace make sure you configure the forwarded headers middleware correctly, i.e. make sure you add this:

options.KnownProxies.Add(IPAddress.Parse("127.0.10.1")); // or whatever the IP of your ngix proxy is

AFAIK it's an opt-in mechanism and if you don't add the reverse proxy IP, it won't overwrite any header hence everything in your application that generates URI won't work as it should.

[mindfieldspace]

Hi kevin and ilmax,

I added the "test" minial API call and also added HttpLogging.

I added:

options.KnownProxies.Add(IPAddress.Parse("10.1.1.183"));

builder.Services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.KnownProxies.Add(IPAddress.Parse("10.1.1.183"));
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedHost | ForwardedHeaders.XForwardedProto;
        });
        
        builder.Services.AddHttpLogging(options =>
        {
            options.LoggingFields = HttpLoggingFields.Request | HttpLoggingFields.Response| 
                                    HttpLoggingFields.RequestBody | HttpLoggingFields.ResponseBody;
            options.RequestHeaders.Add("X-Forwarded-Proto");
            options.RequestHeaders.Add("X-Forwarded-For");
            options.RequestHeaders.Add("X-Forwarded-Host");
            options.RequestHeaders.Add("X-Forwarded-Server");
            options.RequestBodyLogLimit = 4096;
            options.ResponseBodyLogLimit = 4096;
            options.CombineLogs = true;
        });

Test looks correct,
/.well-kown/openid-configuration does not seem to go through HttpLogging
and the the call to /.well-known/jwks failed with 404 as before.

Log output of the 3 calls follows:

2025-10-13 09:24:12.523 +11:00 [INF] calling app.Run
2025-10-13 09:24:12.715 +11:00 [INF] Now listening on: http://127.0.0.1:7500
2025-10-13 09:24:12.720 +11:00 [INF] Hosting environment: Production
2025-10-13 09:25:01.233 +11:00 [INF] Request starting HTTP/1.1 GET http://127.0.0.1:7500/test - null null
2025-10-13 09:25:02.606 +11:00 [INF] Executing endpoint 'HTTP: GET /test'
2025-10-13 09:25:02.617 +11:00 [INF] Write content with HTTP Response ContentType of text/plain; charset=utf-8
2025-10-13 09:25:02.632 +11:00 [INF] Executed endpoint 'HTTP: GET /test'
2025-10-13 09:25:02.637 +11:00 [INF] Request and Response:
Protocol: HTTP/1.1
Method: GET
Scheme: http
PathBase: 
Path: /test
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1:7500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.5
Upgrade-Insecure-Requests: [Redacted]
Sec-Fetch-Dest: [Redacted]
Sec-Fetch-Mode: [Redacted]
Sec-Fetch-Site: [Redacted]
Sec-Fetch-User: [Redacted]
Priority: [Redacted]
X-Forwarded-Proto: https
X-Forwarded-For: 10.1.1.183
X-Forwarded-Host: single.mindfields.space
X-Forwarded-Server: single.mindfields.space
StatusCode: 200
Content-Type: text/plain; charset=utf-8
Content-Length: 45
ResponseBody: Scheme: https ; Host: single.mindfields.space
2025-10-13 09:25:02.640 +11:00 [INF] Request finished HTTP/1.1 GET https://single.mindfields.space/test - 200 45 text/plain; charset=utf-8 1408.3992ms
2025-10-13 09:25:08.568 +11:00 [INF] Request starting HTTP/1.1 GET http://127.0.0.1:7500/.well-known/openid-configuration - null null
2025-10-13 09:25:08.577 +11:00 [INF] The request URI matched a server endpoint: "Configuration".
2025-10-13 09:25:08.593 +11:00 [INF] The configuration request was successfully extracted: {}.
2025-10-13 09:25:08.594 +11:00 [INF] The configuration request was successfully validated.
2025-10-13 09:25:08.623 +11:00 [INF] The response was successfully returned as a JSON document: {
  "issuer": "https://single.mindfields.space/oidc",
  "token_endpoint": "https://single.mindfields.space/oidc/connect/token",
  "jwks_uri": "https://single.mindfields.space/oidc/.well-known/jwks",
  "grant_types_supported": [
    "client_credentials"
  ],
  "scopes_supported": [
    "openid"
  ],
  "claims_supported": [
    "aud",
    "exp",
    "iat",
    "iss",
    "sub"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "prompt_values_supported": [
    "consent",
    "login",
    "none",
    "select_account"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "private_key_jwt",
    "client_secret_basic"
  ],
  "require_pushed_authorization_requests": false,
  "claims_parameter_supported": false,
  "request_parameter_supported": false,
  "request_uri_parameter_supported": false,
  "tls_client_certificate_bound_access_tokens": false,
  "authorization_response_iss_parameter_supported": true
}.
2025-10-13 09:25:08.625 +11:00 [INF] Request finished HTTP/1.1 GET http://127.0.0.1:7500/.well-known/openid-configuration - 200 1042 application/json;charset=UTF-8 59.1844ms
2025-10-13 09:25:14.855 +11:00 [INF] Request starting HTTP/1.1 GET http://127.0.0.1:7500/.well-known/jwks - null null
2025-10-13 09:25:14.861 +11:00 [INF] Request and Response:
Protocol: HTTP/1.1
Method: GET
Scheme: http
PathBase: 
Path: /.well-known/jwks
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Connection: keep-alive
Host: 127.0.0.1:7500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.5
Upgrade-Insecure-Requests: [Redacted]
Sec-Fetch-Dest: [Redacted]
Sec-Fetch-Mode: [Redacted]
Sec-Fetch-Site: [Redacted]
Sec-Fetch-User: [Redacted]
Priority: [Redacted]
X-Forwarded-Proto: https
X-Forwarded-For: 10.1.1.183
X-Forwarded-Host: single.mindfields.space
X-Forwarded-Server: single.mindfields.space
StatusCode: 404
2025-10-13 09:25:14.862 +11:00 [INF] Request finished HTTP/1.1 GET https://single.mindfields.space/.well-known/jwks - 404 0 null 6.101ms
2025-10-13 09:25:14.862 +11:00 [INF] Request reached the end of the middleware pipeline without being handled by application code. Request path: GET https://single.mindfields.space/.well-known/jwks, Response status code: 404

[kevinchalet]

AFAICT, you configured the JWKS endpoint to accept HTTP requests sent to https://single.mindfields.space/oidc/.well-known/jwks but you're actually sending the request to https://single.mindfields.space/.well-known/jwks, which is a completely different endpoint, hence the 404 response.

Note: in general, you'll want to use relative URIs to configure the endpoints, not absolute URIs (absolute URIs can be useful to move the userinfo endpoint to a separate domain, but it's an advanced scenario).