RequireHttpsMetadata

sean.feldman · March 19, 2022, 6:27pm

I’m building a Blazor WebAssembly (WASM) application hosted with ASP.NET Core on .NET 6.
In my attempt to deploy to Azure App Service (Windows), I’ve run into an issue with the Auth0 configuration working locally but failing in Azure. The error I’m getting:

{
"type": "https://httpstatuses.com/500",
"title": "Internal Server Error",
"status": 500,
"detail": "The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false."
}

After a quick search online, I’ve found a few posts where JwtBearerOptions.RequireHttpsMetadata (link) was set to false to resolve the issue. Reading the documentation, it states that this should not be done in production:

Gets or sets if HTTPS is required for the metadata address or authority. The default is true. This should be disabled only in development environments.

My question is how to address this issue? Is this something on the Auth0 side or the tenant configuration?

sean.feldman · March 21, 2022, 5:13pm

After carefully reviewing the deployment, I’ve noticed that the appsettings.json values were overriding my Azure App Service Settings. To find that out, I had to add the following line to my Program.cs

IdentityModelEventSource.ShowPII = true; // DO NOT do this

~~This, essentially, has exposed the values that were used and pointed out the issue.~~

After going through more issues, finally can confirm that none of this is needed. The error message is very misleading.

“The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.”

What is says is that MetadataAddress or Authority must use HTTPS. In my case, the setting for Authority was not coming through and the value was null. So rather than throwing an exception saying that Authority is null, this error was coming through.

Conclusion: check that the Audience value is coming through properly and do not set RequireHttpsMetadata to false as documentation states.

dan.woda · March 21, 2022, 5:41pm

Thanks for the update!

Topic		Replies	Views
Securing Blazor WebAssembly Apps Blog Discussions .net , blazor , dotnet , webassembly	202	26994	March 27, 2024
.Net 6 and No 'Access-Control-Allow-Origin' header is present on the requested resource Get Help	3	5496	November 9, 2021
The cookie .AspNetCore.OpenIdConnect.Nonce has set SameSite=None' and must also set 'Secure' Get Help login-experience , new-universal-login-experience	4	2218	June 14, 2024
What is Blazor? A Tutorial on Building Web Apps with Authentication Blog Discussions .net , aspnet-core , net-core , blazor , dotnet	173	24676	May 30, 2024
Cant add app_metadata to accessToken Get Help management-api , client-grants	5	1794	January 9, 2023

RequireHttpsMetadata

Related topics