Asp.net core 2.0 RequireHttpsMetadata=false for Development
You need to add JwtBearerOptions.RequireHttpsMetadata to false as ConfigureServices as @kirk Larkin has suggested above.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(options =>
{
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
options.Authority = Configuration["Auth0:Authority"];
options.Audience = Configuration["Auth0:Audience"];
options.RequireHttpsMetadata = false;
});
services.AddMvc();
}
I thought I'd add some code to show how to define a check whether the host environment is in "Development" or not. Which makes your code less prone to vulnerabilities since you won't have to change it before going into production. Hope this helps others searching for this issue as well.
public IConfiguration Configuration { get; }
public IHostingEnvironment HostEnvironment { get; }
public Startup(IConfiguration configuration, IWebHostEnvironment hostEnvironment)
{
Configuration = configuration;
HostEnvironment = hostEnvironment;
}
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(opt =>
{
opt.Audience = Configuration["AAD:ResourceId"];
opt.Authority = $"{Configuration["AAD: Instance"]}{Configuration["AAD:TenantId"]}";
if (HostEnvironment.IsDevelopment())
{ // to make sure this is only used during development
opt.RequireHttpsMetadata = false;
}
});
}
// rest omitted
options.Authority
needs to be a secured connection. Omitting the protocol will default to http, so be sure to explicitly set this url to https. RequireHttpsMetadata=false
should only be used in development scenarios--so you should be checking the hosting env before setting this to false.