How to disable ssl certificate validation upon OpenId connect in .Net Core 3.1?

只谈情不闲聊 posted on 2021-02-05 09:01:52

Question


I'm trying to connect in a development environment to an OpenID authority with its IP address. Obviously in this scenario the SSL validation will fail. I'd like to bypass it, without any luck so far. I've found the following answers regarding this topic:

  • Setting the RequireHttpsMetadata to false in the OpenIdConnectOptions class.
  • Using the code below:

ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) => true;

When my app tries to access the OIDC authority I receive the same error:

An unhandled exception occurred while processing the request. AuthenticationException: The remote certificate is invalid according to the validation procedure. System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)

HttpRequestException: The SSL connection could not be established, see inner exception. System.Net.Http.ConnectHelper.EstablishSslConnectionAsyncCore(Stream stream, SslClientAuthenticationOptions sslOptions, CancellationToken cancellationToken)

IOException: IDX20804: Unable to retrieve document from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://172.11.0.11:1111/MY_APP/.well-known/openid-configuration'. Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)


Answer 1:


Warning: only use this during development. You need a custom certificate validation routine for your production platform if appropriate.

You might have overridden the wrong HttpClientHandler. Back-channel HttpClient for OpenId Connect can be overridden here:

services
    .AddAuthentication(options =>
    {
        // ...
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // ...
        // Development only: this back-channel handler accepts any server certificate.
        HttpClientHandler handler = new HttpClientHandler();
        handler.ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        options.BackchannelHttpHandler = handler;
    });
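
A narrower form of the "custom certificate validation routine" the warning mentions, as an added example that is not part of the original answer: the back-channel handler keeps default validation outside development, and in development accepts a failing certificate only when it matches one pinned thumbprint. The class name `DevBackchannel`, the `isDevelopment` flag and the placeholder thumbprint are assumptions for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper (not from the original post).
public static class DevBackchannel
{
    // Placeholder: SHA-256 thumbprint (hex) of your own development certificate.
    // With the placeholder left in, no certificate matches and validation fails closed.
    private const string PinnedSha256 = "<SHA256-THUMBPRINT-OF-DEV-CERT>";

    public static HttpClientHandler Create(bool isDevelopment)
    {
        var handler = new HttpClientHandler();

        // Outside development, leave the platform's default validation untouched.
        if (!isDevelopment)
            return handler;

        handler.ServerCertificateCustomValidationCallback =
            (request, cert, chain, errors) => Validate(cert, errors, PinnedSha256);
        return handler;
    }

    public static bool Validate(X509Certificate2 cert, SslPolicyErrors errors, string pinnedSha256)
    {
        // The certificate already passed normal chain and name checks.
        if (errors == SslPolicyErrors.None)
            return true;

        if (cert == null)
            return false;

        // Tolerate name-mismatch or untrusted-chain errors only for the pinned certificate.
        string actual = cert.GetCertHashString(HashAlgorithmName.SHA256);
        return string.Equals(actual, pinnedSha256, StringComparison.OrdinalIgnoreCase);
    }
}

// Usage inside AddOpenIdConnect (env is an assumed IWebHostEnvironment instance):
//     options.BackchannelHttpHandler = DevBackchannel.Create(env.IsDevelopment());
```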


Source: https://stackoverflow.com/questions/62990470/how-to-disable-ssl-certificate-validation-upon-openid-connect-in-net-core-3-1
