Error Code IOException IDX20807, InvalidOperationException: IDX20803

language : C#, .net Core 7
Visual Studio 2022
example : samples-aspnetcore-7x → okta-hosted-login

In ‘App Settings.json’, I changed the OKTA domain to the OKTA domain in service and added the client ID and password.
Then I ran Debug and clicked the Sign in button, but the following error occurred.
If you know the solution, please share.

  • IOException: IDX20807: Unable to retrieve document from: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’. HttpResponseMessage: ‘[PII of type ‘System.Net.Http.HttpResponseMessage’ is hidden. For more details, see Bing]’, HttpResponseMessage.Content: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’.

    • Microsoft.IdentityModel.Protocols.HttpDocumentRetriever.GetDocumentAsync(string address, CancellationToken cancel)

    • Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(string address, IDocumentRetriever retriever, CancellationToken cancel)

    • Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)

  • InvalidOperationException: IDX20803: Unable to obtain configuration from: ‘[PII of type ‘System.String’ is hidden. For more details, see Bing]’.

    • Microsoft.IdentityModel.Protocols.ConfigurationManager.GetConfigurationAsync(CancellationToken cancel)

    • Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsyncInternal(AuthenticationProperties properties)

    • Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleChallengeAsync(AuthenticationProperties properties)

    • Microsoft.AspNetCore.Authentication.AuthenticationHandler.ChallengeAsync(AuthenticationProperties properties)

    • Microsoft.AspNetCore.Authentication.AuthenticationService.ChallengeAsync(HttpContext context, string scheme, AuthenticationProperties properties)

    • Microsoft.AspNetCore.Mvc.ChallengeResult.ExecuteResultAsync(ActionContext context)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|30_0<TFilter, TFilterAsync>(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResultExecutedContextSealed context)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.ResultNext<TFilter, TFilterAsync>(ref State next, ref Scope scope, ref object state, ref bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|28_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Rethrow(ResourceExecutedContextSealed context)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.Next(ref State next, ref Scope scope, ref object state, ref bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|20_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, object state, bool isCompleted)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)

    • Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|17_0(ResourceInvoker invoker, Task task, IDisposable scope)

    • Microsoft.AspNetCore.Routing.EndpointMiddleware.g__AwaitRequestTask|6_0(Endpoint endpoint, Task requestTask, ILogger logger)

    • Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)

    • Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)

    • Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

Which endpoint does it think is being hit here?

This looks like the error you would receive if you try to have our .NET SDK use a Custom Authorization Server (such as the one named Default, which it will try to use automatically) but your Okta Org lacks the necessary license to use such a server.

In which case, you should be able to resolve the error by setting the AuthorizationServerId to string.Empty, as stated in our documentation here: https://github.com/okta/okta-aspnet/blob/master/docs/aspnetcore-mvc.md#configuration-reference. This will ensure it tries to use the Org Authorization Server instead, which does not require an additional license.

Could this problem be caused by a firewall or network blocking?

I’m in development at a company. I’ve set it to allow all outgoing traffic, but if the firewall blocks the incoming connection, could this error occur?

This should be outgoing traffic, but it could be getting blocked.

When I’ve seen this before, the error was related to the SDK/OWIN attempting to reach the discovery/metadata endpoint for the authorization server to collect all its endpoints (so it can start making OAuth requests), so this is going to be the first request made to Okta to log a user in.

Does the same error reproduce if you test this outside of your company’s network?

The same error occurred when testing outside the company.

Can you tell which exact URL the library is trying and failing to make a request to?

What do you have configured as the AuthorizationServerID for your application, or are you using the default configuration for okta-aspnet, which is to use the “Default” Authorization Server (see docs)?

If you haven’t set your own AuthorizationServerId in the OktaMvcOptions, it will try to use the Default Authorization Server, whether or not your Okta org is licensed to use this server. If your org lacks the API Access Management license, you can try changing this value to string.Empty. If you do so, do you still see this error?
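
Added example (not from any poster in this thread and not part of okta-aspnet): a small .NET console probe that requests the discovery document for the configured AuthorizationServerId and for the Org Authorization Server, and separates "no HTTP response" (network or firewall) from "HTTP error" (the server refuses to serve metadata). It assumes Okta's documented URL layout, where custom servers sit under `/oauth2/{id}`, and `https://example.okta.com` is a placeholder domain.

```csharp
// Added diagnostic. Run: dotnet run -- https://<your-okta-domain> default
using System;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;

// Placeholder defaults (constructed); pass your own values as arguments.
string oktaDomain = args.Length > 0 ? args[0] : "https://example.okta.com";
string configuredId = args.Length > 1 ? args[1] : "default";

using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };

// Probe the configured server first, then the Org Authorization Server (empty id).
foreach (var id in new[] { configuredId, string.Empty }.Distinct())
{
    string label = id.Length == 0 ? "org" : id;
    string url = DiscoveryUrl(oktaDomain, id);
    Console.WriteLine($"[{label}] {url} -> {await ProbeAsync(http, url)}");
}

// Assumed layout: {domain}/oauth2/{id}/.well-known/openid-configuration for a
// custom server, {domain}/.well-known/openid-configuration for the org server.
static string DiscoveryUrl(string domain, string authorizationServerId)
{
    if (!Uri.TryCreate(domain, UriKind.Absolute, out var uri) || uri.Scheme != Uri.UriSchemeHttps)
        throw new ArgumentException("Okta domain must be an absolute https:// URL", nameof(domain));
    string issuer = uri.GetLeftPart(UriPartial.Authority);
    if (!string.IsNullOrEmpty(authorizationServerId))
        issuer += "/oauth2/" + Uri.EscapeDataString(authorizationServerId);
    return issuer + "/.well-known/openid-configuration";
}

static async Task<string> ProbeAsync(HttpClient http, string url)
{
    try
    {
        using var response = await http.GetAsync(url);
        return response.IsSuccessStatusCode
            ? "OK: discovery document returned"
            : $"HTTP {(int)response.StatusCode}: host reachable, but no metadata served at this URL";
    }
    catch (HttpRequestException ex)
    {
        // No response at all: DNS failure, TLS failure, proxy or firewall.
        return $"no HTTP response: {ex.Message}";
    }
    catch (TaskCanceledException)
    {
        return "timed out (request possibly dropped in transit)";
    }
}
```

To see the hidden URL in the exception itself, set `Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true` at startup. Keep that setting to development builds, since it writes sensitive values into error messages and logs.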