RequireHttpsMetadata

I’m building a Blazor WebAssembly (WASM) application hosted with ASP.NET Core on .NET 6.
In my attempt to deploy to Azure App Service (Windows), I’ve run into an issue with the Auth0 configuration working locally but failing in Azure. The error I’m getting:

{
"type": "https://httpstatuses.com/500",
"title": "Internal Server Error",
"status": 500,
"detail": "The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false."
}

After a quick search online, I’ve found a few posts where JwtBearerOptions.RequireHttpsMetadata was set to false to resolve the issue. Reading the documentation, it states that this should not be done in production:

Gets or sets if HTTPS is required for the metadata address or authority. The default is true. This should be disabled only in development environments.

My question is how to address this issue? Is this something on the Auth0 side or the tenant configuration?

After carefully reviewing the deployment, I’ve noticed that the appsettings.json values were overriding my Azure App Service Settings. To find that out, I had to add the following line to my Program.cs

IdentityModelEventSource.ShowPII = true; // DO NOT do this

This, essentially, has exposed the values that were used and pointed out the issue.

After going through more issues, I can finally confirm that none of this is needed. The error message is very misleading.

“The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.”

What it says is that MetadataAddress or Authority must use HTTPS. In my case, the setting for Authority was not coming through and the value was null. So rather than throwing an exception saying that Authority is null, this error was coming through.

Conclusion: check that the Audience value is coming through properly and do not set RequireHttpsMetadata to false as documentation states.

2 Likes
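An added example, not part of the original posts: a .NET 6 Program.cs that fails at startup with an explicit message when the authority is missing or not HTTPS, and logs which configuration provider supplied each key (the provider name only, never the value) so that ShowPII is not needed. The key names Auth0:Authority and Auth0:Audience and the helper RequireSetting are assumptions, and the Microsoft.AspNetCore.Authentication.JwtBearer package is assumed to be referenced.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Assumed key names. An App Service application setting named
// Auth0__Authority (double underscore) maps to the key Auth0:Authority.
string authority = RequireSetting(builder.Configuration, "Auth0:Authority");
string audience = RequireSetting(builder.Configuration, "Auth0:Audience");

// Check the scheme here so the failure names the real problem.
if (!Uri.TryCreate(authority, UriKind.Absolute, out var authorityUri) ||
    authorityUri.Scheme != Uri.UriSchemeHttps)
{
    throw new InvalidOperationException(
        "Auth0:Authority must be an absolute https:// URL.");
}

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = authority;
        options.Audience = audience;
        // RequireHttpsMetadata is left at its default (true).
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/", () => "ok").RequireAuthorization();
app.Run();

// Hypothetical helper: returns the value for a key, or throws a clear error
// when it is missing. Logs only the name of the provider that supplied it.
static string RequireSetting(IConfigurationRoot config, string key)
{
    string? value = config[key];
    // Providers are held in registration order; the last one with the key wins.
    string source = config.Providers.Reverse()
        .FirstOrDefault(p => p.TryGet(key, out _))?.ToString() ?? "no provider";
    Console.WriteLine($"[config] {key} supplied by: {source}");
    if (string.IsNullOrWhiteSpace(value))
        throw new InvalidOperationException(
            $"Configuration value '{key}' is missing or empty.");
    return value;
}
```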

Thanks for the update!