Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

InvalidOperationException: The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.

Where do I set this?

I've tried in Startup.ConfigureServices()

if (_hostingEnvironment.IsDevelopment())
    services.AddMvc(opts => opts.RequireHttpsPermanent = false);
Still receive the error.
Also tried to put it in Web.Config just to let me debug locally.
<RequireHttpsMetadata>false</RequireHttpsMetadata>
Neither work. I can't find any documentation from MS on where to set this!
I'm using jwt bearer authentication. 
                You'll want to set JwtBearerOptions.RequireHttpsMetadata (source). If you need more information/an example, I'll post an answer.
– Kirk Larkin
                Aug 28, 2018 at 9:57
                How can I solve this by using HTTPS instead? What URL in particular must be using a secure connection?
– Emanuele Ciriachi
                Jul 5, 2019 at 10:39
You need to add JwtBearerOptions.RequireHttpsMetadata to false as ConfigureServices as @kirk Larkin has suggested above. 
public void ConfigureServices(IServiceCollection services)
            services.AddAuthentication(options =>
                options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            }).AddJwtBearer(options =>
                options.Authority = Configuration["Auth0:Authority"];
                options.Audience = Configuration["Auth0:Audience"];
                options.RequireHttpsMetadata = false;
            services.AddMvc();
                The solution does not suggest setting it to false on Development environment only as requested by OP. Currently it can cause unintended enabling of HTTP in Production too which at worst may create vulnerabilities.
– andruso
                Nov 28, 2019 at 14:02
I thought I'd add some code to show how to define a check whether the host environment is in "Development" or not. Which makes your code less prone to vulnerabilities since you won't have to change it before going into production. Hope this helps others searching for this issue as well.
public IConfiguration Configuration { get; }
public IHostingEnvironment HostEnvironment { get; }
public Startup(IConfiguration configuration, IWebHostEnvironment hostEnvironment)
    Configuration = configuration;
    HostEnvironment = hostEnvironment;
public void ConfigureServices(IServiceCollection services)
    services.AddMvc();
    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(opt =>
               opt.Audience = Configuration["AAD:ResourceId"]; 
               opt.Authority = $"{Configuration["AAD: Instance"]}{Configuration["AAD:TenantId"]}";
               if (HostEnvironment.IsDevelopment())
               {   // to make sure this is only used during development
                   opt.RequireHttpsMetadata = false; 
// rest omitted
        
Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.