IdentityServer4 AddLocalApiAuthentication not using the right issuer uri when hosting behind reverse

Time:09-24

I am hosting IdentityServer behind a reverse proxy on a subpath of the root URL (example.com/subpath). For external APIs behind the same proxy (example.com/apisubpath) token validation is working correctly.

Now I added an api on the same service that hosts IdentityServer as documented in Adding more API endpoints.

Requesting a token with the scope IdentityServerApi is working fine, and when testing it in my local dev environment without the reverse proxy I can call the API successfully. Behind the reverse proxy I get an error: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://example.com/subpath'. Did not match: validationParameters.ValidIssuer: 'https://example.com' or validationParameters.ValidIssuers: 'null'.

So it gets the right domain from the request, but it doesn't seem to include the subpath when 'registering' validationParameters.ValidIssuer.

Is there a way to set the validationParameters.ValidIssuer manually or am I doing something else wrong?

Thanks for your help

CodePudding user response:

There are a few ways to get this to work with Identity Server 4:

  • If no explicit Issuer was set on Identity Server, it will inspect the Host header that came with the client request. Otherwise, just explicitly set the Issuer on Identity Server 4:
// This one goes on the Identity Server itself (Startup.ConfigureServices)
services.AddIdentityServer(opts => opts.IssuerUri = "The explicit Url came here!");
  • Don't want to explicitly set the Issuer on the server, but rather let Identity Server figure out the Issuer on its own?
// This one goes on the other services, if they are not the same instance as Identity Server
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = false, // If set to true, the token's "iss" claim is checked against ValidIssuer / ValidIssuers below
        ValidIssuer = "If we just have a single Issuer, set it here",
        ValidIssuers = new []{"Multiple", "Issuer", "Came", "Here"}
    };
});
  • Your current situation is probably that when taking the token out of the server, the request to connect/token has a Host header of https://example.com/subpath, while it should be https://example.com, so just choose whichever of the options above suits you best.
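Worked example added here, not code from the original question or answer: a single IdentityServer4 host with a local API (AddLocalApiAuthentication) published at https://example.com/subpath behind a reverse proxy that strips the "/subpath" prefix and terminates TLS. It shows both of the answer's options side by side: pinning IssuerUri explicitly, and restoring the forwarded scheme/host and path base so that the request-derived issuer comes out right. The hostname, the prefix, the proxy address and the client credentials are assumptions for illustration.

```csharp
// Added example, not from the original post. Host name, "/subpath", proxy address
// and client registration are assumptions.
using System.Net;
using IdentityServer4;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();

        services.AddIdentityServer(options =>
            {
                // Option 1: pin the issuer to the public URL, prefix included. The "iss"
                // claim in every token, the "issuer" in the discovery document and the
                // value the local API validator compares against then all agree,
                // whatever the proxy forwards. LowerCaseIssuerUri defaults to true,
                // so keep the casing consistent with how clients were registered.
                options.IssuerUri = "https://example.com/subpath"; // assumed public URL
            })
            .AddDeveloperSigningCredential()   // development only; use a real key in production
            .AddInMemoryApiScopes(new[]
            {
                // "IdentityServerApi": the scope AddLocalApiAuthentication expects.
                new ApiScope(IdentityServerConstants.LocalApi.ScopeName)
            })
            .AddInMemoryClients(new[]
            {
                new Client
                {
                    ClientId = "local-api-client",                           // assumed
                    ClientSecrets = { new Secret("local-api-secret".Sha256()) }, // assumed
                    AllowedGrantTypes = GrantTypes.ClientCredentials,
                    AllowedScopes = { IdentityServerConstants.LocalApi.ScopeName }
                }
            });

        // Registers the "IdentityServerAccessToken" scheme and policy used by the
        // controller below. Its issuer check resolves the issuer the same way the
        // token endpoint does, so it only passes when both sides see the same URI.
        services.AddLocalApiAuthentication();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Option 2: leave IssuerUri unset and let IdentityServer derive the issuer
        // from the request (scheme + host + PathBase). For that to come out as
        // "https://example.com/subpath" behind the proxy, restore what the proxy
        // removed before UseIdentityServer runs. Doing this even with IssuerUri set
        // is worthwhile, because the endpoint URLs in the discovery document are
        // still built from the request.
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor
                             | ForwardedHeaders.XForwardedProto
                             | ForwardedHeaders.XForwardedHost,
            // Trust X-Forwarded-* only from the proxy itself. Without this, anyone
            // who can reach the app directly can spoof the host and thus the issuer.
            KnownProxies = { IPAddress.Parse("10.0.0.5") }   // assumed proxy address
        });
        app.UsePathBase("/subpath");                          // assumed prefix the proxy strips

        app.UseRouting();
        app.UseIdentityServer();   // also adds the authentication middleware
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Local API hosted in the same process as IdentityServer.
[ApiController]
[Route("localapi")]
[Authorize(IdentityServerConstants.LocalApi.PolicyName)]
public class LocalApiController : ControllerBase
{
    // Echoes the issuer carried by the caller's token, so you can confirm it equals
    // the "issuer" value in /subpath/.well-known/openid-configuration.
    [HttpGet]
    public IActionResult Get() => Ok(new { issuer = User.FindFirst("iss")?.Value });
}
```

To check it: request a token from https://example.com/subpath/connect/token with the client credentials and scope IdentityServerApi, decode it and compare its "iss" claim with the "issuer" field of https://example.com/subpath/.well-known/openid-configuration; if the two differ, the local API call will fail with the IDX10205 error from the question. Then call GET https://example.com/subpath/localapi with the bearer token. Of the two options, the explicit IssuerUri is the safer default because the issuer can no longer be influenced by request headers at all; if you rely on option 2, keep the KnownProxies (or KnownNetworks) restriction so only the real proxy can set X-Forwarded-Host.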