Bearer error="invalid_token", error_description="The issuer is invalid"

Question

I have a simple web api project, which looks like this:

[Authorize]
        [Route("Get")]
        public ActionResult<string> SayHello()
        {
            return "Hello World";
        }

I am trying to test it with Postman. By following the steps here: https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-testing-your-authorization-server-with-postman/

1) Send the request below and receive a token as expected:

2) Attempt to send another request with the authorization token as shown below:

Why do I get a 401 (unauthorized) error? The WWW-Authenticate response header says: Bearer error="invalid_token", error_description="The issuer is invalid". I am using .Net Core 3.1. I have commented out the sensitive information in the screenshots.

The web api works as expected when accessed from an MVC application.

Here is the startup code:

services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    options.Authority = identityUrl; //identityurl is a config item
                    options.RequireHttpsMetadata = false;
                    options.ApiName = apiName;

                });

Answer 1

I ran into a similar issue. I was generating my token via Postman when sending in my request and using an external IP to access my Keycloak instance running inside of my kubernetes cluster. When my service inside the cluster tried to verify the token against the authority, it failed because the internal service name (http://keycloak) it used to validated the token was different than what Postman had used to generate the token (<external-keycloak-ip).

Since this was just for testing, I set the ValidateIssuer to false.

options.TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuer = false 
};

Answer 2

I'm on dotnet 5.0, adding swagger (NSwag.AspNetCore) to my AzureAD "protected" web api and got a similar error about invalid issuer:

 date: Tue,16 Mar 2021 22:50:58 GMT 
 server: Microsoft-IIS/10.0 
 www-authenticate: Bearer error="invalid_token",error_description="The issuer 'https://sts.windows.net/<your-tenant-id>/' is invalid" 
 x-powered-by: ASP.NET 

So, instead of not validating the issuer, I just added sts.windows.net to the list (important parts in the end):

// Enable JWT Bearer Authentication
services.AddAuthentication(sharedOptions =>
{
    sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
    Configuration.Bind("AzureAd", options);
    // Authority will be Your AzureAd Instance and Tenant Id
    options.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/v2.0";

    // The valid audiences are both the Client ID(options.Audience) and api://{ClientID}
    options.TokenValidationParameters.ValidAudiences = new[]
    {
        Configuration["AzureAd:ClientId"], $"api://{Configuration["AzureAd:ClientId"]}",

    };
    // Valid issuers here:
    options.TokenValidationParameters.ValidIssuers = new[]
    {
        $"https://sts.windows.net/{Configuration["AzureAd:TenantId"]}/",
        $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/"
    };
});

This solved my problems. Now, why NSwag uses sts.windows.net as token issuer, I don't know. Seems wrong. I'm using these package versions:

    <PackageReference Include="Microsoft.AspNetCore.Authentication" Version="2.2.0" />
    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.3" />
    <PackageReference Include="NSwag.AspNetCore" Version="13.10.8" />