I get the error below when performing a GET using IdentityModel's DiscoveryClient as follows:
var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");
Issuer name does not match authority: https://localhost/identityserver
The target URL is an ASP.NET Core web application running on IIS enabled with IdentityServer4. The client application is a classic ASP.NET web application running on the same machine.
Apparently, the GET did manage to retrieve values from the IdentityServer, as evidenced by the contents of discoveryResponse.Raw:
{
"issuer": "https://localhost/identityserver",
"jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
"authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
"token_endpoint": "https://localhost/IdentityServer/connect/token",
"userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
"end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
"check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
"revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
"introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
"frontchannel_logout_supported": true,
"frontchannel_logout_session_supported": true,
"scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
"claims_supported": [],
"grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
"response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
"response_modes_supported": [ "form_post", "query", "fragment" ],
"token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
"subject_types_supported": [ "public" ],
"id_token_signing_alg_values_supported": [ "RS256" ],
"code_challenge_methods_supported": [ "plain", "S256" ]
}
authority: https://localhost/IdentityServer issuer: https://localhost/identityserver
They do not match - it's case sensitive.
In the case when you are unable to change the server code to suit the policy, you can change the policy settings to allow name mismatches.
For example, I am attempting to use DiscoveryClient on the Azure Rest API, and the issuer is https://sts.windows.net/{{ tenant_id }} while the endpoints all start with https://login.microsoft.com/{{ tenant_id }}.
Simply set the fields ValidateIssuerName and ValidateEndpoints to false.
var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);
// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;
var discoResponse = await discoveryClient.GetAsync();
Since this message was posted, the DiscoveryClient class has been deprecated. Here is the new calling syntax:
var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = authority,
        Policy =
        {
            ValidateIssuerName = false,
            ValidateEndpoints = false,
        },
    }
);
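The two policy flags switched off above are the checks that tie the issuer and every advertised endpoint back to the authority you configured; with ValidateEndpoints off, a discovery document that names a token_endpoint on some other host is accepted without complaint. The following is an added example, not IdentityModel's own code or anything from the answers: a small Python re-implementation of those two checks, run against the discovery document quoted in the question and against a constructed Azure AD-style document (made-up tenant id). It shows why the posted authority fails (the mismatch is in the path, which is case-sensitive), why simply lower-casing the authority is not enough on its own, and how allow-listing a second base address (the role IdentityModel's DiscoveryPolicy.AdditionalEndpointBaseAddresses plays) keeps endpoint validation on where disabling it would also let a rogue endpoint through. The folding of scheme and host case is my choice, following RFC 3986; the path is left as-is.

```python
"""Added example (not IdentityModel's code): the issuer and endpoint checks of a
discovery policy, applied to the question's document and a constructed Azure one."""
import json
from urllib.parse import urlsplit, urlunsplit

ENDPOINT_KEYS = ("jwks_uri", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "end_session_endpoint", "check_session_iframe",
                 "revocation_endpoint", "introspection_endpoint")

# The question's document, trimmed to the fields used here (values verbatim).
IDENTITYSERVER_DOC = json.loads("""{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token"
}""")

# Constructed stand-in for the Azure AD case: issuer on sts.windows.net, endpoints on
# login.microsoftonline.com. The tenant id is made up for this example.
TENANT = "8481d2ac-893f-4454-8a3b-a0297d301278"
AZURE_DOC = {
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "jwks_uri": "https://login.microsoftonline.com/common/discovery/keys",
    "authorization_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://login.microsoftonline.com/{TENANT}/oauth2/token",
}

# Constructed tampered document: same issuer, token endpoint moved to another host.
ROGUE_DOC = dict(IDENTITYSERVER_DOC, token_endpoint="https://evil.example/connect/token")


def normalize(url: str) -> str:
    """Fold only scheme and host (case-insensitive per RFC 3986) and drop a trailing
    slash; the path keeps its case, so 'IdentityServer' != 'identityserver'."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), p.query, ""))


def bad_endpoints(doc: dict, authority: str, additional_base_addresses=()) -> list:
    """Endpoint keys whose URL is not under the authority or an allow-listed base
    address (what DiscoveryPolicy.AdditionalEndpointBaseAddresses is for)."""
    allowed = [normalize(a) for a in (authority, *additional_base_addresses)]
    bad = []
    for key in ENDPOINT_KEYS:
        if key in doc:
            url = normalize(doc[key])
            if not any(url == a or url.startswith(a + "/") for a in allowed):
                bad.append(key)
    return bad


def check_discovery(doc: dict, authority: str, *, validate_issuer_name=True,
                    validate_endpoints=True, additional_base_addresses=()):
    """Apply the policy knobs discussed in the thread. Returns (ok, reasons)."""
    reasons = []
    if validate_issuer_name and normalize(doc["issuer"]) != normalize(authority):
        reasons.append(f"Issuer name does not match authority: {doc['issuer']}")
    if validate_endpoints:
        for key in bad_endpoints(doc, authority, additional_base_addresses):
            reasons.append(f"Endpoint belongs to a different authority: {key}={doc[key]}")
    return (not reasons, reasons)


if __name__ == "__main__":
    cases = [
        ("question as posted",
         check_discovery(IDENTITYSERVER_DOC, "https://localhost/IdentityServer")),
        ("lower-case authority only",
         check_discovery(IDENTITYSERVER_DOC, "https://localhost/identityserver")),
        ("lower-case authority + allow-listed base address",
         check_discovery(IDENTITYSERVER_DOC, "https://localhost/identityserver",
                         additional_base_addresses=["https://localhost/IdentityServer"])),
        ("azure: issuer check off, endpoints still validated",
         check_discovery(AZURE_DOC, f"https://login.microsoftonline.com/{TENANT}",
                         validate_issuer_name=False,
                         additional_base_addresses=["https://login.microsoftonline.com/common"])),
        ("rogue token endpoint, endpoint check on",
         check_discovery(ROGUE_DOC, "https://localhost/IdentityServer", validate_issuer_name=False)),
        ("rogue token endpoint, both checks off (accepted silently)",
         check_discovery(ROGUE_DOC, "https://localhost/IdentityServer",
                         validate_issuer_name=False, validate_endpoints=False)),
    ]
    for label, (ok, reasons) in cases:
        print(f"{label}: ok={ok} {reasons}")
```

The last two cases are the point of keeping ValidateEndpoints on: with it, the rogue token_endpoint is reported; with both flags false, the same document passes and the client would post its credentials to evil.example.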
Other answers address the client - making it accept the lowercase issuer.
This changes the case of the issuer in the discovery document:
By default Identity Server seems to change the issuer Uri to lowercase. This leads to the discovery document having lower case for the issuer; and the case you typed in code/publishing for everything else.
I fixed this in my Identity Server app, in the Startup class's ConfigureServices method:
// Keep the issuer URI in the same case as the configured authority and the other endpoint URIs
var builder = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; });
Using this means the case of the issuer in the discovery document is the same as for all the other URIs.