 

Getting DiscoveryClient fails with "Issuer name does not match authority"

I get the error below when performing a GET using IdentityModel's DiscoveryClient as follows:

var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");

Issuer name does not match authority: https://localhost/identityserver

The target URL is an ASP.NET Core web application running on IIS enabled with IdentityServer4. The client application is a classic ASP.NET web application running on the same machine.

Apparently, the GET did manage to retrieve values from the IdentityServer as evidenced by the contents of discoveryResponse.Raw:

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token",
  "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
  "end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
  "check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
  "revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
  "introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
  "claims_supported": [],
  "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
  "response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "response_modes_supported": [ "form_post", "query", "fragment" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "code_challenge_methods_supported": [ "plain", "S256" ]
}
Sigurd Garshol asked Apr 26 '17 06:04


3 Answers

authority: https://localhost/IdentityServer
issuer:    https://localhost/identityserver

They do not match - it's case sensitive.

leastprivilege answered Nov 12 '22 11:11


In the case when you are unable to change the server code to suit the policy, you can change the policy settings to allow name mismatches.

For example, I am attempting to use DiscoveryClient on the Azure Rest API, and the issuer is https://sts.windows.net/{{ tenant_id }} while the endpoints all start with https://login.microsoft.com/{{ tenant_id }}.

Simply set the fields ValidateIssuerName and ValidateEndpoints to false.

using IdentityModel.Client;

var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);

// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;

var discoResponse = await discoveryClient.GetAsync();


Later Edit

Since this message was posted the DiscoveryClient class has been deprecated.

Here is the new calling syntax:

using System.Net.Http;
using IdentityModel.Client; // GetDiscoveryDocumentAsync is an extension method on HttpClient

var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = authority,
        Policy =
        {
            ValidateIssuerName = false,
            ValidateEndpoints = false,
        },
    }
);
Andrew Shepherd answered Nov 12 '22 11:11

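The policy check that the two answers above are working around, written out in Python as an added example (this is not IdentityModel's code and not from either answer; it approximates the DiscoveryPolicy behaviour described on this page, and the attacker.example host in ROGUE_DOC is a constructed hypothetical). It shows why the question's document fails under the default policy, that a document whose issuer keeps the same casing as the authority passes, and what turning ValidateIssuerName and ValidateEndpoints off gives up: a document that points the token endpoint at another host is then accepted without complaint.

```python
"""Re-implementation of the discovery-document checks behind
"Issuer name does not match authority". Added example, not IdentityModel's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence

# Constructed sample, taken from the question: lower-case issuer next to
# endpoints that keep the casing the authority was typed with.
SAMPLE_DOC: Dict[str, object] = {
    "issuer": "https://localhost/identityserver",
    "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
    "token_endpoint": "https://localhost/IdentityServer/connect/token",
    "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed sample of the server-side fix: issuer cased like the authority.
FIXED_DOC: Dict[str, object] = dict(SAMPLE_DOC, issuer="https://localhost/IdentityServer")

# Constructed sample of what a loosened policy no longer catches: the token
# endpoint lives on a different host (attacker.example is hypothetical).
ROGUE_DOC: Dict[str, object] = dict(
    FIXED_DOC, token_endpoint="https://attacker.example/connect/token"
)

# Non-"_endpoint" keys whose values are still URLs that must sit under the authority.
EXTRA_URL_KEYS = ("jwks_uri", "check_session_iframe")


@dataclass
class DiscoveryPolicy:
    """Mirrors the three policy fields used on this page."""
    validate_issuer_name: bool = True
    validate_endpoints: bool = True
    additional_endpoint_base_addresses: Sequence[str] = field(default_factory=tuple)


def _strip_slash(url: str) -> str:
    return url.rstrip("/")


def _is_url_key(key: str) -> bool:
    return key.endswith("_endpoint") or key in EXTRA_URL_KEYS


def validate_discovery_document(
    authority: str, doc: Dict[str, object], policy: Optional[DiscoveryPolicy] = None
) -> List[str]:
    """Return the list of policy violations; an empty list means the document is accepted."""
    policy = policy or DiscoveryPolicy()
    authority = _strip_slash(authority)
    errors: List[str] = []

    if policy.validate_issuer_name:
        issuer = _strip_slash(str(doc.get("issuer", "")))
        # Ordinal, case-sensitive comparison: no lower-casing on either side.
        if issuer != authority:
            errors.append(f"Issuer name does not match authority: {issuer}")

    if policy.validate_endpoints:
        bases = [authority] + [
            _strip_slash(b) for b in policy.additional_endpoint_base_addresses
        ]
        for key, value in doc.items():
            if not _is_url_key(key):
                continue
            url = str(value)
            # Each URL must be the authority itself or a path below it.
            if not any(url == b or url.startswith(b + "/") for b in bases):
                errors.append(f"Endpoint belongs to different authority: {url}")

    return errors


if __name__ == "__main__":
    strict = DiscoveryPolicy()
    loose = DiscoveryPolicy(validate_issuer_name=False, validate_endpoints=False)
    for name, doc in (("question", SAMPLE_DOC), ("fixed", FIXED_DOC), ("rogue", ROGUE_DOC)):
        for label, pol in (("strict", strict), ("loose", loose)):
            errs = validate_discovery_document("https://localhost/IdentityServer", doc, pol)
            print(f"{name:8s} {label:6s} -> {errs or 'accepted'}")
```

With the default policy the question's document is rejected on the issuer alone; if the client instead uses the lower-case authority, the issuer matches but every endpoint is rejected for living under `/IdentityServer`, so fixing one side of the casing is not enough. Disabling both checks makes ROGUE_DOC pass, which is the cost of the workaround in the answer above: only use it when you trust the TLS channel and the server behind it completely, and prefer `AdditionalEndpointBaseAddresses` over `ValidateEndpoints = false` when only the host differs.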

Other answers address the client - making it accept the lowercase issuer.

This changes the case of the issuer in the discovery document:

By default Identity Server seems to change the issuer Uri to lowercase. This leads to the discovery document having lower case for the issuer; and the case you typed in code/publishing for everything else.

I fixed this in my Identity Server app, Startup, ConfigureServices method

var builder = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; });

Using this means the case of the issuer in the discovery document is the same as for all the other Uris

TomFp answered Nov 12 '22 11:11