IdentityServer3 PublicOrigin and IssuerUri Difference and Usage in IdentityServerOptions

I ran into an issue when deploying to IIS. Apparently the client uses a reverse proxy, and all of the OpenID configuration disco shows the IP address instead of their domain name. PublicOrigin solves my problem. However, I still don't understand the difference between

PublicOrigin

and

IssuerUri

Example in:

var options = new IdentityServerOptions
{
    PublicOrigin = "https://myids/project1/",
    IssuerUri = "https://myids/project1/",
    ...
};

I can see from the disco that the output changes as well if both values are updated respectively, i.e.:

{
  "issuer": "https://myids/project1/",
  "jwks_uri": "https://myids/project1/.well-known/jwks",
  "authorization_endpoint": "https://myids/project1/connect/authorize",
  "token_endpoint": "https://myids/project1/connect/token",
  "userinfo_endpoint": "https://myids/project1/connect/userinfo",
  "end_session_endpoint": "https://myids/project1/connect/endsession",
  "check_session_iframe": "https://myids/project1/connect/checksession",
  "revocation_endpoint": "https://myids/project1/connect/revocation",
  "introspection_endpoint": "https://myids/project1/connect/introspect",
  ...
}

and why not just make it the same as IssuerUri? I have read the documentation on this. Technically it is just a description of the properties. I would like to understand more.

Many thanks.

Riza Marhaban asked Jan 30 '23 18:01

1 Answer

IssuerUri is the unique identifier of the authorization server. The value of this property is embedded into ID tokens in the iss claim, and it is checked during token validation.

On the other hand, PublicOrigin is just the public URI of the server. If the server is behind a reverse proxy, then without this hint it would advertise the private URI in the OpenID Connect metadata (.well-known/openid-configuration).

Why not have just a single property? The OpenID Connect specification (§ 16.15. Issuer Identifier) supports multiple issuers residing on the same host and port. However, the same section of the specification recommends hosting only a single issuer per host and port (i.e. single-tenant).

When would you use a multi-tenant architecture? Suppose you want to build and sell your own Authentication-as-a-Service. Now you have two options: assign a dedicated URI (PublicOrigin) to each of your customers, or use a single PublicOrigin with a dedicated IssuerUri for each customer.

laika answered Feb 26 '23 06:02
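An added example (not code from the question, the answer, or IdentityServer itself) that models the split the answer describes: discovery endpoints are derived from PublicOrigin, the "issuer" value comes from IssuerUri, and a relying party must compare the ID token's iss claim to that issuer by exact string match. The ID tokens and discovery documents here are constructed test data; build_discovery, check_discovery and the tenant names are assumptions, not IdentityServer3 APIs.

```python
import base64
import json


def build_discovery(public_origin: str, issuer_uri: str) -> dict:
    """Constructed metadata in the shape IdentityServer3 publishes at
    .well-known/openid-configuration: endpoints from PublicOrigin, issuer from IssuerUri."""
    base = public_origin.rstrip("/")
    return {
        "issuer": issuer_uri,
        "jwks_uri": f"{base}/.well-known/jwks",
        "authorization_endpoint": f"{base}/connect/authorize",
        "token_endpoint": f"{base}/connect/token",
        "userinfo_endpoint": f"{base}/connect/userinfo",
    }


def check_discovery(doc: dict, public_origin: str) -> list[str]:
    """Return the metadata keys whose URL is not under the expected public origin.
    A non-empty list is the symptom from the question: behind a reverse proxy the
    server advertises its private host/IP until PublicOrigin is set."""
    base = public_origin.rstrip("/") + "/"
    return [k for k, v in doc.items() if k != "issuer" and not v.startswith(base)]


def constructed_token(iss: str) -> str:
    """Build an unsigned, JWT-shaped string carrying only an iss claim (test data only)."""
    def b64(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f'{b64({"alg": "none"})}.{b64({"iss": iss})}.'


def id_token_issuer(id_token: str) -> str:
    """Decode the payload segment of a compact JWT (signature not verified here)
    and return its iss claim."""
    payload_b64 = id_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))["iss"]


def issuer_matches(id_token: str, discovery: dict) -> bool:
    """Relying-party check: iss must equal the advertised issuer exactly.
    No normalisation of trailing slashes or case, so two tenants sharing one
    PublicOrigin are told apart purely by their IssuerUri."""
    return id_token_issuer(id_token) == discovery["issuer"]
```

With one PublicOrigin and a distinct IssuerUri per customer, the tenants share every endpoint URL but a token minted for customer A is rejected when validated against customer B's metadata.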