
Multi-Tenant Azure AD authentication with IdentityServer4


I've configured Identity Server 4 and using Azure AD Authentication. Everything works fine if I use a tenant specific Authority URL in identity server. With that, only a user from that tenant can login. I would like to allow multiple domains to login and would like to validate the issuer in the backend.

To support that I need to use common login endpoint for Azure AD and after I login I get the following error when it redirects to signin-aad endpoint of Identity Server. What configuration should I do so that I can validate the issuer manually?

SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://sts.windows.net/94b73406-72db-4abb-a142-adfdfdfdfdbc/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://sts.windows.net/{tenantid}/'. Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(string issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)


Solution

  • If your domains can grow dynamically at runtime then set ValidateIssuer to false in the TokenValidationParameters. If you have a predetermined set of domains then add them all to ValidIssuers.
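As an added example (not part of the question or the answer above), this is how the external Azure AD handler in an IdentityServer4 host could keep the "common" endpoint while still validating the issuer: instead of switching ValidateIssuer off, it keeps validation on and plugs in an IssuerValidator that extracts the tenant ID from the v1 issuer and accepts it only if it is on a tenant allowlist, which can be loaded from a store at runtime. The class name, the ValidateAzureAdIssuer method, the client ID and the tenant IDs are placeholders I made up for the example.

```csharp
using System;
using System.Collections.Generic;
using IdentityServer4;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class AzureAdMultiTenantConfig
{
    // Hypothetical allowlist of accepted tenant IDs (placeholder values).
    // In a real deployment load this from your tenant store so it can grow at runtime.
    private static readonly HashSet<string> AllowedTenantIds = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "00000000-0000-0000-0000-000000000001", // placeholder tenant id
        "00000000-0000-0000-0000-000000000002", // placeholder tenant id
    };

    public static void AddMultiTenantAzureAd(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddOpenIdConnect("aad", "Azure AD", options =>
            {
                options.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
                // The "common" endpoint lets users from any tenant sign in, so the metadata
                // only advertises the template issuer https://sts.windows.net/{tenantid}/.
                options.Authority = "https://login.microsoftonline.com/common";
                options.ClientId = "<your-client-id>"; // placeholder
                options.CallbackPath = "/signin-aad";
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // ValidateIssuer = false would accept a token from ANY tenant;
                    // keep validation on and decide per issuer instead.
                    ValidateIssuer = true,
                    IssuerValidator = ValidateAzureAdIssuer
                };
            });
    }

    // Azure AD v1 issuers have the form https://sts.windows.net/{tenantid}/ ; extract the
    // tenant id and accept the issuer only if that tenant is on the allowlist.
    public static string ValidateAzureAdIssuer(string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        const string prefix = "https://sts.windows.net/";
        if (issuer != null && issuer.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
        {
            var tenantId = issuer.Substring(prefix.Length).TrimEnd('/');
            if (Guid.TryParse(tenantId, out _) && AllowedTenantIds.Contains(tenantId))
                return issuer; // returning the issuer string marks it as valid
        }
        throw new SecurityTokenInvalidIssuerException($"Issuer '{issuer}' is not an allowed tenant.") { InvalidIssuer = issuer };
    }
}
```

With this in place the IDX10205 error from the question no longer occurs for allowlisted tenants, while a token from an unknown tenant is still rejected at the sign-in callback.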