I followed this guide to set up my ASP.NET hosted Blazor WASM project, and I was able to set up everything so that I have multiple custom domains which are all considered to have a valid SSL certificate and that I was able to log in to all of them. The HTTPS certificate was generated as an Azure App Service managed certificate. The one for IS4 was generated via Azure Key Vault.
The strange thing then is, that from the now 3 domains only one is able to make actual requests to an endpoint. For the others I get this exception:
`www-authenticate: Bearer error="invalid_token", error_description="The issuer '[Domain]' is invalid"`

Funny enough, it seems that it is pretty much random which of the domains is the valid one. After a restart that can change again. For reproduction I created a new project in Visual Studio with individual authentication and deployed it to a new Azure App Service, and added two new domains. So I have now 3 again:
As of this writing the .ch address is the one that is able to make requests. For the two others, when moving to the Fetch Data page, there is just an in the console. My suspicion is that after a restart the domain that makes the first request works and the others don't.
The signing certificate is created with these settings:
And I load it via the WEBSITE_LOAD_CERTIFICATES configuration. I also attach the solution I uploaded to Azure, although it is only minimally adjusted to apply migrations during startup.
You can find an example under this link (it links to a GitHub issue I opened on this topic in the ASP.NET Core Documentation Repository): https://github.com/dotnet/AspNetCore.Docs/files/5350494/BlazorApp1.zip
You can set the IssuerUri in the IdentityServer options, see this page for details:
https://identityserver4.readthedocs.io/en/latest/reference/options.html
You should only have one issuer in the system, otherwise it will be confusing...
In Azure one issue is that you might have a public domain that the public clients see, but internally the service itself sees an internal domain name. Especially common if you terminate HTTPS/TLS outside your application. I think it's ok to set the IssuerUri to the public domain name that clients use to communicate with it.
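As an added illustration of the fix the answer describes (this is not code from the question's attached project or from the answer), the IssuerUri can be pinned in ConfigureServices of the hosted server project; ApplicationUser and ApplicationDbContext are the names the Blazor WASM hosted template generates, and the host name is an assumed placeholder:

```csharp
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ... DbContext, ASP.NET Core Identity etc. as generated by the template ...

        services.AddIdentityServer(options =>
            {
                // When IssuerUri is left unset, IdentityServer derives the issuer from
                // the host of the incoming request. With several custom domains (or TLS
                // terminated in front of the app) that yields tokens whose "iss" claim
                // the API rejects with: The issuer '<domain>' is invalid.
                // Pin it to the single public name clients use (assumed placeholder).
                options.IssuerUri = "https://auth.example.com";

                // Keep the comparison predictable: emit the issuer in lower case so the
                // "iss" claim and the validator's expected value cannot differ by casing.
                options.LowerCaseIssuerUri = true;
            })
            // Template-generated names; wires up the Blazor client and API resources.
            .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

        // The API side of the same app validates bearer tokens against this issuer.
        services.AddAuthentication()
            .AddIdentityServerJwt();
    }
}
```

After deploying, fetching /.well-known/openid-configuration from each custom domain should return the same "issuer" value, which is the quickest check that the setting took effect.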