I am hosting identity server behind a reverse proxy on a subpath of the root url (example.com/subpath).
For external APIs behind the same proxy (example.com/apisubpath) token validation is working correctly.
Now I added an api on the same service that hosts IdentityServer as documented in Adding more API endpoints.
Requesting a token with the scope IdentityServerApi is working fine and when testing it in my local dev environment without the reverse proxy I call the api successfully.
Behind the reverse proxy I get an error: Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://example.com/subpath'. Did not match: validationParameters.ValidIssuer: 'https://example.com' or validationParameters.ValidIssuers: 'null'.
So it gets the right domain from the requests but it doesn't include the sub path when 'registering' the validationParameters.ValidIssuer it seems.
Is there a way to set the validationParameters.ValidIssuer manually or am I doing something else wrong?
Thanks for your help
There are a few ways to get this thing to work, with Identity Server 4
Host header that came from client request. Otherwise just explicitly set Issuer on Identity Server 4:

    // This one was on the Identity server
    services.AddIdentityServer(opts => opts.IssuerUri = "The explicit Url came here!");

    // This one was on the other services, If not set to the same instance of Identity Server
    services.AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    }).AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = false, // If set to true, It's gonna take care of the issuer
            ValidIssuer = "If we just have a single Issuer, set it here",
            ValidIssuers = new []{"Multiple", "Issuer", "Came", "Here"}
        };
    });

connect/token have Host header of https://example.com/subpath, while it should be https://example.com, so... just choose some of the options above that suit the most
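
An added example, not part of the answer above or of IdentityServer4's own code: a stand-alone console program that reproduces the issuer comparison behind IDX10205 with `ValidateIssuer` left on, once with the host-only issuer and once with the sub path included. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the class name, signing key and audience value are constructed for the demo.

```csharp
// Added example; requires the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class IssuerCheckDemo // hypothetical name
{
    // Issuer is the one reported in the error message; audience and key are constructed.
    const string Issuer = "https://example.com/subpath";
    const string Audience = "IdentityServerApi";
    static readonly SymmetricSecurityKey Key = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));

    // Mint a short-lived token the way the token endpoint would stamp its issuer.
    static string IssueToken()
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = Issuer,
            Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(5),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        }));
    }

    // Validate with issuer checking enabled and an explicit expected issuer.
    static string Validate(string token, string validIssuer)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = validIssuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
            return validIssuer + " -> accepted";
        }
        catch (SecurityTokenInvalidIssuerException ex) { return validIssuer + " -> " + ex.Message; }
    }

    public static void Main()
    {
        var token = IssueToken();
        Console.WriteLine(Validate(token, "https://example.com"));         // ValidIssuer without the sub path
        Console.WriteLine(Validate(token, "https://example.com/subpath")); // ValidIssuer with the sub path
    }
}
```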