Identityserver4: IDX10205

Created on 24 Nov 2016 · 10 Comments · Source: IdentityServer/IdentityServer4

I have come into an issue where I am getting the error:

System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'http://domain.com'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'https://domain.com'.

Please note that the protocol is different. One is http, one is https. This is only happening in some instances so I presume we have something going on with our internal network. Is there anything that can be done to work around this?

question

All 10 comments

One value is coming from the discovery document - one value is coming from the token.

Both are "calculated" from the current HTTP request. So my guess is you are somehow using HTTP vs HTTPS in certain situations (or a reverse proxy is terminating the TLS channel in certain cases).

Do you have a reverse proxy/load balancer that is terminating Https?

For external traffic (where this is failing) we go through a reverse proxy. For internal traffic we don't go through the reverse proxy and it works.

That's probably it..

So in ASP.NET Core there is middleware (HTTP headers) that takes the headers from the reverse proxy to set things like protocol and hostname. That's what you should use.

Another fix would probably be to set a static issuer name in our options.

Let us know what works for you.

To set the IdentityServerOptions it looks like you need to call the method:

public static IIdentityServerBuilder AddIdentityServer(this IServiceCollection services, Action<IdentityServerOptions> setupAction);

Do you have an example of what you send into setupAction?

something like

services.AddIdentityServer(options => { options.IssuerName = "https://issuer"; })...

I can confirm that setting the IssuerName has fixed the issue I was having. Thank you for your help.

I've run into this problem trying to get a xamarin client sample working in a demo along with some other js/html clients on localhost. I'm trying to create a demo sample solution that just works if you run it in a dev environment on localhost. Currently my js/html clients all work but I'm having trouble getting a xamarin android client working.

The problem I've run into is that for android emulator, you have to use a special ip address in the client 10.0.2.2 to connect to localhost on the computer. I'm able to connect and login, but when I try to access a protected api I get:

IDX10205: Issuer validation failed. Issuer: 'http://10.0.2.2:50405'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'http://localhost:50405'.

Any ideas how I might be able to solve that would be appreciated.

nevermind, surprisingly setting the issuer like this:

 options.IssuerUri = "http://10.0.2.2:50405";

worked and did not break my other clients in the demo

It seems that for the xamarin client the issuer must match the authority but that is not the case for my other js/html clients.

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.
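
The forwarded-headers approach suggested in the thread, shown as an added example (not code from the thread or from the IdentityServer project): a minimal ASP.NET Core host that accepts `X-Forwarded-Proto` only from a known proxy and echoes the origin the application then sees, which is the request-derived value the thread says the issuer is calculated from. The proxy address `192.0.2.10` is a constructed placeholder, and the echo endpoint is a hypothetical stand-in for the real pipeline, where `UseForwardedHeaders` would be placed before `UseIdentityServer`.

```csharp
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;

public class Startup
{
    public void Configure(IApplicationBuilder app)
    {
        var forwarded = new ForwardedHeadersOptions
        {
            // Only the scheme differs in the reported error (http vs https),
            // so only X-Forwarded-Proto is honoured here.
            ForwardedHeaders = ForwardedHeaders.XForwardedProto,
            // Accept a single hop: the TLS-terminating proxy itself.
            ForwardLimit = 1
        };

        // Constructed placeholder: replace with the address of your reverse proxy.
        // A request arriving from any other address keeps its real scheme, so a
        // client cannot change the computed issuer by sending the header itself.
        forwarded.KnownProxies.Add(IPAddress.Parse("192.0.2.10"));

        // Must run before any middleware that reads Request.Scheme.
        app.UseForwardedHeaders(forwarded);

        // Hypothetical diagnostic endpoint: returns the origin as the app sees it.
        // Behind the trusted proxy this should read https://..., matching the
        // issuer that external clients obtain from the discovery document.
        app.Run(async context =>
        {
            var origin = context.Request.Scheme + "://" + context.Request.Host;
            await context.Response.WriteAsync(origin);
        });
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        new WebHostBuilder()
            .UseKestrel()
            .UseStartup<Startup>()
            .Build()
            .Run();
    }
}
```

If the echoed origin still shows `http` for traffic that came through the proxy, the request did not arrive from an address listed in `KnownProxies` or the proxy is not sending `X-Forwarded-Proto`.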
