Getting DiscoveryClient fails with "Issuer name does not match authority"

If you are unable to change the server code to suit the policy, you can change the policy settings to allow name mismatches.

For example, I am attempting to use DiscoveryClient on the Azure Rest API, and the issuer is https://sts.windows.net/{{ tenant_id }} while the endpoints all start with https://login.microsoft.com/{{ tenant_id }}.

Simply set the fields ValidateIssuerName and ValidateEndpoints to false.

var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);

// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;

var discoResponse = await discoveryClient.GetAsync();


Later Edit

Since this message was posted, the DiscoveryClient class has been deprecated.

Here is the new calling syntax:

var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = authority,
        Policy =
        {
            ValidateIssuerName = false,
            ValidateEndpoints = false,
        },
    }
);

authority: https://localhost/IdentityServer
issuer: https://localhost/identityserver

They do not match - it's case sensitive.
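
Added example, not part of either answer above and not IdentityModel code: with `ValidateIssuerName` and `ValidateEndpoints` switched off, nothing ties the discovery document to the provider you expect, so one option is to pin the expected issuer and endpoint hosts yourself after the fetch. `DiscoveryPinning`, `Check` and the sample URLs are hypothetical, constructed for illustration; the issuer comparison is ordinal, which also reproduces the case mismatch from the second answer.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not part of IdentityModel): pin issuer and endpoint hosts.
public static class DiscoveryPinning
{
    // Returns the problems found; an empty list means the document matches the pins.
    public static IReadOnlyList<string> Check(string issuer, IEnumerable<string> endpoints,
        string expectedIssuer, IEnumerable<string> allowedHosts)
    {
        var problems = new List<string>();

        // Exact, case-sensitive match: ".../IdentityServer" != ".../identityserver".
        if (!string.Equals(issuer, expectedIssuer, StringComparison.Ordinal))
            problems.Add($"issuer '{issuer}' is not the pinned '{expectedIssuer}'");

        var hosts = new HashSet<string>(allowedHosts, StringComparer.OrdinalIgnoreCase);
        foreach (var endpoint in endpoints.Where(e => !string.IsNullOrEmpty(e)))
        {
            if (!Uri.TryCreate(endpoint, UriKind.Absolute, out var uri)
                || uri.Scheme != Uri.UriSchemeHttps
                || !hosts.Contains(uri.Host))
                problems.Add($"endpoint '{endpoint}' is not HTTPS on an allowed host");
        }
        return problems;
    }

    public static void Main()
    {
        // Constructed values mirroring the two cases discussed on this page.
        var tenant = "8481D2AC-893F-4454-8A3B-A0297D301278";
        var azure = Check(
            $"https://sts.windows.net/{tenant}",
            new[] { $"https://login.microsoftonline.com/{tenant}/oauth2/token" },
            expectedIssuer: $"https://sts.windows.net/{tenant}",
            allowedHosts: new[] { "login.microsoftonline.com" });
        Console.WriteLine($"Azure-style document: {azure.Count} problem(s)");

        var casing = Check(
            "https://localhost/identityserver",
            Array.Empty<string>(),
            expectedIssuer: "https://localhost/IdentityServer",
            allowedHosts: new[] { "localhost" });
        Console.WriteLine(string.Join("; ", casing));
    }
}
```

In real use the `issuer` and `endpoints` arguments would come from the discovery response (for example `discoResponse.Issuer` and `discoResponse.TokenEndpoint`), and a non-empty result should be treated as a failed discovery.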