Getting DiscoveryClient fails with "Issuer name does not match authority"
In the case when you are unable to change the server code to suit the policy, you can change the policy settings to allow name mismatches.
For example, I am attempting to use DiscoveryClient on the Azure REST API, and the issuer is https://sts.windows.net/{{ tenant_id }} while the endpoints all start with https://login.microsoft.com/{{ tenant_id }}.
Simply set the fields ValidateIssuerName and ValidateEndpoints to false.

    var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
    var authority = $"https://login.microsoftonline.com/{tenant_id}";
    DiscoveryClient discoveryClient = new DiscoveryClient(authority);
    // Accept the configuration even if the issuer and endpoints don't match
    discoveryClient.Policy.ValidateIssuerName = false;
    discoveryClient.Policy.ValidateEndpoints = false;
    var discoResponse = await discoveryClient.GetAsync();

Later Edit
Since this message was posted the DiscoveryClient class has been deprecated.
Here is the new calling syntax:
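
    // Requires: using IdentityModel.Client; (GetDiscoveryDocumentAsync is an HttpClient extension method)
    // `authority` is the same value as in the first snippet.
    var client = new HttpClient();
    var discoResponse = await client.GetDiscoveryDocumentAsync(
        new DiscoveryDocumentRequest
        {
            Address = authority,
            Policy =
            {
                // Accept the configuration even if the issuer and endpoints don't match
                ValidateIssuerName = false,
                ValidateEndpoints = false,
            },
        }
    );
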
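A narrower variant of the policy change above, as an added example that is not part of the original answer or of IdentityModel's own samples: endpoint validation stays on, with the extra base address allowed through the policy's AdditionalEndpointBaseAddresses collection, and the disabled issuer-name check is replaced by an explicit comparison. The names AzureDiscovery and LoadAsync are hypothetical, and the expected issuer and endpoint base are assumptions taken from the answer's description, using its made-up tenant id.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class AzureDiscovery // hypothetical helper, not from the original answer
{
    // Made-up tenant id, reused from the answer above.
    private const string TenantId = "8481D2AC-893F-4454-8A3B-A0297D301278";

    public static async Task<DiscoveryDocumentResponse> LoadAsync(HttpClient client)
    {
        var authority = $"https://login.microsoftonline.com/{TenantId}";
        // Assumed values, as described in the answer; confirm them against the
        // discovery document your tenant actually returns.
        var expectedIssuer = $"https://sts.windows.net/{TenantId}";
        var endpointBase = $"https://login.microsoft.com/{TenantId}";

        var disco = await client.GetDiscoveryDocumentAsync(new DiscoveryDocumentRequest
        {
            Address = authority,
            Policy =
            {
                // The issuer is known to differ from the authority, so the built-in
                // name check is off and replaced by the explicit comparison below.
                ValidateIssuerName = false,
                // Endpoint validation stays on; only this one extra base is accepted.
                ValidateEndpoints = true,
                AdditionalEndpointBaseAddresses = { endpointBase },
            },
        });

        if (disco.IsError)
            throw new InvalidOperationException($"Discovery failed: {disco.Error}");

        // Stand-in for the disabled issuer check: exact, case-sensitive match
        // (a trailing slash on the published issuer is tolerated).
        if (!string.Equals(disco.Issuer?.TrimEnd('/'), expectedIssuer, StringComparison.Ordinal))
            throw new InvalidOperationException($"Unexpected issuer: {disco.Issuer}");

        return disco;
    }
}
```

With this policy a discovery document that lists an endpoint outside the authority or the one added base address is still rejected, which is the protection lost when ValidateEndpoints is set to false.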
authority: https://localhost/IdentityServer
issuer: https://localhost/identityserver
They do not match - it's case sensitive.