Open charlieH1 opened 8 months ago
Hi can you please post the error message? I’ve checked OpenIdConnectOptions
and they don’t have this validation. I will check a few more places in the aspnetcore source code.
Hi Andrew
Sorry for the slow reply, see below
Main Error:
An unhandled exception occurred while processing the request.
SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: '<removed for security>'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'localhost:5000'. For more details, see https://aka.ms/IdentityModel/issuer-validation.
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(string idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
AuthenticationFailureException: An error was encountered while handling the remote login.
Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()
Stack:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: '<removed for security>'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'localhost:5000'. For more details, see https://aka.ms/IdentityModel/issuer-validation.
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.ValidateTokenUsingHandlerAsync(String idToken, AuthenticationProperties properties, TokenValidationParameters validationParameters)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
Hope that helps
Ok I found that it was this commit that added this: https://github.com/dotnet/aspnetcore/commit/a56e968c19be1275db6dc462310d723615b006a7
Per tenant issuer should be possible. You would just use per-tenant options for OpenIdConnectOptions
and override that property for the options class using something on the tenant info. Likely you'd want to add a specific property to your tenant info type to store that. I will add a convention to the per-tenant authentication functionality that will look for a property with that name and use it by convention.
Also I’ll add that in most of my dev and samples I disable issuer validation so I wouldn’t have seen this for a while. Thanks for bringing it to the community’s attention.
Hi
With the update to the packages I noticed that issuer validation is being enforced differently: previously I didn't have to put in a Valid issuer or anything in the AddOpenIdConnect defaults, now I have to. Here's some sample code to demo it; below is what I have to do now
and before
Is there a way that hasn't been documented to have per-tenant issuer validation or not, and if not, I'd suggest this might be worth a look into?
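One way to get per-tenant issuer validation with the current handler, as an added example that is not code from this thread or from the library under discussion: instead of per-tenant `OpenIdConnectOptions` instances as the maintainer describes, a single `IssuerValidator` delegate on `TokenValidationParameters` resolves the tenant at validation time and compares the token's issuer against that tenant's expected value. `ITenantContext` and its `ExpectedIssuer` property are assumed (hypothetical); the `IPostConfigureOptions`, `IHttpContextAccessor` and `IssuerValidator` APIs are the public ASP.NET Core and Microsoft.IdentityModel ones.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;

// Hypothetical per-request tenant context (assumption, not from the thread).
// Register your tenant resolver so that this is available from HttpContext.RequestServices.
public interface ITenantContext
{
    // Exact issuer this tenant's identity provider places in the id_token 'iss' claim.
    string ExpectedIssuer { get; }
}

// Registration (assumed wiring):
//   services.AddHttpContextAccessor();
//   services.AddSingleton<IPostConfigureOptions<OpenIdConnectOptions>, TenantIssuerOptions>();
public sealed class TenantIssuerOptions : IPostConfigureOptions<OpenIdConnectOptions>
{
    private readonly IHttpContextAccessor _http;

    public TenantIssuerOptions(IHttpContextAccessor http) => _http = http;

    public void PostConfigure(string? name, OpenIdConnectOptions options)
    {
        var tvp = options.TokenValidationParameters;
        tvp.ValidateIssuer = true;

        // Runs once per token, so the tenant is resolved for the request being validated,
        // not at options-construction time.
        tvp.IssuerValidator = (issuer, token, parameters) =>
        {
            var tenant = _http.HttpContext?.RequestServices.GetService<ITenantContext>();
            if (tenant is null || string.IsNullOrEmpty(tenant.ExpectedIssuer))
            {
                // Fail closed: no resolved tenant means no acceptable issuer.
                throw new SecurityTokenInvalidIssuerException(
                    "No tenant (or no expected issuer) resolved for this request.") { InvalidIssuer = issuer };
            }

            // Exact ordinal comparison: no prefix, case-insensitive or wildcard matching.
            if (string.Equals(issuer, tenant.ExpectedIssuer, StringComparison.Ordinal))
                return issuer;

            throw new SecurityTokenInvalidIssuerException(
                $"Issuer '{issuer}' does not match the issuer configured for the current tenant.")
                { InvalidIssuer = issuer };
        };
    }
}
```

Because the delegate replaces the default issuer check, the discovery document's issuer (the `localhost:5000` value in the IDX10205 message above) is no longer consulted, so each tenant's expected issuer must be stored explicitly, as the maintainer suggests.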