IdentityServer / IdentityServer3.AccessTokenValidation

OWIN Middleware to validate access tokens from IdentityServer3
Apache License 2.0

Authentication issue with mirror link to IS #148

Status: Closed (obihobit closed this issue 7 years ago)

obihobit commented 7 years ago

Hi,

I have a problem with authentication in my app: if IS is reached with a direct link and an access token is generated, then when the API tries to validate it on the same IS, but with a mirror link, I get a 401 error. I believe the cause of this bug is that the token contains the URL of IS in it, so it is not recognized on the same IS with the mirror link.

My question is: how could I generate a custom token that will not contain information about the URL in it? Any other suggestion or advice on this matter will be much appreciated!

leastprivilege commented 7 years ago

This is probably because you use different URLs - the issuer name MUST (per spec) match the base address of the server. I think this is a networking issue.

You can also explicitly set the issuer name in the IS options.

obihobit commented 7 years ago

The problem is that I have old users (on iOS and Android) that have a direct link to the IS in their apps, and new ones have a mirror link. Also, my API has a mirror link to IS.

So, when an old user authenticates with the direct link, and the API tries to validate the token via the mirror link, the error is 401. New users or users who updated their app don't have this problem, but I need this to be functional for users with both mirror and direct links to IS (forcing the updates on old users isn't an option, unfortunately).

Would explicitly setting the Issuer Name solve this problem? Do you think that migrating to IS4 would help me to solve this problem more effectively?

leastprivilege commented 7 years ago

It probably would solve the issue. You need to try it.

IS4 implements the spec in the same way as IS3 - so no.

obihobit commented 7 years ago

Yeah, that did it. I set the IssuerUri on IS and IssuerName on the API and now everything works as it should.

Thank you very much for the quick and very helpful answers.
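
The issuer mismatch resolved in this thread, modelled as an added example that is not part of the thread and is not IdentityServer code: a token service writes `iss` from the URL the client used unless an issuer is pinned, and the API compares `iss` to the issuer it expects by exact string match. Assumptions: the two URLs, the key and all function names are constructed, HMAC stands in for the server's real token signing, and the API's expected issuer is taken to be the mirror URL it uses to reach the server.

```python
import base64, hashlib, hmac, json
from typing import Optional

KEY = b"constructed-demo-key"                 # constructed; stand-in for the signing key
DIRECT = "https://login.example.com/core"     # constructed URL: direct link (old apps)
MIRROR = "https://mirror.example.com/core"    # constructed URL: mirror link (new apps, API)

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(request_base_url: str, issuer_uri: Optional[str] = None) -> str:
    """Token service: 'iss' follows the URL the client used unless it is pinned."""
    claims = {"iss": issuer_uri or request_base_url.rstrip("/"), "sub": "user-1"}
    body = _b64(json.dumps({"alg": "HS256"}).encode()) + "." + _b64(json.dumps(claims).encode())
    sig = hmac.new(KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def validate(token: str, expected_issuer: str) -> int:
    """API side: return the HTTP status the caller would see."""
    try:
        header, payload, sig = token.split(".")
        good = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64(sig)):
            return 401
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return 401
    # Exact comparison: another host name for the same server is a different issuer.
    return 200 if claims.get("iss") == expected_issuer else 401

def scenario(pinned_issuer: Optional[str] = None) -> dict:
    """Status codes for an old app (direct link) and a new app (mirror link)."""
    api_expects = pinned_issuer or MIRROR     # the API reaches the server via the mirror
    return {
        "old_app": validate(issue_token(DIRECT, pinned_issuer), api_expects),
        "new_app": validate(issue_token(MIRROR, pinned_issuer), api_expects),
    }

if __name__ == "__main__":
    print(scenario())          # issuer follows the request URL
    print(scenario(DIRECT))    # one issuer pinned on both the server and the API
```

Pinning changes only the issuer string both sides agree on; the signature check still applies, so a token that is unsigned or altered is rejected whatever `iss` it carries.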