When using IdentityServer4 how can one modify the token validation parameters so that the token issuer is not validated or multiple valid issuers can be provided?

I've tried the following approach but this doesn't seem to work:

    public void ConfigureServices(IServiceCollection services)
    {
        // ... omitted

        services.AddAuthentication("Bearer")
            .AddIdentityServerAuthentication(options =>
            {
                options.Authority = "http://localhost:5000";
                options.RequireHttpsMetadata = false;

                options.ApiName = scopeName;
            });

        services.PostConfigure<JwtBearerOptions>("Bearer", options =>
        {
            // Option 1: turn off issuer validation at all
            options.TokenValidationParameters.ValidateIssuer = false;

            // Option 2 (preferable): Provide multiple valid issuers
            options.TokenValidationParameters.ValidIssuers = new[]
            {
                "http://localhost:5000",
                "http://127.0.0.1:5000",
            };
        });

        // ... omitted
    }

The reason why I need this: APIs which are protected by identity server are accessed internally and externally. External parties are using a different URL to get tokens from identity server than internal parties, so a protected API should consider both internal and external URLs as valid.

Comments:

- Is this approach something for you? stackoverflow.com/questions/51231697/… (Ruard van Elburg)
- @RuardvanElburg: cool, thanks a lot, this seems to be an approach to make my scenario work. However, I'd still be interested if there is a solution to my question above where the issuer initially being used for generating tokens is persisted and not lost in the JWT token. (baumgarb)
- @RuardvanElburg: testing this out I just realized that this approach won't really work because, as it says in the other approach, the shared URL must be accessible by all tenants. This means I could never use an authority in my protected APIs which is only known by the internal DNS. (baumgarb)

1 Answer

All right, after checking out the GitHub repo IdentityServer4.AccessTokenValidation I found a way to accomplish that. My tests confirm that it works.

    public void ConfigureServices(IServiceCollection services)
    {
        // ... omitted

        services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
            .AddIdentityServerAuthentication(
                IdentityServerAuthenticationDefaults.AuthenticationScheme,
                jwtOptions =>
                {
                    jwtOptions.Authority = "http://localhost:5000";
                    jwtOptions.RequireHttpsMetadata = false;

                    // This previously was: options.ApiName = scopeName;
                    jwtOptions.Audience = scopeName;

                    // Option 1: if you want to turn off issuer validation
                    //jwtOptions.TokenValidationParameters.ValidateIssuer = false;

                    // Option 2: if you want to support multiple issuers
                    jwtOptions.TokenValidationParameters.ValidIssuers = new[]
                    {
                        "http://localhost:5000",
                        "http://127.0.0.1:5000",
                    };
                },
                null
            );

        // ... omitted
    }
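To see what the `ValidIssuers` setting above actually does at validation time, here is an added stand-alone example (not part of the answer or of IdentityServer4) that issues tokens under both internal URLs plus an unexpected one and runs them through `TokenValidationParameters` with the same issuer list. It assumes the `System.IdentityModel.Tokens.Jwt` package and a constructed symmetric demo key; a real IdentityServer signs with an RSA key that the handler fetches from the discovery document.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class MultiIssuerDemo
{
    // Constructed demo key (HS256 needs >= 16 bytes); not how IdentityServer signs.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("demo-key-must-be-at-least-32-bytes-long!"));

    // Mint a token whose "iss" claim is the URL the client happened to use to reach the server.
    static string IssueToken(string issuer, string audience)
    {
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim("sub", "demo-user") },
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns true when the token passes; issuer mismatches surface as a dedicated exception type.
    static bool Validate(string jwt, TokenValidationParameters parameters)
    {
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return true;
        }
        catch (SecurityTokenInvalidIssuerException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
            return false;
        }
    }

    public static void Main()
    {
        // Same settings the answer places on jwtOptions.TokenValidationParameters.
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = new[] { "http://localhost:5000", "http://127.0.0.1:5000" },
            ValidAudience = "api1",
            IssuerSigningKey = Key,
        };

        Console.WriteLine(Validate(IssueToken("http://localhost:5000", "api1"), parameters));
        Console.WriteLine(Validate(IssueToken("http://127.0.0.1:5000", "api1"), parameters));
        Console.WriteLine(Validate(IssueToken("http://unexpected-host:5000", "api1"), parameters));
    }
}
```

Only the first two tokens are accepted; the third is refused with `SecurityTokenInvalidIssuerException` even though its signature is valid, which is why listing every legitimate issuer is safer than setting `ValidateIssuer = false`.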