0
votes

I'm facing the following scenario: I have an ASP.NET Core WebAPI (the API resource I'm trying to protect) hosted on the same machine as IdentityServer, and I have clients outside of my network that communicate with both through their public addresses (eg: https://myapi.com and https://myidentity.com).

I was wondering if it is possible to set the API to communicate with the IdentityServer through a localhost address (eg: http://localhost:5000) while the external clients keep communicating with both via their public addresses?

I've tried to modify the IdentityServer Authority property to use the localhost address:

services.AddAuthentication(IdentityServerAuthenticationDefaults.AuthenticationScheme)
    .AddIdentityServerAuthentication(options =>
    {
        // Authority must be a string; the API fetches discovery metadata from here
        options.Authority = "http://localhost:5000";
        options.ApiName = apiName;
    });

But I get the following error when the API attempts to validate the token that it received from the client:

Bearer error="invalid_token", error_description="The issuer 'https://myidentity.com' is invalid"

This makes sense since the token was issued by https://myidentity.com and my API has its authority set to http://localhost:5000.

Any ideas?


1 Answer

0
votes

You can set TokenValidationParameters to add a valid ValidIssuer; the two token issuers should both work:

services.AddAuthentication("Bearer")
    .AddJwtBearer("Bearer", options =>
    {
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;
        options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = "https://myidentity.com"
        };

        options.Audience = "api1";
    });
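An added example, not code from the question or the answer, that reproduces the issuer check offline with the System.IdentityModel.Tokens.Jwt package: it mints a token whose iss is the public address (signed with a constructed HMAC key standing in for IdentityServer's RSA signing key) and validates it twice, first trusting only the localhost issuer as the question's configuration does, then with both addresses listed in ValidIssuers, which generalises the answer's single ValidIssuer.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

class IssuerCheckDemo
{
    // Constructed demo key; IdentityServer signs with RSA, but the issuer logic is identical.
    static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes!!"));

    // Mint a token the way the public IdentityServer would: iss is the public address.
    static string MintToken()
    {
        var token = new JwtSecurityToken(
            issuer: "https://myidentity.com",
            audience: "api1",
            claims: new[] { new Claim("sub", "alice") },
            expires: DateTime.UtcNow.AddMinutes(5),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Returns null when the token validates, otherwise the issuer-validation error message.
    static string Validate(string jwt, params string[] validIssuers)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuers = validIssuers,   // any issuer in this list is accepted
            ValidateAudience = true,
            ValidAudience = "api1",
            IssuerSigningKey = Key,        // in the API this key comes from the discovery document
        };
        try
        {
            new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
            return null;
        }
        catch (SecurityTokenInvalidIssuerException e) { return e.Message; }
    }

    static void Main()
    {
        string jwt = MintToken();
        // The question's setup: the handler only trusts the issuer it learned from localhost.
        Console.WriteLine(Validate(jwt, "http://localhost:5000") ?? "valid");
        // The answer's fix, widened to both addresses so either discovery URL keeps working.
        Console.WriteLine(Validate(jwt, "http://localhost:5000", "https://myidentity.com") ?? "valid");
    }
}
```

Note that the answer's RequireHttpsMetadata = false only relaxes TLS for the loopback discovery call; the token signature is still checked against the keys that endpoint publishes, so keep Authority bound to localhost and not to a routable hostname.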