Windows Azure, IdentityServer3, and Valid Issuers

Written by Khalid Abuhakmeh, Bill Boga, and Ken Dale

At Ritter Insurance Marketing, we utilize IdentityServer3 for our authentication mechanism. It has been almost a year of hosting in Windows Azure with great success. While it has been a positive experience, but there has been one frustrating issue. Unpredictably, our authentication system would break, leaving our applications inaccessible. We started noticing a specific exception in our error log when these events would occur:

System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException

IDX10205: Issuer validation failed. Issuer: 'https://auth.ritterim.com/identity'.  \
Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: \
'https://auth.ritterim.com/, https://rim-auth-east.azurewebsites.net/identity'.

We have noticed that the Issuer url value being provided by an authentication request changes randomly in Windows Azure. The unknown bug causes our applications to break. While the change is random, the expected issuer urls are not. We have narrowed it down to these known variations.

https://{custom domain name}.com
https://{custom domain name}.com/identity
https://{azure app name}.azurewebsites.net
https://{azure app name}.azurewebsites.net/identity

To setup the valid issuers for IdentityServer3, we just use the APIs provided by the library.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // other settings...
    TokenValidationParameters = new TokenValidationParameters()
    {
        AuthenticationType = "Cookies",
        // a comma seperated list of urls
        ValidIssuers = config.ValidIssuers
    }
    // other settings...
});

We hope we’ve found all the variations, and for the last several weeks our authentication has become a lot more stable. I hope this helps anyone experiencing issues with IdentityServer3 and Windows Azure.