At Ritter Insurance Marketing, we utilize IdentityServer3 for our authentication mechanism. It has been almost a year of hosting in Windows Azure with great success. While it has been a positive experience, but there has been one frustrating issue. Unpredictably, our authentication system would break, leaving our applications inaccessible. We started noticing a specific exception in our error log when these events would occur:

System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException

IDX10205: Issuer validation failed. Issuer: 'https://auth.ritterim.com/identity'.  \
Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: \
'https://auth.ritterim.com/, https://rim-auth-east.azurewebsites.net/identity'.

We have noticed that the Issuer url value being provided by an authentication request changes randomly in Windows Azure. The unknown bug causes our applications to break. While the change is random, the expected issuer urls are not. We have narrowed it down to these known variations.

https://{custom domain name}.com
https://{custom domain name}.com/identity
https://{azure app name}.azurewebsites.net
https://{azure app name}.azurewebsites.net/identity

To setup the valid issuers for IdentityServer3, we just use the APIs provided by the library.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // other settings...
    TokenValidationParameters = new TokenValidationParameters()
    {
        AuthenticationType = "Cookies",
        // a comma seperated list of urls
        ValidIssuers = config.ValidIssuers
    }
    // other settings...
});

We hope we’ve found all the variations, and for the last several weeks our authentication has become a lot more stable. I hope this helps anyone experiencing issues with IdentityServer3 and Windows Azure.

Published Jan 16, 2016 by

Director of Software Development (Former)

Senior Software Developer

Senior Application Developer (Former)

Security

Windows Azure

CSS Only Dropdown Menu

Welcome New Hire: Getting started in Frontend at ...

Tab Colors in Azure Data Studio

Platform UI background image and gradient utilities

Vue 3 is official

Defaulting ASP.NET Core 3.1 To Require Authentica...

Customizing VueJS components with scoped slots

Swagger Grouping With Controller Name Fallback Us...

ASP.NET Core 3.1: Newtonsoft.Json Issues With Enu...

ASP.NET Core 3.1: Default System.Text.Json Settin...

CSS Only Tooltip for All Screen Sizes

Elasticsearch With NEST Using C# nameof Not Working

How to avoid NullReferenceException in C#

Getting Started Testing Vue Components

How ConveyUX Can Convey Good Ideas

Running Database Migrations On Web Application St...

Building ASP.NET Core 3.1 Apps To Organizational ...

What Works and What Doesn't With ConfigurationMan...

Regex Performance With and Without RegexOptions.C...

z-index Is Confusing, but It Doesn't Have to Be

Windows Azure, IdentityServer3, and Valid Issuers

Comments

Windows Azure, IdentityServer3, and Valid Issuers

Deprecating Subdomains Effectively With Windows Azure and IIS

Secure Global Stuntman Users With Windows Azure Blob Storage

Considering Hangfire In Windows Azure Instead Of WebJobs

Deploying Jekyll to Windows Azure App Services

Comments