×

Windows Azure, IdentityServer3, and Valid Issuers

Written by Khalid Abuhakmeh |Bill Boga |Ken Dale
2
This post is days old.

At Ritter Insurance Marketing, we utilize IdentityServer3 for our authentication mechanism. It has been almost a year of hosting in Windows Azure with great success. While it has been a positive experience, but there has been one frustrating issue. Unpredictably, our authentication system would break, leaving our applications inaccessible. We started noticing a specific exception in our error log when these events would occur:

System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException

IDX10205: Issuer validation failed. Issuer: 'https://auth.ritterim.com/identity'.  \
Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: \
'https://auth.ritterim.com/, https://rim-auth-east.azurewebsites.net/identity'.

We have noticed that the Issuer url value being provided by an authentication request changes randomly in Windows Azure. The unknown bug causes our applications to break. While the change is random, the expected issuer urls are not. We have narrowed it down to these known variations.

  • https://{custom domain name}.com
  • https://{custom domain name}.com/identity
  • https://{azure app name}.azurewebsites.net
  • https://{azure app name}.azurewebsites.net/identity

To setup the valid issuers for IdentityServer3, we just use the APIs provided by the library.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // other settings...
    TokenValidationParameters = new TokenValidationParameters()
    {
        AuthenticationType = "Cookies",
        // a comma seperated list of urls
        ValidIssuers = config.ValidIssuers
    }
    // other settings...
});

We hope we’ve found all the variations, and for the last several weeks our authentication has become a lot more stable. I hope this helps anyone experiencing issues with IdentityServer3 and Windows Azure.

Khalid Abuhakmeh
Khalid Abuhakmeh
Director of Software Development
Bill Boga
Bill Boga
Senior Software Developer
Ken Dale
Ken Dale
Senior Application Developer
Security
Windows Azure
Suggested reading

Deprecating Subdomains Effectively With Windows Azure and IIS

Windows Azure
We are in the process of deprecating many smaller subdomain app services and ...
Read now

Secure Global Stuntman Users With Windows Azure Blob Storage

Windows Azure
Stuntman is an open source library we developed at RIMdev to make testing use...
Read now

Considering Hangfire In Windows Azure Instead Of WebJobs

Windows Azure
Applications are known to break, but erosion is a much sneakier adversary of ...
Read now

Deploying Jekyll to Windows Azure App Services

Windows Azure
As the development team at Ritter Insurance Marketing, we are leaning more on...
Read now

Comments

Stay fresh! The brighter green, the fresher the article!