At Ritter Insurance Marketing, we utilize IdentityServer3 for our authentication mechanism. It has been almost a year of hosting in Windows Azure with great success. While it has been a positive experience, but there has been one frustrating issue. Unpredictably, our authentication system would break, leaving our applications inaccessible. We started noticing a specific exception in our error log when these events would occur:

System.IdentityModel.Tokens.SecurityTokenInvalidIssuerException

IDX10205: Issuer validation failed. Issuer: 'https://auth.ritterim.com/identity'.  \
Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: \
'https://auth.ritterim.com/, https://rim-auth-east.azurewebsites.net/identity'.

We have noticed that the Issuer url value being provided by an authentication request changes randomly in Windows Azure. The unknown bug causes our applications to break. While the change is random, the expected issuer urls are not. We have narrowed it down to these known variations.

https://{custom domain name}.com
https://{custom domain name}.com/identity
https://{azure app name}.azurewebsites.net
https://{azure app name}.azurewebsites.net/identity

To setup the valid issuers for IdentityServer3, we just use the APIs provided by the library.

app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    // other settings...
    TokenValidationParameters = new TokenValidationParameters()
    {
        AuthenticationType = "Cookies",
        // a comma seperated list of urls
        ValidIssuers = config.ValidIssuers
    }
    // other settings...
});

We hope we’ve found all the variations, and for the last several weeks our authentication has become a lot more stable. I hope this helps anyone experiencing issues with IdentityServer3 and Windows Azure.

Published Jan 16, 2016 by

Director of Software Development

Senior Software Developer

Senior Application Developer

Security

Windows Azure

Regex Performance With and Without RegexOptions.C...

z-index Is Confusing, but It Doesn't Have to Be

Logging ASP.NET Web API 2 Failed Request Body to ...

Using forEach for IE 11

Understanding Dart Sass modules and namespaced va...

Autofac: Eager vs Lazy Construction During Regist...

Writing a Browser Compatible Date Input

Non Pro/Premier SendGrid Accounts May Have Issues...

Vue 3 Composition API

Upcoming Google Chrome SameSite Change Breaks Our...

A Case Of Newtonsoft.Json, TypeNameHandling.All, ...

Ordering of static fields in C# matters

Avoiding a LINQ FirstOrDefault mishap

Artifact Conference 2019

How to Work with NPM Packages Locally Using .tgz ...

Caching Git LFS in AppVeyor to Avoid Large GitHub...

UX/UI Solutions: Make Content Less Overwhelming.

Takeaways from An Event Apart

ChatOps at RIMDev Using Probot

Working At Work: This And Other Thoughts On High ...

Windows Azure, IdentityServer3, and Valid Issuers

Comments

Windows Azure, IdentityServer3, and Valid Issuers

Deprecating Subdomains Effectively With Windows Azure and IIS

Secure Global Stuntman Users With Windows Azure Blob Storage

Considering Hangfire In Windows Azure Instead Of WebJobs

Deploying Jekyll to Windows Azure App Services

Comments