获取 DiscoveryClient 失败 "Issuer name does not match authority"

Question

我在使用 IdentityModel 的 DiscoveryClient 执行 GET 时收到如下错误：

var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");

Issuer name does not match authority: https://localhost/identityserver

目标 URL 是启用了 IdentityServer4 的 IIS 上的 ASP.NET 核心 Web 应用程序运行。客户端应用程序是同一台机器上的经典 ASP.NET Web 应用程序运行。

显然，GET 确实设法从 IdentityServer 检索值，discoveryResponse.Raw 的内容证明了这一点：

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token",
  "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
  "end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
  "check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
  "revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
  "introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
  "claims_supported": [],
  "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
  "response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "response_modes_supported": [ "form_post", "query", "fragment" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "code_challenge_methods_supported": [ "plain", "S256" ]
}

Answer 1

权限：https://localhost/IdentityServer 发行人：https://localhost/identityserver

它们不匹配 - 区分大小写。

Answer 2

如果您无法更改服务器代码以适应策略，您可以更改策略设置以允许名称不匹配。

例如，我试图在 Azure Rest API 上使用 DiscoveryClient，而 issuer 是 https://sts.windows.net/{{ tenant_id }}，而端点都以 [=15] 开头=].

只需将字段 ValidateIssuerName 和 ValidateEndpoints 设置为 false。

var tenant_id = "8481D2AC-893F-4454-8A3B-A0297D301278"; // Made up for this example
var authority = $"https://login.microsoftonline.com/{tenant_id}";
DiscoveryClient discoveryClient = new DiscoveryClient(authority);

// Accept the configuration even if the issuer and endpoints don't match
discoveryClient.Policy.ValidateIssuerName = false;
discoveryClient.Policy.ValidateEndpoints = false;

var discoResponse = await discoveryClient.GetAsync();

稍后编辑

自发布此消息后，DiscoveryClient class 已被弃用。

这是新的调用语法：

var client = new HttpClient();
var discoResponse = await client.GetDiscoveryDocumentAsync(
    new DiscoveryDocumentRequest
    {
        Address = authority,
        Policy =
        {
            ValidateIssuerName = false,
            ValidateEndpoints = false,
        },
    }
);

Answer 3

其他答案针对客户端 - 使其接受小写发行者。

这会更改发现文档中发行人的大小写：

默认情况下，Identity Server 似乎将颁发者 Uri 更改为小写。这导致发行人的发现文件具有小写字母；以及您为其他所有内容输入 code/publishing 的情况。

我在我的 Identity Server 应用、启动、ConfigureServices 方法中修复了这个问题

            var builder = services.AddIdentityServer(options => { options.LowerCaseIssuerUri = false; })

使用这意味着发现文档中发行者的大小写与所有其他 Uris 相同

获取 DiscoveryClient 失败 "Issuer name does not match authority"

Getting DiscoveryClient fails with "Issuer name does not match authority"

asp.net

asp.net-core

identityserver4

稍后编辑