
so here's a quick explanation of my issue - my current setup is an IdentityServer4 implementation with ASP.NET Core Identity, an API resource protected by it, and a Xamarin.Android application that is the client. My current issue is that the client (Android) cannot get anything from the API because of the following error (from the API logs):

"Bearer" was not authenticated. Failure message: "IDX10205: Issuer validation failed. Issuer: 'http://10.0.2.2:5000'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'http://127.0.0.1:5000'."

Basically, since I'm using the Android emulator, in order to call something that's on localhost on my machine, I need to use the 10.0.2.2 URL for it. Then the problem pops up - the Identity Server is fine with authenticating, I can log in fine, I get an access token, but after that I need to call the API. And that's where the error happens - it's expecting an issuer with the same authority (127.0.0.1:5000) but receives 10.0.2.2:5000, which is the authority for the Android client.

So, my question is - is there a way to somehow specify that 10.0.2.2 is also a valid issuer, or do I have to start thinking about deploying both the API and the Identity Server just so I can test the client? I'd really like it if there was a way to have the whole solution running on my local machine rather than having to deploy for every little thing I want to try out.

Any help will be appreciated very much.

  • Hi! Did you get any solution for this? – JayDeeEss Dec 13 '17 at 14:12
  • No, haven't really had the time to look into it - so far my ideas have been mainly around trying out deploying the app to a local IIS and opening it up in the firewall, or figuring out if I can tell the app to trust anything coming in to port 5000. I'll probably be trying to fix this during some off days, as this is for a personal project, not a work-related one. – Konstantin Severy Dec 14 '17 at 15:17
  • OK, thanks for the reply. Yeah, I guess the easiest way is to deploy the app on a local dev server and access those URLs. That's what I'm doing right now and it's working perfectly! – JayDeeEss Dec 14 '17 at 15:58
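For reference, this is how the API side of the setup described in the question can be told that both development authorities are acceptable issuers. This is an added example, not code from the question or any of the answers; the scheme name, the API resource name "api1" and the two URLs are assumptions taken from the question, and the list is meant for local development only (a deployed API should pin a single issuer).

```csharp
// Added example: ASP.NET Core JWT bearer configuration that accepts tokens whose
// `iss` claim is either of the two development authorities from the question.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class JwtIssuerSetup
{
    // Issuer validation is an exact string comparison of the token's `iss` claim
    // against these values, so an address that resolves to the same machine still
    // has to be listed explicitly (both entries are assumed from the question).
    public static readonly string[] DevIssuers =
    {
        "http://127.0.0.1:5000",   // IdentityServer as seen from the API host
        "http://10.0.2.2:5000",    // the same IdentityServer as seen from the Android emulator
    };

    public static void ConfigureJwtBearer(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The discovery document and signing keys are still fetched from one
                // authority; the handler appends that document's issuer to ValidIssuers.
                options.Authority = "http://127.0.0.1:5000";
                options.RequireHttpsMetadata = false;   // plain HTTP: local development only
                options.Audience = "api1";              // assumed API resource name

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuers = DevIssuers,          // replaces the single-issuer check
                    ValidateAudience = true,
                    ValidAudience = "api1",
                    ValidateLifetime = true,
                };
            });
    }
}
```

The alternative on the IdentityServer side is to pin its IssuerUri option to one fixed value so every token carries the same `iss` regardless of which host name the request arrived on; that also keeps the API's accepted-issuer list at a single entry.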

3 Answers

4

First: Given the standard, you manage just one Issuer.

Are you managing your own Identity / Token generation? It sounds like this isn't the case.

You could customize your API for creating your tokens explicitly. Then, you can indicate a global Issuer (like your project URL) so anyone can validate against the same.

using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.IdentityModel.Tokens;

// One fixed issuer string; every consumer validates the `iss` claim against this value.
var token = new JwtSecurityToken(
                issuer: "http://my-perfect-proj.net",
                claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, "user-id") }, // your claims
                notBefore: DateTime.Now,
                expires: DateTime.Now.AddHours(1),
                signingCredentials: signingCredentials); // e.g. new SigningCredentials(key, SecurityAlgorithms.HmacSha256)

After your token is created and sent, validate your incoming request based on your tastes (checking time, user's data, issuer).

ASP.NET Core JWT Bearer Token Custom Validation

Creating RESTful API with Authentication

EDIT: Using Xamarin and Visual Studio on the same machine didn't give me this kind of problem, but in that case I was using the Visual Studio Emulator. You could give it a try and avoid doing other types of workarounds.

Jose Cordero
  • Could be a solution, but I'd rather not have to do all of this just for the sake of being able to run it locally - I'd much rather not change the codebase but find a way to expose the API on my internal network. And yeah, the VS Emulator works differently compared with the Google Emulator I'm using now, but it's a pain for some of my needs so I stopped using it. Thanks for the input though - someone else might be able to benefit from it. – Konstantin Severy Dec 20 '17 at 20:32
0

So, I managed to work around the issue by simply running the Web part of it so that it's visible on my local network. What I did in more detail: in Program.cs, where I create the host, I use the .UseUrls("http://*:5001") method, and then I run the app with dotnet run.

In this way your app is accessible on your local network via the IP address of your machine and the port you've specified. Also, in order for this to work, you'd have to define a new Outbound Rule in your Firewall to allow traffic through the port you're using. Hope this helps someone else as well; this turned out to be the easiest way to get what I need to work, and that's after fighting with IIS for a while trying to get it to work through there as well.

0

Short answer: In IIS, don't leave the site binding host name set as blank.

Longer explanation:

I received a similar error, but could see that for some reason it was trying to match the issuer domain name vs. IP (the domain does point to the IP, but I guess it tries to validate the two strings). I could see this error after allowing logging: IdentityModelEventSource.ShowPII = true.

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'http://ec2XXXXXom'. Did not match: validationParameters.ValidIssuer: 'http://34.111.111.29' or validationParameters.ValidIssuers: 'null'. at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)

In IIS I previously had the host name set as blank (I am using the server name as domain name) - and therefore it set the issuer using the IP of the server. When I specifically set the site domain name, it worked.

IIS settings

David Smit