7

The access token in response contains the following claims:

    {
      "alg": "RS256",
      "kid": "143e829c2b57489969753ba4f8205979df0da988c640cffa5f1f4eda1b6e6aa4",
      "typ": "JWT"
    }
    {
      "nbf": 1481451903,
      "exp": 1481455503,
      "iss": "https://localhost:44350",
      "aud": [ "https://localhost:44350/resources", "customAPI" ],
      "client_id": "oauthClient",
      "scope": [ "customAPI.read" ]
    }

And here is the config to tell my application to use IdentityServer to authenticate:

    app.UseIdentityServerAuthentication(
        new IdentityServerAuthenticationOptions
        {
            Authority = "https://localhost:44350/",
            ApiName = "customAPI",
            ApiSecret = "secret",
            AllowedScopes = { "customAPI.full_access", "customAPI.read_only" },
            RequireHttpsMetadata = false
        });

How do I allow the user to authenticate on a different alias of the IdentityServer besides https://localhost:44350/, e.g. http://192.168.1.20:44350/?

Currently, the token obtained from the latter domain is deemed invalid on my client, which has the Authority set to the former domain.

Elveryx

1 Answer

8

You can set a static issuer name when adding IdentityServer in the ConfigureServices method. It's on the options passed into AddIdentityServer.

https://identityserver4.readthedocs.io/en/latest/reference/options.html

eddex
leastprivilege
  • The link is broken. Here is the working link: https://identityserver4.readthedocs.io/en/latest/reference/options.html – Serkan Yilmaz May 24 '19 at 12:56
  • And if I need to change it on a per-client basis? – giammin Dec 13 '19 at 10:55
  • 1
    Does this have to be a URI? Would a non-URI string work? – liang Jun 15 '20 at 07:47
  • This IssuerUri parameter logically should be a Uri, but in practice it does not have to be, as it is just a string appearing in the token as '**iss**' and in the resulting discovery document. I've just tested this. IssuerUri = "foo" appears in the document as well as the token, and it is accepted. (This is a major benefit for development environments and internal Docker networks.) *Do note* that using a per-request URL allows you to see on what domain the authentication was done and can help in making production environments more secure that way. – David Zwart Dec 01 '20 at 18:32
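
The issuer check behind this question, as an added example that is not code from the original posts or from IdentityServer. It mints two tokens with `System.IdentityModel.Tokens.Jwt` and validates them against the API's configured authority, showing why a token issued under the alias host is rejected and why a static `IssuerUri` avoids that. The class and method names and the throwaway RSA key are hypothetical; the assumption is that, without `IssuerUri`, the issuer is inferred from the host name the client used.

```csharp
// Added example, not from the original page.
// Requires the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

class IssuerMismatchDemo
{
    // Constructed throwaway key standing in for the server's signing key.
    static readonly RsaSecurityKey Key = new RsaSecurityKey(RSA.Create(2048));
    static readonly JwtSecurityTokenHandler Handler = new JwtSecurityTokenHandler();

    // Mint an RS256 token carrying the given "iss" value (hypothetical helper).
    static string Mint(string issuer) =>
        Handler.WriteToken(Handler.CreateToken(new SecurityTokenDescriptor
        {
            Issuer = issuer,
            Audience = "customAPI",
            Expires = DateTime.UtcNow.AddHours(1),
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.RsaSha256)
        }));

    // Validate as the API would: "iss" must equal the expected issuer exactly.
    static bool IsAccepted(string jwt, string expectedIssuer)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = expectedIssuer,
            ValidAudience = "customAPI",
            IssuerSigningKey = Key
        };
        try { Handler.ValidateToken(jwt, parameters, out _); return true; }
        catch (SecurityTokenInvalidIssuerException) { return false; }
    }

    static void Main()
    {
        const string authority = "https://localhost:44350";
        // Issuer inferred from the alias host: differs from the API's authority.
        Console.WriteLine(IsAccepted(Mint("http://192.168.1.20:44350"), authority));
        // Static issuer (options.IssuerUri on AddIdentityServer): same "iss" on every alias.
        Console.WriteLine(IsAccepted(Mint(authority), authority));
    }
}
```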