Getting DiscoveryClient fails with "Issuer name does not match authority"

asp.net asp.net-core identityserver4
Sigurd Garshol picture Sigurd Garshol · Apr 26, 2017 · Viewed 10.1k times · Source

I get the error below when performing a GET using IdentityModel's DiscoveryClient as follows:

var discoveryResponse = await DiscoveryClient.GetAsync("https://localhost/IdentityServer");

Issuer name does not match authority: https://localhost/identityserver

The target URL is an ASP.NET Core web application running on IIS enabled with IdentityServer4. The client application is a classic ASP.NET web application running on the same machine.

Apparently, the GET did manage to retrieve values from the IdentityServer as evidenced by the contents of discoveryResponse.Raw:

{
  "issuer": "https://localhost/identityserver",
  "jwks_uri": "https://localhost/IdentityServer/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://localhost/IdentityServer/connect/authorize",
  "token_endpoint": "https://localhost/IdentityServer/connect/token",
  "userinfo_endpoint": "https://localhost/IdentityServer/connect/userinfo",
  "end_session_endpoint": "https://localhost/IdentityServer/connect/endsession",
  "check_session_iframe": "https://localhost/IdentityServer/connect/checksession",
  "revocation_endpoint": "https://localhost/IdentityServer/connect/revocation",
  "introspection_endpoint": "https://localhost/IdentityServer/connect/introspect",
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "scopes_supported": [ "CustomIdentityResources", "profile", "openid", "MyAPI.full_access", "offline_access" ],
  "claims_supported": [],
  "grant_types_supported": [ "authorization_code", "client_credentials", "refresh_token", "implicit" ],
  "response_types_supported": [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
  "response_modes_supported": [ "form_post", "query", "fragment" ],
  "token_endpoint_auth_methods_supported": [ "client_secret_basic", "client_secret_post" ],
  "subject_types_supported": [ "public" ],
  "id_token_signing_alg_values_supported": [ "RS256" ],
  "code_challenge_methods_supported": [ "plain", "S256" ]
}

Answer

leastprivilege picture leastprivilege · Apr 26, 2017

authority: https://localhost/IdentityServer issuer: https://localhost/identityserver

They do not match - it's case sensitive.

Related questions

IdentityServer4 Role Based Authorization for Web API with ASP.NET Core Identity

I am using IdentityServer4 with .Net Core 2.1 and Asp.Net Core Identity. I have two projects in my Solution. IdentityServer Web API I want to Protect my Web APIs, I use postman for requesting new tokens, It works and tokens …

Read More
How do you create a custom AuthorizeAttribute in ASP.NET Core?

I'm trying to make a custom authorization attribute in ASP.NET Core. In previous versions it was possible to override bool AuthorizeCore(HttpContextBase httpContext). But this no longer exists in AuthorizeAttribute. What is the current approach to make a custom …

Read More
Visual Studio 2017 error: Unable to start program, An operation is not legal in the current state

After fresh installation of Visual Studio 2017 I tried to run .NET Core Web project and when trying to run it on Chrome I am getting this error: Unable to start program, An operation is not legal in the current state

Read More