Bearer error="invalid_token", error_description="The issuer is invalid"
Solution 1
The Authority
of AddIdentityServerAuthentication
middleware should be the base-address of your identityserver , middleware will contact the identity server's OIDC metadata endpoint to get the public keys to validate the JWT token .
Please confirm that the Authority is the url of identity server where you issued the jwt token .
Solution 2
I ran into a similar issue. I was generating my token via Postman when sending in my request and using an external IP to access my Keycloak instance running inside of my kubernetes cluster. When my service inside the cluster tried to verify the token against the authority, it failed because the internal service name (http://keycloak) it used to validated the token was different than what Postman had used to generate the token (<external-keycloak-ip).
Since this was just for testing, I set the ValidateIssuer
to false.
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = false
};
Solution 3
I'm on dotnet 5.0, adding swagger (NSwag.AspNetCore) to my AzureAD "protected" web api and got a similar error about invalid issuer:
date: Tue,16 Mar 2021 22:50:58 GMT
server: Microsoft-IIS/10.0
www-authenticate: Bearer error="invalid_token",error_description="The issuer 'https://sts.windows.net/<your-tenant-id>/' is invalid"
x-powered-by: ASP.NET
So, instead of not validating the issuer, I just added sts.windows.net to the list (important parts in the end):
// Enable JWT Bearer Authentication
services.AddAuthentication(sharedOptions =>
{
sharedOptions.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
}).AddJwtBearer(options =>
{
Configuration.Bind("AzureAd", options);
// Authority will be Your AzureAd Instance and Tenant Id
options.Authority = $"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/v2.0";
// The valid audiences are both the Client ID(options.Audience) and api://{ClientID}
options.TokenValidationParameters.ValidAudiences = new[]
{
Configuration["AzureAd:ClientId"], $"api://{Configuration["AzureAd:ClientId"]}",
};
// Valid issuers here:
options.TokenValidationParameters.ValidIssuers = new[]
{
$"https://sts.windows.net/{Configuration["AzureAd:TenantId"]}/",
$"{Configuration["AzureAd:Instance"]}{Configuration["AzureAd:TenantId"]}/"
};
});
This solved my problems. Now, why NSwag uses sts.windows.net as token issuer, I don't know. Seems wrong. I'm using these package versions:
<PackageReference Include="Microsoft.AspNetCore.Authentication" Version="2.2.0" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="5.0.3" />
<PackageReference Include="NSwag.AspNetCore" Version="13.10.8" />
w0051977
Updated on June 15, 2022Comments
-
w0051977 almost 2 years
I have a simple web api project, which looks like this:
[Authorize] [Route("Get")] public ActionResult<string> SayHello() { return "Hello World"; }
I am trying to test it with Postman. By following the steps here: https://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-testing-your-authorization-server-with-postman/
1) Send the request below and receive a token as expected:
2) Attempt to send another request with the authorization token as shown below:
Why do I get a 401 (unauthorized) error? The WWW-Authenticate response header says: Bearer error="invalid_token", error_description="The issuer is invalid". I am using .Net Core 3.1. I have commented out the sensitive information in the screenshots.
The web api works as expected when accessed from an MVC application.
Here is the startup code:
services.AddAuthentication("Bearer") .AddIdentityServerAuthentication(options => { options.Authority = identityUrl; //identityurl is a config item options.RequireHttpsMetadata = false; options.ApiName = apiName; });
-
Johan Danforth about 3 yearsI had a similar problem, but added the issuer to my list of valid issuers to get past the problem, see my answer at stackoverflow.com/questions/60306175/…
-
RazorShorts almost 3 yearsFor me a similar issue was the case. My application had configured baseadress with a / at the end . This was validated against the oidc issuer without the slash.
-
Nlr about 2 years@RazorShorts you save my day. I was not using / when configuring the issuer. Don't know why this work like this