Visual Studio Code - IdentityServer token issuer claim missing port number in issued JWT token

Mathieu
December 12, 2024
181 views
0 votes
2 Answers

I have a strange issue with tokens issued by my local development IdentityServer (happens both with IdentityServer4 and with Duende IdentityServer).

The IdentityServer on my local dev machine is running on port 44310 and this is reflected correctly in the discovery document

However, since a few days, when I obtain a JWT access token, the issuer for some reason is just https://localhost when I inspect it in jwt.io

So it omits the port and by consequence when I use this token from a calling client it returns Unauthorized with message https://localhost is invalid issuer.

The strange thing is that this started to happen only a few days ago (cannot pinpoint exactly when) because my local IdentityServer code hasn’t changed in months.

Even stranger is that on another development VM with exactly the same Visual Studio 2022 version and running exactly the same codebase of my IdentityServer project, it is still working correctly (that is, emitting issuer "https://localhost:44310" in the JWT token).

Any ideas ?

EDIT:

Tore’s answer got me thinking and I decided to call the discovery endpoint from Postman and indeed from there the issuer is returned as https://localhost without the port, while the called url is actually with the port, which I don’t understand why it’s different when calling it from the browser (and what made it change to this behavior recently)

Answers

Chosen as BEST ANSWER
- Mathieu
- December 12, 2024 at 1:24 pm
- 0 votes
0
Found the issue !

My Postman HTTP version in the settings was set to Auto, which I guess uses HTTP 2.

When I hard select HTTP 2 it indeed comes back without the port, but when I put it on HTTP 1.x the port is included... Go figure...

(Edit)

- ToreNestenius
- December 12, 2024 at 12:05 pm
- 0 votes
0
The URL’s in the discovery document will wary depending on who is calling IdentityServer, so you will see different issuer when the client calls IdentityServer and when the browser calls it.

One option is to set the issuer to a Static URL like this:
```
var isBuilder = builder.Services.AddIdentityServer(options =>
{
    options.IssuerUri = "https://identity";
    ...
}
```
You also might need to override the URL’s used in the client like this:
```
}).AddOpenIdConnect(options =>
{
    options.Authority = "https://localhost:7001";
    options.MetadataAddress = "http://identity:80/.well-known/openid-configuration";

    ...
    options.Events.OnRedirectToIdentityProvider = context =>
    {
        context.ProtocolMessage.IssuerAddress = "https://localhost:7001/connect/authorize";
        return Task.CompletedTask;
    };
});
```
You can read a full explanation of why in my blog post: IdentityServer in Docker Containers
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.

Visual Studio Code – IdentityServer token issuer claim missing port number in issued JWT token

Answers