Hi, I have this error:
Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed(SecurityToken securityToken, Nullable`1 notBefore, Nullable`1 expires, IEnumerable`1 audiences, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
[17:01:53 INF] Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
6 Answer(s)
-
0
- Solution
That log means the API that validates the token has no issuer configured in its `TokenValidationParameters`, so it can’t match the `iss` in the token.
This is common when running behind Kubernetes / reverse proxy.

Configure JWT bearer explicitly in the service where the error happens (web app, gateway, microservice, etc.), and set `ValidIssuers` to your AuthServer authority (the public URL that issues the token).

Example (in the API / gateway project):

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Volo.Abp;
using Volo.Abp.Modularity;

public class YourApiModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();

        context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddAbpJwtBearer(options =>
            {
                options.Authority = configuration["AuthServer:Authority"]; // e.g. "https://your-authserver.yourdomain.com"
                options.Audience = "YourServiceName"; // must match 'aud' in token

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Fixes: IDX10204: Unable to validate issuer...
                    ValidIssuers = new[]
                    {
                        configuration["AuthServer:Authority"].EnsureEndsWith('/')
                    }
                };
            });
    }
}
```

Key points:
- `AuthServer:Authority` must be the public URL of the AuthServer that issues the token (for example: `https://auth.yourdomain.com/`), and you must use the same value in:
  - The AuthServer configuration (`OpenIddict` issuer).
  - The clients (Angular app, web app, gateways, microservices).
- Make sure it ends with `/` (issuer in tokens generated by OpenIddict normally does).
- If you still get issuer-related issues under K8s because the AuthServer can’t download keys / metadata properly, you can additionally customize token validation like in the support ticket:
```csharp
context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddAbpJwtBearer(options =>
    {
        options.Authority = configuration["AuthServer:Authority"];
        options.Audience = "YourServiceName";

        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuers = new[] { configuration["AuthServer:Authority"].EnsureEndsWith('/') },

            // Optional workaround when keys cannot be resolved in K8s:
            // this delegate returns the parsed token without verifying its signature.
            SignatureValidator = (token, parameters) =>
            {
                var jwt = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token);
                return jwt;
            }
        };
    });
```

Also verify on the AuthServer side (OpenIddict):
```csharp
PreConfigure<OpenIddictServerBuilder>(builder =>
{
    var configuration = context.Services.GetConfiguration();
    builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]));
});
```

So the issuer in the token and the authority / valid issuer in your APIs are identical.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
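What the `SignatureValidator` delegate in the answer above changes, as an added example that is not part of the original answer or of ABP: a stdlib-only Python model of a validator whose signature check can be replaced. HMAC-SHA256 stands in for the AuthServer's signing algorithm, and all keys, names and URLs are constructed.

```python
import base64
import hashlib
import hmac
import json

AUTH_KEY = b"constructed-authserver-key"   # constructed stand-in for the AuthServer signing key
OTHER_KEY = b"constructed-unrelated-key"   # constructed key the AuthServer does not hold
ISSUER = "https://auth.example.test/"      # constructed issuer

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"

def verify_signature(token: str) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(AUTH_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def parse_only(token: str) -> bool:
    # Same role as a SignatureValidator that only constructs JsonWebToken(token):
    # the token is parsed, its signature is never compared with anything.
    return len(token.split(".")) == 3

def validate(token: str, valid_issuers, signature_validator=verify_signature):
    """Return the claims when the token is accepted, otherwise None."""
    if not signature_validator(token):
        return None
    claims = json.loads(b64url_decode(token.split(".")[1]))
    return claims if claims.get("iss") in valid_issuers else None

CLAIMS = {"iss": ISSUER, "aud": "MyServiceName", "sub": "user-1"}
genuine = sign(CLAIMS, AUTH_KEY)
foreign = sign(CLAIMS, OTHER_KEY)  # negative-test token: right issuer string, wrong key

def outcomes() -> dict:
    return {
        "default/genuine": validate(genuine, [ISSUER]) is not None,
        "default/foreign": validate(foreign, [ISSUER]) is not None,
        "parse_only/foreign": validate(foreign, [ISSUER], parse_only) is not None,
    }
print(outcomes())
```

With the parse-only delegate, the issuer string is the only thing still checked, so the negative-test token that the default validator rejects is accepted.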
-
0
Now it says:

```
content-length: 0
date: Mon,26 Jan 2026 17:13:37 GMT
strict-transport-security: max-age=31536000; includeSubDomains
www-authenticate: Bearer error="invalid_token",error_description="The issuer 'https://auth.aaa.com/' is invalid"
x-correlation-id: ff11e3c3b832434bb7202d3a75ea6e3e
```
-
0
- Solution
The new error:

```
WWW-Authenticate: Bearer error="invalid_token", error_description="The issuer 'https://auth.routilia.com/' is invalid"
```

means: the token’s `iss` = `https://auth.routilia.com/` but the API that validates the token does not accept this issuer as valid.

Configure both AuthServer and all APIs / gateways so that:

- The issuer in tokens is `https://auth.routilia.com/`
- The JWT validation in every API explicitly allows that issuer
1. AuthServer: set the issuer
In your AuthServer module:
```csharp
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        // Must be the public URL of your AuthServer
        builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
    });
}
```

And in `appsettings.json` (or k8s env vars) of AuthServer:

```json
"AuthServer": {
  "Authority": "https://auth.routilia.com",
  "RequireHttpsMetadata": "true"
}
```

Make sure the AuthServer is actually reachable at `https://auth.routilia.com/.well-known/openid-configuration` from inside the cluster.
2. APIs / Gateways: configure JWT validation
In every service that receives bearer tokens (web app, public web, gateways, microservices), configure JWT like this:
```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Volo.Abp;
using Volo.Abp.Modularity;

public class YourServiceModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();

        context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddAbpJwtBearer(options =>
            {
                options.Authority = configuration["AuthServer:Authority"]; // "https://auth.routilia.com"
                options.Audience = "YourServiceName"; // must match token 'aud'

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // Accept the issuer seen in the token:
                    ValidIssuers = new[]
                    {
                        configuration["AuthServer:Authority"].EnsureEndsWith('/') // -> "https://auth.routilia.com/"
                    }
                };
            });
    }
}
```

And in `appsettings.json` or k8s env of each API:

```json
"AuthServer": {
  "Authority": "https://auth.routilia.com",
  "RequireHttpsMetadata": "true"
}
```

If you previously used some internal HTTP URL (like `http://auth-svc` or `http://localhost`) as `Authority` or issuer, remove it and consistently use the same HTTPS public URL everywhere.
3. If you also use `IdentityClients` (for internal HTTP calls)

For services that call others via IdentityModel (client credentials), ensure their `IdentityClients:Default:Authority` also points to the same HTTPS URL:

```json
"IdentityClients": {
  "Default": {
    "Authority": "https://auth.routilia.com",
    "ClientId": "YourClient",
    "ClientSecret": "YourSecret",
    "GrantType": "client_credentials",
    "Scope": "YourScope"
  }
}
```
Once:

- AuthServer issuer (`SetIssuer`) = `https://auth.routilia.com/`
- All APIs’ `Authority` and `ValidIssuers` include `https://auth.routilia.com/`

the `invalid_token` / “issuer is invalid” error will disappear.
- Sources
- ABP community article and support answers on `IDX10204` / issuer problems and Kubernetes deployments (includes the same `ValidIssuers` and `SetIssuer` patterns used above): https://abp.io/docs/latest/tutorials/microservice/index
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
No service is able to authenticate requests.
-
0
- Solution
In your current state:
- Tokens are being issued by `https://auth.aaa.com/`
- All services (web, gateways, microservices) are rejecting them (`invalid_token`, `issuer is invalid`)
- So no service can authenticate.
You must make issuer and authority 100% consistent everywhere, and in Kubernetes you typically also need to explicitly set ValidIssuers (and sometimes a SignatureValidator) in each service.
Do the following steps exactly.
1. AuthServer: define a fixed HTTPS issuer
In your AuthServer project module:
```csharp
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        // Must be the public URL of your AuthServer (the same URL you use from browser)
        builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
    });
}
```

And in AuthServer `appsettings.Production.json` or environment variables (in k8s):

```json
"AuthServer": {
  "Authority": "https://auth.aaa.com", // no trailing slash; code adds it
  "RequireHttpsMetadata": "true"
}
```

Important: `https://auth.aaa.com/.well-known/openid-configuration` must be reachable from inside the cluster and from browsers.
2. All services: JWT bearer with explicit `ValidIssuers`

In every project that validates tokens (Angular backend, web app, web gateway, all microservices), configure authentication like this in the module:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using Volo.Abp;
using Volo.Abp.Modularity;

public class MyServiceHttpApiHostModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        var configuration = context.Services.GetConfiguration();

        context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddAbpJwtBearer(options =>
            {
                // Must be the same public URL as in AuthServer
                options.Authority = configuration["AuthServer:Authority"]; // "https://auth.aaa.com"
                options.RequireHttpsMetadata = true;

                // Audience must match 'aud' claim in the token for this service
                options.Audience = "MyServiceName";

                // FIX: IDX10204 / invalid issuer in k8s
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuers = new[]
                    {
                        configuration["AuthServer:Authority"]!.EnsureEndsWith('/') // "https://auth.aaa.com/"
                    }
                };

                // If you still get signature key resolution errors in k8s (IDX10500),
                // you can temporarily add this workaround
                // (the delegate returns the parsed token without verifying its signature):
                /*
                options.TokenValidationParameters.SignatureValidator = (token, parameters) =>
                {
                    var jwt = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token);
                    return jwt;
                };
                */
            });
    }
}
```

And in each service’s config (values via env in k8s):

```json
"AuthServer": {
  "Authority": "https://auth.aaa.com",
  "RequireHttpsMetadata": "true"
}
```

Every service must use this same `AuthServer:Authority`.
Do not mix in `http://` or internal hostnames here.
3. Internal client-to-service calls (`IdentityClients`)

If services call other services using client credentials (`IdentityClients`), also align their Authority:

```json
"IdentityClients": {
  "Default": {
    "Authority": "https://auth.aaa.com",
    "ClientId": "MyService_Internal",
    "ClientSecret": "…",
    "GrantType": "client_credentials",
    "Scope": "MyScope"
  }
}
```

Again, same `https://auth.aaa.com` everywhere.
4. Verify inside Kubernetes
From a pod (e.g., admin microservice), run:
```bash
curl -k https://auth.aaa.com/.well-known/openid-configuration
```

You should see JSON whose:

- `issuer` is `https://auth.aaa.com/`
- all endpoints are `https://auth.aaa.com/...`
If that’s not true, fix DNS / ingress until it is.
5. If still no service authenticates
On one failing service (e.g., Administration microservice):
Enable IdentityModel debug logs as in the article.
Confirm that at startup or at first authenticated request it tries to fetch: `https://auth.aaa.com/.well-known/openid-configuration`

If it instead goes to `http://...` or `localhost`, your `Authority` is still wrong in that service.
Once:

- AuthServer issuer = `https://auth.aaa.com/`
- All services `AuthServer:Authority` = `https://auth.aaa.com`
- All services `TokenValidationParameters.ValidIssuers` include `https://auth.aaa.com/`

your `invalid_token` / issuer errors will disappear and the services will start authenticating requests.
- Sources
- Common IDX* JWT errors and how to fix issuer problems in ABP (includes `ValidIssuers` and `SetIssuer`): https://abp.io/community/articles/4u3wrbs5
- Similar Kubernetes deployment issue where no app could authenticate until issuer/authority were aligned and `ValidIssuers` added: https://abp.io/support/questions/4338
- Ticket where the same `ValidIssuers` + k8s workaround solved “no service can authenticate” in ABP microservices: https://abp.io/support/questions/8139
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
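The consistency the answers above ask for (configured authority, discovery document, token `iss`, and each service's `ValidIssuers`), as an added Python check that is not part of the original answers or of ABP. Host names, the sample token and the discovery documents are constructed, and issuer matching is modelled here as an exact string comparison.

```python
import base64
import json
from urllib.parse import urlsplit

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def token_issuer(jwt: str) -> str:
    """Read 'iss' from the payload for diagnosis only; nothing is verified here."""
    return json.loads(b64url_decode(jwt.split(".")[1]))["iss"]

def issuer_findings(authority, valid_issuers, discovery, jwt):
    """Compare the places the issuer appears; return a list of mismatches."""
    expected = authority if authority.endswith("/") else authority + "/"
    published, iss = discovery.get("issuer"), token_issuer(jwt)
    findings = []
    if urlsplit(authority).scheme != "https":
        findings.append("authority-not-https")
    if published != expected:
        findings.append("discovery-issuer-differs-from-authority")
    if iss != published:
        findings.append("token-iss-differs-from-discovery")
    if iss not in valid_issuers:  # exact comparison: a missing trailing slash fails
        findings.append("token-iss-not-in-valid-issuers")
    for name, url in discovery.items():
        if name.endswith(("_endpoint", "_uri")) and urlsplit(url).netloc != urlsplit(expected).netloc:
            findings.append(f"endpoint-on-other-host:{name}")
    return findings

def fake_jwt(iss: str) -> str:
    # Constructed, unsigned sample token: only the payload matters for this check.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc({'iss': iss})}.sig"

# Constructed sample data (hypothetical host names).
PUBLIC = "https://auth.example.test"
GOOD_DOC = {"issuer": PUBLIC + "/", "token_endpoint": PUBLIC + "/connect/token",
            "jwks_uri": PUBLIC + "/.well-known/jwks"}
INTERNAL_DOC = {"issuer": "http://auth-svc/", "token_endpoint": "http://auth-svc/connect/token",
                "jwks_uri": "http://auth-svc/.well-known/jwks"}

def scenarios() -> dict:
    return {
        "aligned": issuer_findings(PUBLIC, [PUBLIC + "/"], GOOD_DOC, fake_jwt(PUBLIC + "/")),
        "no-trailing-slash": issuer_findings(PUBLIC, [PUBLIC], GOOD_DOC, fake_jwt(PUBLIC + "/")),
        "internal-url": issuer_findings(PUBLIC, [PUBLIC + "/"], INTERNAL_DOC, fake_jwt("http://auth-svc/")),
    }
```

In practice the discovery document would be the JSON fetched from `/.well-known/openid-configuration` inside the cluster and the token one captured from a failing request.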
-
0
hi
If the API website cannot get the OpenID Connect metadata from AuthServer website, the validation will fail. You may see the error IDX10204, the full exception message is: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
see more info: https://abp.io/community/articles/common-errors-in-jwt-bearer-authentication-4u3wrbs5