I need some help to point me in the right direction. I publish my app in Docker and set up my appsettings.json with my public address. My public address is using Cloudflare Zero Trust. When logging in I am constantly getting this message:

    alt-svc: h3=":443"; ma=86400
    cf-cache-status: DYNAMIC
    cf-ray: 9def33e9dd99b3c1-MIA
    content-length: 0
    date: Thu, 19 Mar 2026 20:24:48 GMT
    nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
    report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=h8VnfxfihWQw9PAhhxz3ezEHa%2BCBsvfh8xsRwuP%2BFcSkmyQOlkEmlf58CrF62Vv6Y2BZfkaluNgcevVOdBsrGZqF%2Bb0ihIy0nUbZK8PGtnsSGarrN3%2BRE%2Bu5%2Fa6w"}]}
    server: cloudflare
    www-authenticate: Bearer error="invalid_token",error_description="The issuer 'https://auth-apollo-stg.ligjamaica.com/' is invalid"
    x-content-type-options: nosniff
    x-frame-options: SAMEORIGIN
    x-xss-protection: 1; mode=block
2 Answer(s)
- This error means the API (resource server) is validating the JWT and rejects it because the `iss` (issuer) claim inside the access token does not match what the API expects from the discovery document / configured authority.
- In ABP (OpenIddict AuthServer), the issuer is derived from the incoming HTTP request unless you explicitly set it. When you put the AuthServer behind Cloudflare Zero Trust / a reverse proxy, the AuthServer may "see" a different scheme/host than the public one, causing tokens to be issued with an unexpected `iss`.
Fix (recommended): Force a stable Issuer on the AuthServer
In your AuthServer project, set the issuer to your public URL (the one you want clients/APIs to accept):
```csharp
using System;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Server;
using Volo.Abp.Modularity;

// In the AuthServer module class (the *AuthServerModule.cs file)
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        // Pin the issuer instead of letting OpenIddict derive it from the incoming request.
        // The configured value should be exactly the public issuer, e.g.
        // https://auth-apollo-stg.ligjamaica.com/
        builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
    });
}
```

Then make sure `AuthServer:Authority` is exactly the same value everywhere (AuthServer, API/HttpApiHost, Blazor app), including scheme (https) and trailing slash behavior (be consistent; OpenIddict typically returns the issuer with a trailing `/`).

Fix (also important behind Cloudflare): Ensure forwarded headers are honored

Because Cloudflare terminates TLS, your container may receive HTTP internally. Configure forwarded headers early in the pipeline (AuthServer and the API hosts) so ASP.NET Core can reconstruct the original scheme/host:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HttpOverrides;
using Volo.Abp;
using Volo.Abp.Modularity;

public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
    var app = context.GetApplicationBuilder();

    // Must run before authentication/OpenIddict so they see the public scheme and host.
    app.UseForwardedHeaders(new ForwardedHeadersOptions
    {
        ForwardedHeaders = ForwardedHeaders.XForwardedProto | ForwardedHeaders.XForwardedHost
        // The middleware only honors these headers from proxies it trusts (loopback by default).
        // In Docker the proxy/tunnel sits on another address, so register it in
        // KnownProxies / KnownNetworks rather than clearing both lists: clearing them lets
        // anyone who can reach the container directly spoof the scheme and host.
    });

    // ... the rest of your middleware pipeline
}
```

This helps OpenIddict generate correct endpoints/issuer when it relies on the current request.
What to verify after changes

- Open the discovery document publicly: https://auth-apollo-stg.ligjamaica.com/.well-known/openid-configuration and confirm `issuer` is exactly: https://auth-apollo-stg.ligjamaica.com/
- Acquire a new access token and confirm its `iss` claim matches the same value.
- Ensure the API's `AuthServer:Authority` points to that same URL.
Sources:
- https://abp.io/community/articles/4u3wrbs5
- https://abp.io/support/questions/4338
- https://abp.io/docs/latest/modules/openiddict
This response was generated by AI.
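An added check for the "What to verify after changes" steps in the answer above. It is not part of the original answer or of ABP/OpenIddict: it decodes the token's `iss` claim without verifying the signature, reads `issuer` from a discovery document, and compares both with the API's configured `AuthServer:Authority`, classifying a mismatch as either a string-level difference (trailing slash, letter case) or a different origin. The discovery document, the HS256 demo token and its key are constructed sample data; `http://authserver:8080/` is a hypothetical internal container name.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit, urlunsplit


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict, key: bytes = b"constructed-demo-key") -> str:
    # Builds an HS256 JWT for the demo only; constructed data, not a real AuthServer token.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = b64url_encode(hmac.new(key, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{signature}"


def jwt_claims_unverified(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature.
    Good enough to see which issuer a token carries; never use it to authorize."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(b64url_decode(parts[1]))


def normalize_issuer(value: str) -> str:
    """Canonical form used for diagnosis only: lower-case scheme and host, no trailing slash.
    JwtBearer compares issuer strings exactly, so differences this hides are still real
    failures; the function exists to tell 'same origin, different string' from 'wrong origin'."""
    p = urlsplit(value.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path.rstrip("/"), "", ""))


def diagnose(discovery_json: str, token: str, api_authority: str) -> dict:
    """Compare the three places an issuer lives: discovery document, token iss, API config."""
    discovery_issuer = json.loads(discovery_json)["issuer"]
    token_issuer = jwt_claims_unverified(token).get("iss")
    values = (discovery_issuer, token_issuer, api_authority)

    if token_issuer is None:
        verdict = "token-has-no-iss"
    elif len(set(values)) == 1:
        verdict = "ok"
    elif len({normalize_issuer(v) for v in values}) == 1:
        verdict = "slash-or-case-mismatch"  # same origin, strings differ: align the config values
    else:
        verdict = "origin-mismatch"  # different scheme/host: issuer derived from the wrong request
    return {
        "discovery_issuer": discovery_issuer,
        "token_issuer": token_issuer,
        "api_authority": api_authority,
        "verdict": verdict,
    }


PUBLIC_ISSUER = "https://auth-apollo-stg.ligjamaica.com/"

# Constructed discovery document; a real one carries many more members.
DEMO_DISCOVERY = json.dumps({
    "issuer": PUBLIC_ISSUER,
    "jwks_uri": PUBLIC_ISSUER + ".well-known/jwks",
})

DEMO_TOKEN = make_demo_token({"iss": PUBLIC_ISSUER, "sub": "demo-user", "aud": "Apollo"})

if __name__ == "__main__":
    for authority in (
        PUBLIC_ISSUER,
        "https://auth-apollo-stg.ligjamaica.com",  # trailing slash dropped in the API config
        "http://authserver:8080/",                 # hypothetical internal Docker service name
    ):
        print(json.dumps(diagnose(DEMO_DISCOVERY, DEMO_TOKEN, authority), indent=2))
```

A `slash-or-case-mismatch` verdict points at the first fix in the answer (make the `AuthServer:Authority` strings identical in every host); an `origin-mismatch` points at the second (the AuthServer built its issuer from the internal request, so pin it with `SetIssuer` and honor forwarded headers). For a live check, replace `DEMO_DISCOVERY` with the body of the public `.well-known/openid-configuration` URL and `DEMO_TOKEN` with a freshly issued access token.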
Hi,

Can you share the logs.txt files for all of your apps?
We need to check the backend logs.
Debug Logs: https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
And you can refer to this article: https://abp.io/community/articles/Common%20Errors%20in%20JWT%20Bearer%20Authentication-4u3wrbs5#gsc.tab=0
Thanks.