How to fix "IDX10205: Issuer validation failed." on Azure Static Web App (Preview Environment)
When visiting a Preview Environment, set up via a GitHub workflow from a Pull Request, I receive this error on the API endpoint.
{
"code": 401,
"message": "IDX10205: Issuer validation failed. Issuer: 'https://**********.centralus.5.azurestaticapps.net/.auth'. Did not match: validationParameters.ValidIssuer: 'https://***********.5.azurestaticapps.net/.auth' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'Null'. For more details, see https://aka.ms/IdentityModel/issuer-validation. "
}
It seems the generated hostname where the API is hosted does not match the region-specific hostname, but I do not know how to change/fix this.
Azure Static Web Apps
-
Vahid Ghafarpour 21,970 Reputation points
2024-11-18T02:39:54.7366667+00:00 May this thread help you?
https://learn.microsoft.com/en-us/answers/questions/1618037/jwt-token-issuer-validation-failed
-
Thomas Leumann 0 Reputation points
2024-11-18T03:00:10.38+00:00 @Vahid Ghafarpour I am using anonymous user role on the api route (there is no authentication configured in staticwebapp.config.json) so I cannot create a configuration for valid issuers?
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-18T03:06:12.5766667+00:00 Hi @Thomas Leumann ,
Welcome to the Microsoft Q&A Platform!
The error IDX10205: Issuer validation failed occurs when the issuer in the JWT token doesn't match the expected issuer configured in the backend API. This commonly happens in Azure Static Web Apps, especially when using Preview Environments, because the issuer URL for the preview environment differs from the production environment.
Add Preview Environment Issuer: Include the preview issuer URL in TokenValidationParameters.ValidIssuers or IssuerValidator.
    .ValidIssuers = new[] { "https://<production>.azurestaticapps.net/.auth", "https://<preview>.azurestaticapps.net/.auth" };
Custom Issuer Validator: Use a custom IssuerValidator to allow any .azurestaticapps.net/.auth issuer.
Disable Issuer Validation: (Temporary workaround, not recommended) Set ValidateIssuer to false in TokenValidationParameters.
Environment Variable: Add JWT_VALID_ISSUERS in Azure App Service with production and preview issuers.
Auth Config: Update staticwebapp.config.json to ensure proper authentication provider setup.
If the answer is helpful, please click "Accept Answer" and kindly upvote it.
-
Thomas Leumann 0 Reputation points
2024-11-18T03:19:49.6366667+00:00 Where do I include the Valid Issuers if I am using anonymous authentication and node js
-
Thomas Leumann 0 Reputation points
2024-11-18T03:23:03.8066667+00:00 @Shree Hima Bindu Maganti Where do I include the valid issuers if I am using anonymous authentication and node js?
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-18T03:46:14.9233333+00:00 Hi @Thomas Leumann ,
Thank you for your response!
If you are using anonymous authentication with Node.js, valid issuers are not required because no token validation occurs for anonymous users.
Remove Issuer Validation Logic in Your Node.js API: Ensure no token validation logic exists in your Node.js API for anonymous routes.
    // Express handler that responds without inspecting any token
    app.use('/api', (req, res) => {
      res.send("Anonymous access allowed, no token required.");
    });
Ensure staticwebapp.config.json Allows Anonymous Access: Update your staticwebapp.config.json to allow anonymous access explicitly:
    {
      "routes": [
        { "route": "/api/*", "allowedRoles": ["anonymous"] }
      ]
    }
-
Thomas Leumann 0 Reputation points
2024-11-18T05:16:03.1+00:00 @Shree Hima Bindu Maganti I have included the anonymous role for the api route and ensured there is no token validation logic in my function. But the error still persists. Please help me understand why this has suddenly started occurring when previous preview environments never had a problem!
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-19T06:32:46.84+00:00 Hi @Thomas Leumann ,
Thank you for the clarification!
Since you’ve already included the anonymous role and ensured no token validation logic exists, here are a few additional possibilities that might explain why this issue happened.
Azure Platform Updates: Azure Static Web Apps may have recently updated their handling of anonymous routes. Check Azure service updates or release notes for relevant changes.
Preview Environment Configuration: Ensure your staticwebapp.config.json is correctly applied. Sometimes, deployment doesn’t propagate the configuration properly, or the environment URL/domain might have mismatches.
Unintended Middleware or Dependency Behavior: Check your Node.js code for any middleware or updated libraries enforcing token validation unintentionally.
Deployment Workflow Changes: Review recent changes in your CI/CD pipeline or GitHub Actions for any unintended alterations to configurations in the preview environment.
Cache or Session Issues: Clear the browser cache or test in an incognito window to rule out caching problems.
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-20T05:18:11.3+00:00 Hi @Thomas Leumann ,
Following up to see if you have had a chance to check my previous response and help us with the requested information to check and assist you further on this.
-
Thomas Leumann 0 Reputation points
2024-11-20T06:36:03.36+00:00 Still require help with this problem, nothing has helped so far.
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-20T06:56:23.27+00:00 Hi @Thomas Leumann ,
Thank you for the clarification!
The IDX10205: Issuer validation failed error typically occurs when the token issuer in the authentication process doesn't match the expected issuer. In your case, this is happening in the Azure Static Web App Preview Environment.
In the API's authentication middleware or setup, ensure that the issuer validation is flexible enough to handle multiple issuers (both production and preview). To do this:
Update Allowed Issuers: Modify your configuration to include both the production and preview issuer URLs in the ValidIssuers parameter.
In your Startup.cs or Program.cs file
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.IdentityModel.Tokens;

    services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.Authority = "https://your-main-environment-url/.auth";
            options.Audience = "your-audience";
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Accept tokens issued by either environment
                ValidIssuers = new[]
                {
                    "https://your-main-environment-url/.auth",
                    "https://your-preview-environment-url/.auth"
                }
            };
        });
Dynamic Issuer Validation: Use a custom IssuerValidator to accept issuers dynamically.
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        IssuerValidator = (issuer, token, parameters) =>
        {
            // Compare the parsed host and path; a substring match would also accept
            // URLs that merely contain ".azurestaticapps.net/.auth" somewhere.
            if (Uri.TryCreate(issuer, UriKind.Absolute, out var uri)
                && uri.Scheme == Uri.UriSchemeHttps
                && uri.Host.EndsWith(".azurestaticapps.net", StringComparison.OrdinalIgnoreCase)
                && uri.AbsolutePath == "/.auth")
                return issuer;
            throw new SecurityTokenInvalidIssuerException();
        }
    };
Ensure your preview environment uses the correct Authority and Audience settings in your deployment configuration.
Azure documentation on issuer validation
Azure Static Web Apps Authentication documentation
Let me know if you need any further assistance.
-
Thomas Leumann 0 Reputation points
2024-11-21T03:29:12.6+00:00 @Shree Hima Bindu Maganti
> In your Startup.cs or Program.cs file
I do not have a .cs file because I am using node js for azure static web app not .net, and because I am using anonymous auth I do not appear to have any control over how to create these valid issuers?
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-21T04:06:36.3033333+00:00 Hi @Thomas Leumann ,
Thank you for the clarification!
Even with anonymous authentication, Azure Static Web Apps still attach a token to API requests in some scenarios. The error may happen if the preview environment URL isn't recognized or doesn't match the expected issuer.
Since you can't configure token validation directly, focus on ensuring the environment is set up correctly.
Verify API Route Configuration: Ensure that your routes.json explicitly allows anonymous access
    {
      "routes": [
        { "route": "/api/*", "allowedRoles": ["anonymous"] }
      ]
    }
Ignore Tokens in Node.js API: If the error persists, modify your Node.js API to bypass token validation for anonymous routes
    app.use('/api', (req, res, next) => {
      if (req.headers.authorization) {
        delete req.headers.authorization; // Ignore tokens for anonymous requests
      }
      next();
    });
Check Preview Environment URL: Preview environments use region-specific URLs. Ensure the generated preview environment hostname matches the expected issuer format. If not, this could be a backend Azure issue requiring support intervention.
Redeploy Preview Environment: Sometimes, preview environments inherit cached or outdated configurations. Delete the existing environment (close the PR and reopen it) to trigger a fresh deployment.
Raise Azure Support Ticket: If the above steps don't resolve the issue, it could be due to changes in Azure Static Web Apps' backend behavior. Contact Azure Support to investigate why token validation is being enforced even for anonymous routes.
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-22T06:08:09.3633333+00:00 Hi @Thomas Leumann ,
Following up to see if you have had a chance to check my previous response and help us with the requested information to check and assist you further on this.
-
Shree Hima Bindu Maganti 895 Reputation points • Microsoft Vendor
2024-11-23T16:35:52.9166667+00:00 Hi @Thomas Leumann ,
Following up to see if you have had a chance to check my previous response and help us with the requested information to check and assist you further on this.
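The answers above suggest a custom validator that accepts issuers under azurestaticapps.net. The following is an added example, not code from the thread or from Microsoft, of such a check for Node.js that compares parsed URL components and pins the accepted issuers to one app; `PROD_HOST`, the function names and the preview naming pattern `<app>-<env>.<region>.<suffix>` are assumptions, and all hostnames are constructed.

```javascript
// Added example. PROD_HOST and the preview naming pattern
// "<app>-<env>.<region>.<suffix>" are assumptions; all hostnames are constructed.
const PROD_HOST = "calm-sand-0a1b2c3d4.5.azurestaticapps.net";

// Substring match, shown only for comparison with the strict check below.
function substringCheck(issuer) {
  return issuer.includes(".azurestaticapps.net/.auth");
}

// Returns a predicate that accepts only this app's production issuer and
// its preview-environment issuers.
function buildIssuerValidator(prodHost) {
  const prod = prodHost.toLowerCase();
  const dot = prod.indexOf(".");
  const app = prod.slice(0, dot);   // "calm-sand-0a1b2c3d4"
  const suffix = prod.slice(dot);   // ".5.azurestaticapps.net"
  if (!suffix.endsWith(".azurestaticapps.net")) {
    throw new Error("not a Static Web Apps default hostname");
  }
  return function isValidIssuer(issuer) {
    let url;
    try { url = new URL(issuer); } catch { return false; }
    // Exact scheme and path; no credentials, port, query or fragment.
    if (url.protocol !== "https:" || url.pathname !== "/.auth") return false;
    if (url.username || url.password || url.port || url.search || url.hash) return false;
    const host = url.hostname;      // already lower-cased by the URL parser
    if (host === prod) return true;
    if (!host.endsWith(suffix)) return false;
    // What precedes the shared suffix must be exactly "<app>-<env>.<region>".
    const labels = host.slice(0, -suffix.length).split(".");
    if (labels.length !== 2) return false;
    const [envLabel, region] = labels;
    return envLabel.startsWith(app + "-")
      && /^[a-z0-9]+$/.test(envLabel.slice(app.length + 1))
      && /^[a-z0-9]+$/.test(region);
  };
}

const isValidIssuer = buildIssuerValidator(PROD_HOST);
```

The production issuer and a region-qualified preview issuer such as `https://calm-sand-0a1b2c3d4-42.centralus.5.azurestaticapps.net/.auth` pass, while another app's issuer, or a URL that only contains the suffix in its path, is rejected even though `substringCheck` accepts both.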