
Update to document the default validation policy (#667)

1 parent 38db24d commit 1d9461859dc1430fd8489e2abf7777e677676783 @Brar Brar committed with leastprivilege Jan 8, 2017
Showing with 17 additions and 1 deletion.
  1. +17 −1 docs/endpoints/discovery.rst
@@ -16,4 +16,20 @@ You can programmatically access the discovery endpoint using the `IdentityModel
var doc = await discoveryClient.GetAsync();
var tokenEndpoint = doc.TokenEndpoint;
- var keys = doc.KeySet.Keys;
+ var keys = doc.KeySet.Keys;
+
+For security reasons DiscoveryClient has a configurable validation policy that checks the following rules by default:
+
+* HTTPS must be used for the discovery endpoint and all protocol endpoints
+* The issuer name should match the authority specified when downloading the document (that’s actually a MUST in the discovery spec)
+* The protocol endpoints should be “beneath” the authority – and not on a different server or URL (this could be especially interesting for multi-tenant OPs)
+* A key set must be specified
+
+If for whatever reason (e.g. dev environments) you need to relax a setting, you can use the following code::
+
+ var client = new DiscoveryClient("http://dev.identityserver.internal");
+ client.Policy.RequireHttps = false;
+
+ var disco = await client.GetAsync();
+
+Btw – you can always connect over HTTP to localhost and 127.0.0.1 (but this is also configurable).
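Review bot: the closing line "(but this is also configurable)" and the bullet list leave the reader without the names of the settings being described, so the documented policy is only half usable; the example that follows shows `client.Policy.RequireHttps`, and the localhost/127.0.0.1 exemption and the remaining rules (issuer match, endpoints beneath the authority, key set present) should likewise be tied to the property on `Policy` that toggles each of them, or at least the section should say where to find them. In the same vein, the second and third bullets say "should" while the first and fourth say "must"; since the text states these are rules the client checks by default, it should be explicit that a document violating any of them is rejected unless the corresponding setting is relaxed, and the `RequireHttps = false` sample should carry the same "dev environments only" framing as the sentence above it, since it removes transport protection for the discovery document and every endpoint derived from it.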
