License error due to multiple issuer

[human-technologist]

Duende Identity Server version: 7.0.8
License: Self-hosted business licence
.NET target framework: net 8.0

We are encountering a license-related error in our test environment after applying our Duende Identity Server license key.

Error message

Your license for Duende IdentityServer only permits 1 number of issuers. You have processed requests for 2. The issuers used were: [External URL of Identity Server API], [Internal URL of AKS cluster]. This might be due to your server being accessed via different URLs or a direct IP and/or you have reverse proxy or a gateway involved. This suggests a network infrastructure configuration problem, or you are deliberately hosting multiple URLs and require an upgraded license.

We are not deliberately hosting multiple URLs, nor do we believe we should require an upgraded license.
Based on our setup, we suspect this is an infrastructure configuration issue, but we’re uncertain how to resolve it.

Background

We are running Identity Server within an AKS cluster. This results in two URLs pointing to the same Identity provider:

• An internal URL used within the cluster.
• An external URL used by applications outside the AKS cluster.

Troubleshooting

We are exploring the following potential solutions:

• Enable forwarded headers:
  Set the environment variable ASPNETCORE_FORWARDEDHEADERS_ENABLED to true, as suggested in the IdentityServer Deployment documentation. (IdentityServer Deployment | Duende Software Docs). We understand this is commonly recommended for cloud-hosted and AKS-based environments, but we’re unsure if this alone would resolve the licensing issue.

• Statically set the issuer URI:
  Configure IdentityServerOptions.IssuerUri to the external URL used in the discovery document, as described in the IdentityServer Options documentation. (IdentityServer Options | Duende Software Docs). However, we understand this approach is generally discouraged, as the issuer should be inferred dynamically from URLs used by the client applications.

Could technical support please advise on the best course of action to resolve the license error under our current setup?
Any guidance or best practices would be greatly appreciated.

[RolandGuijt]

Can you please try the forwarded headers option and report back? Chances are that will solve your problem. And indeed, statically setting the issuer URI should only be done as a last resort: if the issuer can't be inferred dynamically there is usually some kind of configuration problem.