SteeltoeOSS · TimHess · Aug 29, 2025 · Aug 28, 2025
diff --git a/src/Security/src/Authentication.JwtBearer/PostConfigureJwtBearerOptions.cs b/src/Security/src/Authentication.JwtBearer/PostConfigureJwtBearerOptions.cs
@@ -5,6 +5,7 @@
 using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.Options;
+using Steeltoe.Common;
 
 namespace Steeltoe.Security.Authentication.JwtBearer;
 
@@ -42,7 +43,18 @@ public void PostConfigure(string? name, JwtBearerOptions options)
             return;
         }
 
-        options.TokenValidationParameters.ValidIssuer = $"{options.Authority}/oauth/token";
+        if (Platform.IsCloudFoundry && options.Authority.Contains(".login", StringComparison.OrdinalIgnoreCase))
+        {
+            options.TokenValidationParameters.ValidIssuers =
+            [
+                $"{options.Authority}/oauth/token",
+                $"{options.Authority.Replace(".login", ".uaa", StringComparison.OrdinalIgnoreCase)}/oauth/token"
+            ];
+        }
+        else
+        {
+            options.TokenValidationParameters.ValidIssuer = $"{options.Authority}/oauth/token";
+        }
 
         var keyResolver = new TokenKeyResolver(options.Authority, options.Backchannel);
         options.TokenValidationParameters.IssuerSigningKeyResolver = (_, _, keyId, _) => keyResolver.ResolveSigningKey(keyId);

diff --git a/src/Security/test/Authentication.JwtBearer.Test/PostConfigureJwtBearerOptionsTest.cs b/src/Security/test/Authentication.JwtBearer.Test/PostConfigureJwtBearerOptionsTest.cs
@@ -36,6 +36,53 @@ public void PostConfigure_AddsClientIdToValidAudiences()
 
     [Fact]
     public async Task PostConfigure_ConfiguresForCloudFoundry()
+    {
+        const string vcapServices = """
+            {
+                "p-identity": [
+                {
+                    "label": "p-identity",
+                    "provider": null,
+                    "plan": "steeltoe",
+                    "name": "mySSOService",
+                    "tags": [],
+                    "instance_guid": "ea8b8ac0-ce85-4726-8b39-d1b2eb55b45b",
+                    "instance_name": "mySSOService",
+                    "binding_guid": "be94e8e7-9246-49af-935f-5390ff10ac23",
+                    "binding_name": null,
+                    "credentials": {
+                        "auth_domain": "https://steeltoe.uaa.sys.cf-app.com",
+                        "grant_types": [ "client_credentials" ],
+                        "client_secret": "dd2c82e1-aa99-4eaf-9871-2eb7412b79bb",
+                        "client_id": "4e6f8e34-f42b-440e-a042-f2b13c1d5bed"
+                    },
+                    "syslog_drain_url": null,
+                    "volume_mounts": []
+                }]
+            }
+            """;
+
+        using var servicesScope = new EnvironmentVariableScope("VCAP_SERVICES", vcapServices);
+        IConfiguration configuration = new ConfigurationBuilder().AddCloudFoundryServiceBindings().Build();
+        var services = new ServiceCollection();
+        services.AddSingleton(configuration);
+        services.AddAuthentication().AddJwtBearer().ConfigureJwtBearerForCloudFoundry();
+
+        await using ServiceProvider serviceProvider = services.BuildServiceProvider(true);
+        var optionsMonitor = serviceProvider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>();
+        JwtBearerOptions options = optionsMonitor.Get(JwtBearerDefaults.AuthenticationScheme);
+
+        options.Authority.Should().Be("https://steeltoe.uaa.sys.cf-app.com");
+        options.MetadataAddress.Should().Be("https://steeltoe.uaa.sys.cf-app.com/.well-known/openid-configuration");
+        options.RequireHttpsMetadata.Should().BeTrue();
+        options.TokenValidationParameters.ValidIssuer.Should().Be("https://steeltoe.uaa.sys.cf-app.com/oauth/token");
+        options.TokenValidationParameters.ValidIssuers.Should().BeEmpty();
+        options.TokenValidationParameters.IssuerSigningKeyResolver.Should().NotBeNull();
+        options.TokenValidationParameters.ValidAudiences.Should().Contain("4e6f8e34-f42b-440e-a042-f2b13c1d5bed");
+    }
+
+    [Fact]
+    public async Task PostConfigure_ConfiguresForCloudFoundry_AllowMultipleIssuers()
     {
         const string vcapServices = """
             {
@@ -62,6 +109,7 @@ public async Task PostConfigure_ConfiguresForCloudFoundry()
             }
             """;
 
+        using var applicationScope = new EnvironmentVariableScope("VCAP_APPLICATION", "{}");
         using var servicesScope = new EnvironmentVariableScope("VCAP_SERVICES", vcapServices);
         IConfiguration configuration = new ConfigurationBuilder().AddCloudFoundryServiceBindings().Build();
         var services = new ServiceCollection();
@@ -75,7 +123,11 @@ public async Task PostConfigure_ConfiguresForCloudFoundry()
         options.Authority.Should().Be("https://steeltoe.login.sys.cf-app.com");
         options.MetadataAddress.Should().Be("https://steeltoe.login.sys.cf-app.com/.well-known/openid-configuration");
         options.RequireHttpsMetadata.Should().BeTrue();
-        options.TokenValidationParameters.ValidIssuer.Should().Be("https://steeltoe.login.sys.cf-app.com/oauth/token");
+        options.TokenValidationParameters.ValidIssuer.Should().BeNull();
+
+        options.TokenValidationParameters.ValidIssuers.Should().Contain("https://steeltoe.login.sys.cf-app.com/oauth/token").And
+            .Contain("https://steeltoe.uaa.sys.cf-app.com/oauth/token");
+
         options.TokenValidationParameters.IssuerSigningKeyResolver.Should().NotBeNull();
         options.TokenValidationParameters.ValidAudiences.Should().Contain("4e6f8e34-f42b-440e-a042-f2b13c1d5bed");
     }