- ABP Framework version: v4.4.3
- UI type: MVC / Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:"
When deploying a tiered application in containers behind an application gateway, what is the recommended configuration? The main web interface and API Host seem to work fine by configuring the "/" path to reoute to the "Web" and "/swagger" and "/api" to route to the HTTPAPI server, but routing "/Account" to the identity server causes problems (such as resources not being found).
- Should it be configured similar to a virtual directory, where all URLs have a specific path (something like "/Identity/Account/Login" instead of the current behavior of just "/Account/Login")?
-
- If so, how do I configure JUST the IdentityServer project to expect a path beyond the base URL (trying to put http://localhost/Identity" in the appsettings.json seems to ignore the "/Identity" part)
- Is there a different way to make the 3 separate containers work properly? We do not want to go to the full microservice template if possible.
6 Answer(s)
-
0
To clarify, do you want to deploy all your applications (Http.Api.Host, Web and IdentityServer) to same domain with sub folders? Web is running on: mydomain Http.Api.Host on: mydomain.com/api IdentityServer on: mydomain.com/account
If so, you will need to write Rewrite rule in load balancer (nginx i suppose) to redirect to /account
You can check deployment configurations docs. Also official identityserver4 deployment docs.
If you have already deployed identityserver, you can also share its link.
-
0
To clarify, do you want to deploy all your applications (Http.Api.Host, Web and IdentityServer) to same domain with sub folders? Web is running on: mydomain Http.Api.Host on: mydomain.com/api IdentityServer on: mydomain.com/account
If so, you will need to write Rewrite rule in load balancer (nginx i suppose) to redirect to /account
You can check deployment configurations docs. Also official identityserver4 deployment docs.
If you have already deployed identityserver, you can also share its link.
Correct. I have the rules configured and working, but the interactions aren't correct.
For RemoteServices__Default__BaseUrl I am using the internal name of the HTTP-API service. For AuthServer__Authority I cannot use the internal name because the redirect to the login page does not work externally. When I put the FQDN of the Identity-Server (with /Account at the end), and click the Login button, I am redirected to my url.com/?handler=Login which does not load.
- Should the Identity server external URL be configured for AuthServer__Authority?
- How do I get the Login button to redirect to url.com/Account/Login (or, is there another way to get that redirection to work properly behind the load balancer?)
-
0
UPDATE
I was able to get Idenity Server working better by modifying the Startup.cs:
public void Configure(IApplicationBuilder app) { app.UseStaticFiles("/IdentityServer"); app.UsePathBase("/IdentityServer"); app.InitializeApplication(); }
and modifying the ...Module.cs to include (ABOVE the
app.UseIdentityServer();
line!):var forwardOptions = new ForwardedHeadersOptions { ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto, RequireHeaderSymmetry = false }; forwardOptions.KnownNetworks.Clear(); forwardOptions.KnownProxies.Clear(); // ref: https://github.com/aspnet/Docs/issues/2384 app.UseForwardedHeaders(forwardOptions);
This allows the LOGIN button to redirect to the Identity login page. Now if I go directly to the /IdentityServer/ URL (which redirects me to /IdentityServer/Account/Login), I can login successfully. The problem is:
If I go to the MVC Index page and click the Login button the Request URL header has this:
https://url.com/IdentityServer/connect/authorize?client_id=ABPWeb_Web&redirect_uri=http://url.com/signin-oidc&response_type=code id_token&scope=openid
When this happens, the /IdentityServer/Account/Login page redirects to a 500 error page with a message "Invalid redirect_uri"
Where does the redirect_uri come from? I am running HTTPS up to the load balancer, and HTTP behind it.
-
0
Redirect_uri's are declared when client is created. See https://support.abp.io/QA/Questions/1951/500-Internal-Server-Error-Invalid-redirecturi#answer-99adb092-2a26-5dbb-6bac-39ff6bc7b817
-
0
It turns out that the problem was that it is necessary to put the ForwardedHeadersOptions code into EACH PROJECT, simply adding it to IdentityServer is not enough. In hindisght this makes sense, as the MVC project is what generates the headers with the redirect URL in them.
-
0
closing the issue. you can reopen anytime.