- ABP Framework version: v5.2.0
- UI type: Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace: 500 internal server error INVALID_REQUEST response.
- Steps to reproduce the issue:
I'm trying to set up subdomain login for tenants. I have the following set up:
Blazor Project
Blazor Client running in an Azure Web app service. With the following configuration:
{
  "App": {
    "SelfUrl": "https://test.mydomain.com"
  },
  "AuthServer": {
    "Authority": "https://testmydomainhost.azurewebsites.net",
    "ClientId": "App_Blazor",
    "ResponseType": "code"
  },
  "RemoteServices": {
    "Default": {
      "BaseUrl": "https://testmydomain.azurewebsites.net"
    }
  }
  ......
}
All certificates and DNS have been set up correctly for test.mydomain.com and *.test.mydomain.com
Host Project
The Host project is running in a separate Azure App service.
The Host project ...HttpApi.Host has been modified like this:
At the end of the ConfigureServices method of the ...HttpApiHostModule class I've added:
Configure<AbpTenantResolveOptions>(options =>
{
    options.AddDomainTenantResolver("{0}.test.mydomain.com");
});
In the appsettings for the HttpApi.Host project I have:
{
  "App": {
    "SelfUrl": "https://testmydomainhost.azurewebsites.net",
    "AngularUrl": "https://testmydomainhost.azurewebsites.net:4200",
    "CorsOrigins": "https://.testmydomainblazor.azurewebsites.net,https://testmydomainblazor.azurewebsites.net,https://test.mydomain.com, https://.test.mydomain.com",
    "RedirectAllowedUrls": "https://testmydomainhost.azurewebsites.net:4200,https://testmydomainhost.azurewebsites.net,https://.testmydomainblazor.azurewebsites.net,https://testmydomainblazor.azurewebsites.net,https://test.mydomain.com, https://.test.mydomain.com"
  },
  ....
  "AuthServer": {
    "Authority": "https://testmydomainhost.azurewebsites.net",
    "RequireHttpsMetadata": "false",
    "SwaggerClientId": "App_Swagger",
    "SwaggerClientSecret": "...."
  }
  ....
}
Identity Server
In Identity Server I have these settings:
IdentityServerClients table:
Id                                     ClientId
9F9E6713-3B8F-6F35-2A69-3A03AAAFAA28   App_Web_Public
F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D   App_App
5A38608A-25E1-03D7-76E3-3A03AAAFABE8   App_Blazor
70C8527D-01EA-2F4B-D58F-3A03AAAFAD68   App_Swagger
10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E   APP_Wildcard
IdentityServerClientCorsOrigins table:
ClientId                               Origin
F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D   http://localhost:4200
5A38608A-25E1-03D7-76E3-3A03AAAFABE8   https://test.mydomain.com
70C8527D-01EA-2F4B-D58F-3A03AAAFAD68   https://testmydomainhost.azurewebsites.net
10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E   https://*.test.mydomain.com
IdentityServerClientRedirectUris table:
ClientId                               RedirectUri
9F9E6713-3B8F-6F35-2A69-3A03AAAFAA28   https://localhost:44304/signin-oidc
F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D   http://localhost:4200
5A38608A-25E1-03D7-76E3-3A03AAAFABE8   https://test.mydomain.com/authentication/login-callback
70C8527D-01EA-2F4B-D58F-3A03AAAFAD68   https://testmydomainhost.azurewebsites.net/swagger/oauth2-redirect.html
10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E   https://*.test.mydomain.com/authentication/login-callback
I've tried lots of different combinations of URLs, and can't get anything to work. I understand that this last configuration with the App_Wildcard client is not having any impact because the Blazor app is using the App_Blazor clientId.
Now this is what is happening:
If I use test.mydomain.com, everything works fine.
I added a new client tenant with the name Test1. If I navigate to test1.test.mydomain.com, the site appears correctly, but when I try to login, I get the 500 internal server error INVALID_REQUEST response.
Can you please tell me what combination of Identity Server URLs or other configuration I would need to use to get subdomain authentication working? I've tried everything I can think of.
7 Answer(s)
-
0
Share related application logs please. It is found under the Logs folder as logs.txt file. If you are running on containers, you can also retry the process and check the container/pod logs.
-
0
Here is the relevant log from the Host application. The key piece of information is: Error":"invalid_request","ErrorDescription":"Invalid redirect_uri","Category":"Token","Name":"Token Issued
2022-05-18 01:01:27.848 +00:00 [INF] Request starting HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/connect/authorize?client_id=App_Blazor&redirect_uri=https%3A%2F%2Ftest1.test.schemasight.com%2Fauthentication%2Flogin-callback&response_type=code&scope=openid%20profile%20App%20role%20email%20phone&state=1da588d11341487a94642d2bed6eab20&code_challenge=qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI&code_challenge_method=S256&prompt=none&response_mode=query - -
2022-05-18 01:01:27.868 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
2022-05-18 01:01:27.895 +00:00 [ERR] Invalid redirect_uri: https://test1.test.schemasight.com/authentication/login-callback {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"],"SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","ResponseType":null,"ResponseMode":null,"GrantType":null,"RequestedScopes":"","State":null,"UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":"","MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"App_Blazor","redirect_uri":"https://test1.test.schemasight.com/authentication/login-callback","response_type":"code","scope":"openid profile App role email phone","state":"1da588d11341487a94642d2bed6eab20","code_challenge":"qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI","code_challenge_method":"S256","prompt":"none","response_mode":"query"},"$type":"AuthorizeRequestValidationLog"}
2022-05-18 01:01:27.895 +00:00 [ERR] Request validation failed
2022-05-18 01:01:27.895 +00:00 [INF] {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"],"SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","ResponseType":null,"ResponseMode":null,"GrantType":null,"RequestedScopes":"","State":null,"UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":"","MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"App_Blazor","redirect_uri":"https://test1.test.schemasight.com/authentication/login-callback","response_type":"code","scope":"openid profile App role email phone","state":"1da588d11341487a94642d2bed6eab20","code_challenge":"qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI","code_challenge_method":"S256","prompt":"none","response_mode":"query"},"$type":"AuthorizeRequestValidationLog"}
2022-05-18 01:01:27.896 +00:00 [INF] {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"Endpoint":"Authorize","SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","Scopes":"","GrantType":null,"Error":"invalid_request","ErrorDescription":"Invalid redirect_uri","Category":"Token","Name":"Token Issued Failure","EventType":"Failure","Id":2001,"Message":null,"ActivityId":"80000037-0000-eb00-b63f-84710c7967bb","TimeStamp":"2022-05-18T01:01:27.0000000Z","ProcessId":1456,"LocalIpAddress":"10.11.0.196:443","RemoteIpAddress":"49.191.30.55","$type":"TokenIssuedFailureEvent"}
2022-05-18 01:01:27.897 +00:00 [INF] Request finished HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/connect/authorize?client_id=App_Blazor&redirect_uri=https%3A%2F%2Ftest1.test.schemasight.com%2Fauthentication%2Flogin-callback&response_type=code&scope=openid%20profile%20App%20role%20email%20phone&state=1da588d11341487a94642d2bed6eab20&code_challenge=qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI&code_challenge_method=S256&prompt=none&response_mode=query - - - 302 - - 48.3418ms
2022-05-18 01:01:27.958 +00:00 [INF] Request starting HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/Account/Error?errorId=CfDJ8A81w2ldNe9HkjgrAVgXeu2KSVwnb2qRNv8Q7cucfA9K5sGzzdnJcqcCwghB2LY0XRj6SvbcTAw-yBmMdeoMLE5Jp4EDCQyvou9drwxJnN8auNRbcKWZE4IUs5OQ9j9yfJp-JRD5oWywlC_T0JHy72pnJBD_tF_R9_aSDmMHH1rd-WN9t0Yps9UT4jSfv5g6BaDdhG4hfarMTw-Yyn3QyiwWjyCS-fnnhNTyYvkc81Y4HsaV4n4YJESuht8NxnE2BM3OXvJiKe7hxDwi96kf6ZD29bKu0PGvoSTruCAtN_BrBTAgBV6tg49H3mpiZkndvFgZ6SVbc6fWYlpUEDVsbhCsBhxru4q_14WAgjMIepYf - -
2022-05-18 01:01:27.970 +00:00 [INF] Executing endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
2022-05-18 01:01:27.974 +00:00 [INF] Route matched with {area = "account", action = "Index", controller = "Error", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Index(System.String) on controller Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController (Volo.Abp.Account.Pro.Public.Web.IdentityServer).
2022-05-18 01:01:27.980 +00:00 [INF] Executing action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) - Validation state: "Valid"
2022-05-18 01:01:27.980 +00:00 [INF] Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer), returned result Microsoft.AspNetCore.Mvc.ViewResult in 0.3649ms.
2022-05-18 01:01:27.980 +00:00 [INF] Executing ViewResult, running view ~/Views/Error/500.cshtml.
2022-05-18 01:01:28.060 +00:00 [INF] Executed ViewResult - view ~/Views/Error/500.cshtml executed in 79.2701ms.
2022-05-18 01:01:28.060 +00:00 [INF] Executed action Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) in 85.3887ms
2022-05-18 01:01:28.060 +00:00 [INF] Executed endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
2022-05-18 01:01:28.066 +00:00 [INF] Request finished HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/Account/Error?errorId=CfDJ8A81w2ldNe9HkjgrAVgXeu2KSVwnb2qRNv8Q7cucfA9K5sGzzdnJcqcCwghB2LY0XRj6SvbcTAw-yBmMdeoMLE5Jp4EDCQyvou9drwxJnN8auNRbcKWZE4IUs5OQ9j9yfJp-JRD5oWywlC_T0JHy72pnJBD_tF_R9_aSDmMHH1rd-WN9t0Yps9UT4jSfv5g6BaDdhG4hfarMTw-Yyn3QyiwWjyCS-fnnhNTyYvkc81Y4HsaV4n4YJESuht8NxnE2BM3OXvJiKe7hxDwi96kf6ZD29bKu0PGvoSTruCAtN_BrBTAgBV6tg49H3mpiZkndvFgZ6SVbc6fWYlpUEDVsbhCsBhxru4q_14WAgjMIepYf - - - 200 - text/html;+charset=utf-8 107.7556ms
-
0
2022-05-18 01:01:27.895 +00:00 [ERR] Invalid redirect_uri: https://test1.test.schemasight.com/authentication/login-callback
AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"]
Your database has
https://test.schemasight.com/authentication/login-callback
as RedirectUri for your application but it should be https://test1.test.schemasight.com/authentication/login-callback
or vice versa. Update your database with the correct redirectUri of the application.
-
0
test1 is the name of a tenant. I'm using subdomain tenant resolver. So there could be 1000 different tenants with different names, with subdomain names <tenantName>.test.mydomain.com. That is the point of the subdomain tenant resolver.
abp.io is supposed to support a subdomain per tenant. How do I configure to support that?
-
0
Hi @agilmore
You can check this demo. https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver
https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.IdentityServer/BookStoreIdentityServerModule.cs#L55-L61
-
0
Thanks for that.
So... to implement the subdomain tenant resolver, you need to modify the IdentityServer module configuration delivered with the product. The documentation points to the example you gave, but it's only for MVC, and gives absolutely no indication of what code has changed from the original implementation. This makes it nearly useless.
This documentation: https://docs.abp.io/en/abp/5.2/Multi-Tenancy#domain-subdomain-tenant-resolver gives the impression that all that needs to change is to drop that simple code into the configuration of the host module. It's deceptive. I've seen several questions about this on this forum. You would save yourselves and others lots of time if you simply completed the documentation detailing all the places code needs to change to implement subdomain tenancy resolution.
-
0
You can try to add the code to your Identity Server project. Update the RootUrl of the Client, or update the identity server's data tables. You can migrate the demo project to check the identity server's data tables.
https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.DbMigrator/appsettings.json#L10
context.Services.AddAbpStrictRedirectUriValidator();
context.Services.AddAbpClientConfigurationValidator();
context.Services.AddAbpWildcardSubdomainCorsPolicyService();

Configure<AbpTenantResolveOptions>(options =>
{
    options.AddDomainTenantResolver("{0}.test.mydomain.com");
});
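The log excerpt in this thread shows the actual failure: the App_Blazor client registers only the exact host URL as a redirect URI, so a tenant subdomain's callback is rejected with invalid_request before any login happens. The Python model below is an example added here; it is not ABP Framework or IdentityServer code. It models the two pieces the answers above combine: resolving the tenant name from the Host header with the "{0}.test.mydomain.com" template passed to AddDomainTenantResolver, and a strict redirect_uri check in which a registered "https://*.test.mydomain.com/..." entry (the shape of the APP_Wildcard row in the question) accepts exactly one extra DNS label and nothing else. The single-label rule, the function names, the "after" redirect URI list and the sample hosts are this example's assumptions; the "before" list and the callback path are taken from the log.

```python
from urllib.parse import urlsplit

# Constructed scenario built on the page's placeholder domain. This is not
# ABP Framework or IdentityServer code; it models the two checks the thread
# turns on: Host header -> tenant name, and strict redirect_uri validation.

BASE_TEMPLATE = "{0}.test.mydomain.com"   # the AddDomainTenantResolver format

# App_Blazor's registered redirect URIs as logged ("before") and with a
# wildcard-subdomain entry added ("after"; this example's assumption).
APP_BLAZOR_BEFORE = ["https://test.mydomain.com/authentication/login-callback"]
APP_BLAZOR_AFTER = APP_BLAZOR_BEFORE + [
    "https://*.test.mydomain.com/authentication/login-callback"
]


def subdomain_label(host, template):
    """Return the single DNS label that fills the '{0}' or '*' slot of
    `template` (e.g. '{0}.test.mydomain.com') for `host`.

    None          -> host is exactly the base domain (no tenant label).
    ValueError    -> host is neither the base domain nor exactly one label
                     in front of it, so 'test.mydomain.com.evil.example' or
                     'a.b.test.mydomain.com' are never taken for a tenant.
    Single-label strictness is this example's rule, not necessarily ABP's.
    """
    slot, base = template.split(".", 1)
    if slot not in ("{0}", "*"):
        raise ValueError("template must start with '{0}.' or '*.'")
    base, host = base.lower(), host.lower().rstrip(".")
    if host == base:
        return None
    if not host.endswith("." + base):
        raise ValueError(f"{host!r} is outside {base!r}")
    label = host[: -(len(base) + 1)]
    if not label or "." in label:
        raise ValueError(f"{host!r} is not exactly one label below {base!r}")
    return label


def resolve_tenant(host_header, template=BASE_TEMPLATE):
    """Tenant name for a raw Host header value (port and IPv6 brackets are
    handled by urlsplit), or None when the request targets the host side."""
    host = urlsplit("//" + host_header).hostname or ""
    return subdomain_label(host, template)


def is_redirect_uri_allowed(requested_uri, allowed_uris):
    """Strict match against the registered redirect URIs: scheme, port, path,
    query and fragment must be identical, and the host must be identical or,
    for a registered '*.base' host, exactly one label below base. Anything
    else is the log's 'Invalid redirect_uri'."""
    req = urlsplit(requested_uri)
    if not req.scheme or not req.hostname:
        return False
    for allowed in allowed_uris:
        reg = urlsplit(allowed)
        if not reg.hostname:
            continue
        if (req.scheme.lower() != reg.scheme.lower()
                or req.port != reg.port
                or req.path != reg.path
                or req.query != reg.query
                or req.fragment != reg.fragment):
            continue
        if reg.hostname.startswith("*."):
            try:
                if subdomain_label(req.hostname, reg.hostname) is not None:
                    return True
            except ValueError:
                continue
        elif req.hostname == reg.hostname:
            return True
    return False


def authorize_outcome(host_header, allowed_uris):
    """What /connect/authorize answers for a Blazor client served on
    `host_header`, which (as in the page's log) sends
    https://<host>/authentication/login-callback as its redirect_uri."""
    tenant = resolve_tenant(host_header)
    redirect_uri = f"https://{host_header}/authentication/login-callback"
    if is_redirect_uri_allowed(redirect_uri, allowed_uris):
        return tenant, "ok"
    return tenant, "invalid_request: Invalid redirect_uri"


if __name__ == "__main__":
    for host in ("test.mydomain.com", "test1.test.mydomain.com"):
        for name, uris in (("before", APP_BLAZOR_BEFORE), ("after", APP_BLAZOR_AFTER)):
            print(f"{host:<26} {name:<7} {authorize_outcome(host, uris)}")
```

Run as a script it prints the four combinations: the host URL succeeds with either list, and test1.test.mydomain.com fails with the "before" list (the thread's log) and succeeds once the wildcard entry exists. The validator deliberately refuses a scheme, port, path or query that differs from the registered entry and refuses hosts that merely end in the base domain; whichever mechanism you use in the real IdentityServer configuration, that is the property to keep, because the redirect_uri is where the authorization code is delivered.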