- ABP Framework version: v5.3.1
- UI type: Angular
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
I am trying to use this scenario in a multi-tenant environment: Angular, IDS, API.
We followed the guide https://support.abp.io/QA/Questions/1552/Better-Documentation-for-Multi-Tenant-Subdomain-Resolver but it does not work.
We are able to log in to the IDS tenant (e.g. t1.auth.mydomain.com) and open the API in the tenant (t1.api.mydomain.com), but when I try to authorize my API client the auth login URL is auth.mydomain.com and not t1.auth.mydomain.com, so the authentication moves to the host and not to the correct tenant.
In appsettings.json

For IDS:

    "SelfUrl": "https://{0}.auth.mydomain.com",
    "TenantResolver": "https://{0}.auth.maydomain.com"

For API:

    "SelfUrl": "https://api.mydomain.com",
    "TenantResolver": "https://{0}.api.maydomain.com"
    "AuthServer": {
        "Authority": "https://auth.maydomain.com",
        "RequireHttpsMetadata": "true",
        "SwaggerClientId": "client_Swagger",
        "SwaggerClientSecret": "1234567"
    },
In the IDS ConfigService we put, at the top of the module:

    .....
    context.Services.AddAbpStrictRedirectUriValidator();
    context.Services.AddAbpClientConfigurationValidator();
    context.Services.AddAbpWildcardSubdomainCorsPolicyService();
    Configure<AbpTenantResolveOptions>(options =>
    {
        options.AddDomainTenantResolver(configuration["App:TenantResolver"]);
    });
    Configure<IdentityServerOptions>(options =>
    {
        options.IssuerUri = configuration["App:SelfUrl"];
    });
    ....

and in HttpApiHost:

    ....
    Configure<AbpTenantResolveOptions>(options =>
    {
        options.AddDomainTenantResolver(configuration["App:TenantResolver"]);
    });
    .....
12 Answer(s)
-
0
hi
Can you reproduce the problem via DomainTenantResolver?
-
0
Hi
I can't, because this configuration does not exist there.
In the NG one the identity server is not separated.
-
0
OK, I see. I will add the new project to DomainTenantResolver.
-
0
https://github.com/abpframework/abp/issues/14435
-
0
I think the problem is related to auth. This is the information the API tries to use to authorize:

    oauth2 (OAuth2, authorizationCode)
    Authorization URL: https://auth.mydomain.com/connect/authorize
    Token URL: https://auth.mydomain.com/connect/token
    Flow: authorizationCode

Is it correct?
About the git repo, is your request to clone the repo and reproduce the issue?
-
0
I rechecked all the configuration in my module and it works (partially on Angular).
I need to add to environment.ts

    skipIssuerCheck: true

After adding this, my app is redirected to the correct Auth Server (e.g. Tenant 1 (t1) -> https://t1.auth.mydomain.com), but I use a custom login in Angular with customized Login/Register pages:

    export class AppComponent {
      constructor(private replaceableComponentsService: ReplaceableComponentsService) {}

      ngOnInit() {
        this.replaceableComponentsService.add({
          key: eAccountComponents.Login,
          component: LoginComponent,
        });
        this.replaceableComponentsService.add({
          key: eAccountComponents.Register,
          component: RegisterComponent,
        });
        this.replaceableComponentsService.add({
          key: eThemeLeptonComponents.AccountLayout,
          component: AccountLayoutComponent,
        });
      }
    }

This works fine if I don't use a normal tenant selector, but with tenant resolve by name, when I click login I am redirected to Auth (the MVC page and not the Angular route). It doesn't work on the tenant/host side.
I looked into the call to /.well-known/openid-configuration and I see the response below, and in the console I read this error:
main.fbfd4e772f61baa1.js:1 invalid issuer in discovery document expected: https://t1.mydomain.com current: https://auth.mydomain.com

    "issuer": "https://auth.mydomain.com",
    "jwks_uri": "https://t1.auth.mydomain.com/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://t1.auth.mydomain.com/connect/authorize",
    "token_endpoint": "https://t1.auth.mydomain.com/connect/token",
    "userinfo_endpoint": "https://t1.auth.mydomain.com/connect/userinfo",
    "end_session_endpoint": "https://t1.auth.mydomain.com/connect/endsession",
    "check_session_iframe": "https://t1.auth.mydomain.com/connect/checksession",
    "revocation_endpoint": "https://t1.auth.mydomain.com/connect/revocation",
    "introspection_endpoint": "https://t1.auth.mydomain.com/connect/introspect",
    "device_authorization_endpoint": "https://t1.auth.mydomain.com/connect/deviceauthorization",
    "frontchannel_logout_supported": true,
    "frontchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "backchannel_logout_session_supported": true,
-
0
main.fbfd4e772f61baa1.js:1 invalid issuer in discovery document expected: https://t1.mydomain.com current: https://auth.mydomain.com
I see the /oauth-service.ts code and it should throw an error when

    if (!this.skipIssuerCheck && doc.issuer !== this.issuer) {

https://github.com/manfredsteyer/angular-oauth2-oidc/blob/d95d7da788e2c1390346c66de62dc31f10d2b852/projects/lib/src/oauth-service.ts#L639
You have set

    skipIssuerCheck: true

so the error should not be thrown.
-
0
Hi
I see the same and it works, but it redirects me to the IDS page and not to my local login in Angular. Why?
-
0
hi
I will add a sample.
https://github.com/abpframework/abp/issues/14435
-
0
hi
Here is my Angular config. I tested it and it works.

    import { Environment } from '@abp/ng.core';

    const baseUrl = 'https://{0}.ng.getabp.net:4200';

    const oAuthConfig = {
      issuer: 'https://{0}.ids.getabp.net:44301',
      redirectUri: baseUrl,
      clientId: 'BookStore_App',
      responseType: 'code',
      scope: 'offline_access BookStore',
      requireHttps: true,
    };

    export const environment = {
      production: false,
      application: {
        baseUrl,
        name: 'BookStore',
      },
      oAuthConfig,
      apis: {
        default: {
          url: 'https://{0}.api.getabp.net:44302',
          rootNamespace: 'BookStore',
        },
        AbpAccountPublic: {
          url: oAuthConfig.issuer,
          rootNamespace: 'AbpAccountPublic',
        },
      },
    } as Environment;

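How a `{0}` issuer template and the discovery-document issuer comparison (the check that `skipIssuerCheck` turns off) fit together, as an added example that is not part of the thread and is not ABP or angular-oauth2-oidc code. The function names are hypothetical, the host-side handling of `{0}.` is an assumption, and the sample document is constructed from values quoted earlier in the thread.

```typescript
// Added illustration. Function names are hypothetical; this is not ABP or
// angular-oauth2-oidc code. Sample values are constructed from the thread.
const PLACEHOLDER = '{0}';

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Tenant name from the current origin, given a template such as
// 'https://{0}.ng.getabp.net:4200'. Only a single DNS label is accepted, so
// 'https://t1.evil.ng.getabp.net:4200' does not resolve to tenant 't1'.
function resolveTenant(template: string, origin: string): string | null {
  const parts = template.split(PLACEHOLDER);
  if (parts.length !== 2) return null;
  const re = new RegExp(
    '^' + escapeRegExp(parts[0]) + '([a-z0-9-]+)' + escapeRegExp(parts[1]) + '$', 'i');
  const m = re.exec(origin);
  return m ? m[1].toLowerCase() : null;
}

// Issuer the client should expect. Assumption: on the host side (no tenant)
// the '{0}.' prefix is dropped.
function expectedIssuer(issuerTemplate: string, tenant: string | null): string {
  return tenant
    ? issuerTemplate.replace(PLACEHOLDER, tenant)
    : issuerTemplate.replace(PLACEHOLDER + '.', '');
}

// Compare a discovery document with the expected issuer. Every URL-valued
// entry must live under that issuer; an empty result means it is consistent.
function checkDiscovery(doc: { [key: string]: unknown }, issuer: string): string[] {
  const problems: string[] = [];
  if (doc['issuer'] !== issuer) {
    problems.push('issuer: expected ' + issuer + ', got ' + String(doc['issuer']));
  }
  for (const key of Object.keys(doc)) {
    const value = doc[key];
    if (key !== 'issuer' && typeof value === 'string' && /^https?:\/\//.test(value)
        && value.indexOf(issuer + '/') !== 0) {
      problems.push(key + ': ' + value + ' is outside ' + issuer);
    }
  }
  return problems;
}

// Constructed sample: issuer on the host name, endpoints on the tenant name.
const sampleDoc = {
  issuer: 'https://auth.mydomain.com',
  authorization_endpoint: 'https://t1.auth.mydomain.com/connect/authorize',
  token_endpoint: 'https://t1.auth.mydomain.com/connect/token',
};
```

Run against `sampleDoc`, `checkDiscovery` reports the issuer mismatch for the tenant issuer and the two endpoint mismatches for the host issuer, which is the inconsistency visible in the discovery document posted above.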
-
0
Hi
On my side it does not work, but I found this post and I removed

    responseType: 'code',

After that my login on the Angular side works and it doesn't redirect me to the IDS login page.
The issue still exists on the API: if I try to log in from Swagger, the app redirects me to the base auth and not to the tenant auth.
-
0
hi
I didn't change the swagger behavior. So it does not support the subdomain.