- ABP Framework version: v8.0.2
- UI Type: MVC
- Database System: EF Core (PostgreSQL)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace:
- Steps to reproduce the issue:
Created a project using ABP Suite with public site, CMS, Tiered and Separate Tenant Schema.
I want different URLs for tenants; for that I configured:
In the Auth project:
    PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
    {
        options.EnableWildcardDomainSupport = true;
        options.WildcardDomainsFormat.Add("https://{0}.auth.domain.com");
    });
and
    Configure<AbpTenantResolveOptions>(options =>
    {
        options.AddDomainTenantResolver("{0}.auth.domain.com");
    });
In the Web project:
    Configure<AbpTenantResolveOptions>(options =>
    {
        options.AddDomainTenantResolver("{0}.web.domain.com");
    });
In HttpApi.Host:
    Configure<AbpTenantResolveOptions>(options =>
    {
        options.AddDomainTenantResolver("{0}.api.domain.com");
    });
Now I want to add this in OpenID Connect. There I added these URLs for the application:
Application Type: Web
Client Url: https://web.domain.com/
Redirect Uris: https://web.domain.com/signin-oidc
Post Logout Redirect Uris: https://web.domain.com/signout-callback-oidc
How do I configure dynamic tenant-wise URLs for this?
11 Answer(s)
-
0
hi
https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.Web/BookStoreWebModule.cs#L145-L177
-
0
hi
https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.Web/BookStoreWebModule.cs#L145-L177
Do I have to add this in both Web and HttpApi.Host?
    .AddAbpOpenIdConnect("oidc", options =>
    {
        options.Authority = configuration["AuthServer:Authority"];
        options.RequireHttpsMetadata = configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata");
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        options.ClientId = configuration["AuthServer:ClientId"];
        options.ClientSecret = configuration["AuthServer:ClientSecret"];
        options.UsePkce = true;
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("roles");
        options.Scope.Add("email");
        options.Scope.Add("phone");
        options.Scope.Add("TestIdentity");
        options.Events.OnRedirectToIdentityProviderForSignOut = redirectContext =>
        {
            var currentTenant = redirectContext.HttpContext.RequestServices.GetRequiredService<ICurrentTenant>();
            if (currentTenant.IsAvailable)
            {
                // https://ids.getabp.net:44301
                redirectContext.ProtocolMessage.IssuerAddress =
                    redirectContext.ProtocolMessage.IssuerAddress.Replace("ids", $"{currentTenant.Name}.ids");
            }
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProviderForSignOut;
    });
-
0
hi
You only need to add AddAbpOpenIdConnect for the projects that use OpenIdConnect.
-
0
hi
You only need to add AddAbpOpenIdConnect for the projects that use OpenIdConnect.
I want it like this: if I create a tenant named smc, then the URLs are smc.web.domain.com and smc.auth.domain.com.
But when I click the login button from smc.web.domain.com, it redirects to auth.domain.com and throws a 400: https://auth.domain.com/Error?httpStatusCode=400
In the Auth project logs:
2024-02-21 13:38:35.147 +05:30 [INF] Request finished HTTP/1.1 GET https://auth.domain.com/.well-known/jwks - 200 1667 application/json;charset=UTF-8 14.1696ms
2024-02-21 13:38:39.349 +05:30 [INF] Request starting HTTP/2 GET https://auth.domain.com/connect/authorize?client_id=TestIdentity&redirect_uri=https%3A%2F%2Fsmc.web.domain.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20TestIdentity&response_mode=form_post&nonce=638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz&state=CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA&x-client-SKU=ID_NET8_0&x-client-ver=7.0.3.0 - null null
2024-02-21 13:38:39.351 +05:30 [INF] The request URI matched a server endpoint: "Authorization".
2024-02-21 13:38:39.356 +05:30 [INF] The authorization request was successfully extracted: { "client_id": "TestIdentity", "redirect_uri": "https://smc.web.domain.com/signin-oidc", "response_type": "code id_token", "scope": "openid profile roles email phone TestIdentity", "response_mode": "form_post", "nonce": "638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz", "state": "CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA", "x-client-SKU": "ID_NET8_0", "x-client-ver": "7.0.3.0" }.
2024-02-21 13:38:39.586 +05:30 [INF] Client validation failed because 'https://smc.web.domain.com/signin-oidc' was not a valid redirect_uri for TestIdentity.
2024-02-21 13:38:39.586 +05:30 [INF] The authorization request was rejected because the redirect_uri was invalid: 'https://smc.web.domain.com/signin-oidc'.
2024-02-21 13:38:39.597 +05:30 [INF] Request finished HTTP/2 GET https://auth.domain.com/connect/authorize?client_id=TestIdentity&redirect_uri=https%3A%2F%2Fsmc.web.domain.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20TestIdentity&response_mode=form_post&nonce=638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz&state=CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA&x-client-SKU=ID_NET8_0&x-client-ver=7.0.3.0 - 302 null null 247.1638ms
2024-02-21 13:38:39.600 +05:30 [INF] Request starting HTTP/2 GET https://auth.domain.com/Error?httpStatusCode=400 - null null
-
0
And when I open smc.auth.domain.com, it shows all applications, and in that list web.domain.com is shown. How can I change that tenant-wise: if smc.auth.domain.com, then show smc.web.domain.com;
if auth.domain.com, then show web.domain.com, like that.
-
0
hi
[INF] Client validation failed because 'https://smc.web.domain.com/signin-oidc' was not a valid redirect_uri for TestIdentity.
[INF] The authorization request was rejected because the redirect_uri was invalid: 'https://smc.web.domain.com/signin-oidc'.
    PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
    {
        options.EnableWildcardDomainSupport = true;
        options.WildcardDomainsFormat.Add("https://{0}.auth.domain.com");
        options.WildcardDomainsFormat.Add("https://{0}.web.domain.com/signin-oidc");
    });
Try to add https://{0}.web.domain.com/signin-oidc to WildcardDomainsFormat.
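The fix in this answer widens which redirect_uri values the auth server accepts, so it matters how much the {0} placeholder is allowed to match. As an added example (not code from this thread, ABP or OpenIddict; the class name WildcardRedirectUri and the sample URIs are made up for illustration), here is a strict matcher in which {0} stands for exactly one DNS label:

```csharp
using System;
using System.Text.RegularExpressions;

// Added illustration; not ABP's or OpenIddict's own matching code.
public static class WildcardRedirectUri
{
    // {0} may stand for exactly one DNS label: no dots, slashes, '@' or ports.
    private const string Label = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";

    public static bool Matches(string format, string redirectUri)
    {
        if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        if (uri.UserInfo.Length > 0 || uri.Fragment.Length > 0) return false;

        // System.Uri lower-cases the host; the path keeps its case.
        var candidate = $"https://{uri.Authority}{uri.PathAndQuery}".TrimEnd('/');

        // Escape the format so its dots are literal, then substitute the label.
        var pattern = "^" + Regex.Escape(format.TrimEnd('/')).Replace(@"\{0}", Label) + @"\z";
        return Regex.IsMatch(candidate, pattern, RegexOptions.CultureInvariant);
    }

    public static void Main()
    {
        const string format = "https://{0}.web.domain.com/signin-oidc";
        string[] samples = // constructed inputs
        {
            "https://smc.web.domain.com/signin-oidc",
            "https://a.smc.web.domain.com/signin-oidc",
            "http://smc.web.domain.com/signin-oidc",
            "https://smc.web.domain.com/signin-oidc/extra",
            "https://web.domain.com/signin-oidc",
        };
        foreach (var s in samples)
            Console.WriteLine($"{Matches(format, s),-5}  {s}");
    }
}
```

The non-tenant redirect URI from the question, https://web.domain.com/signin-oidc, does not match the wildcard format and stays registered on the client as an exact value.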
-
0
OK, after adding this it's working. Thank you for the support. But if I open https://smc.auth.domain.com,
then it shows all applications; when I open the web application from there, it opens https://web.domain.com, but I want it, when a tenant opens it, to directly open this URL: https://smc.web.domain.com.
-
0
hi
then it shows all applications; when I open the web application from there, it opens https://web.domain.com, but I want it, when a tenant opens it, to directly open this URL: https://smc.web.domain.com.
I don't understand this very well. Can you explain in detail?
Thanks
-
0
hi
then it shows all applications; when I open the web application from there, it opens https://web.domain.com, but I want it, when a tenant opens it, to directly open this URL: https://smc.web.domain.com.
I don't understand this very well. Can you explain in detail?
Thanks
When I create a new tenant, for example named smc, its URLs are https://smc.web.domain.com (Web project) and, for auth, https://smc.auth.domain.com (Auth project).
When we open https://auth.domain.com (Auth project), it shows all OpenID Connect applications with URLs, names and icons; there the Web project URL is shown as https://web.domain.com. When we open https://smc.auth.domain.com, it also shows the web URL as https://web.domain.com instead of https://smc.web.domain.com.
-
0
-
0
Thank you, it's working fine.