- ABP Framework version: v8.0.2
- UI Type: Angular
- Database System: EF Core (MySQL)
- Tiered (for MVC) or Auth Server Separated (for Angular): no
- Exception message and full stack trace: infinite loop, with no errors in the logs
- Steps to reproduce the issue: enable multitenancy, try to login as superadmin
I enabled multitenancy based on this example: ABP Framework Sample.
Later, I encountered an issue where the issuer endpoint was set to the main domain (mydomain.com) instead of the tenant subdomain (tenant.mydomain.com).
To resolve this, I had to comment out the following line in the configuration:
PreConfigure<OpenIddictServerBuilder>(builder =>
{
builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
// builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
});
After commenting out this line, the multitenancy worked correctly for tenant1.mydomain.com, tenant2.mydomain.com, etc.
However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:
{
"error": "invalid_grant",
"error_description": "The issuer associated to the specified token is not valid.",
"error_uri": "https://documentation.openiddict.com/errors/ID2088"
}
In your forums, I found this topic: Local Docker Installation, which suggests that the issue may be caused by the aforementioned commented-out line. However, my multitenancy setup does not work with that line included.
Additionally, there are no errors in the logs, and the logs are clean.
How can I fix this issue where the main domain login for the superadmin ends up in an infinite loop due to the invalid issuer token, while still maintaining the correct issuer endpoint for tenant subdomains?
Thank you.
5 Answer(s)
-
0
hi
What are the error logs when
builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
?
-
0
Hi,
Thanks for your response.
There are no backend logs on this issue, on the frontend console I see:
invalid issuer in discovery document expected: https://tenant.api.mydomain.com current: https://api.mydomain.com/
and when I check the https://api.mydomain.com/.well-known/openid-configuration endpoint, I see the following configuration:
{
"issuer": "https://api.mydomain.com",
"authorization_endpoint": "https://tenant.api.mydomain.com/connect/authorize",
"token_endpoint": "https://tenant.api.mydomain.com/connect/token",
"introspection_endpoint": "https://tenant.api.mydomain.com/connect/introspect",
"end_session_endpoint": "https://tenant.api.mydomain.com/connect/logout"
}
FYI, this issue is not reproducible locally as soon as SetIssuer is in the if (!hostingEnvironment.IsDevelopment()) block.
-
0
hi
The issuer is obtained by request.Scheme + Uri.SchemeDelimiter + host + request.PathBase if you don't call the SetIssuer method.
invalid issuer in discovery document expected
You could disable issuer validation using skipIssuerCheck.
https://manfredsteyer.github.io/angular-oauth2-oidc/docs/classes/AuthConfig.html#skipIssuerCheck
-
0
Hi,
Is it OK to disable the issuer validation on production?
Also, without SetIssuer the login works just fine on all other tenants (tenant1.mydomain.com, tenant2.mydomain.com) but not for mydomain.com; it should work the same way for all URLs, right?
Can I somehow remove SetIssuer and find a solution to the problem described above? Or is the only way to bring it back and disable issuer validation?
Many thanks for considering my request.
-
0
hi
Is it OK to disable the issuer validation on production?
I think it's ok.
https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/OpenIddict/NG/angular/src/environments/environment.ts#L16
However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:
{ "error": "invalid_grant", "error_description": "The issuer associated to the specified token is not valid.", "error_uri": "https://documentation.openiddict.com/errors/ID2088" }
Can you share an access_token in this error?
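The issuer check that the third answer suggests switching off with skipIssuerCheck, and the token-issuer comparison the last answer is asking about, as an added TypeScript example. It is not code from the thread, from ABP, from OpenIddict or from angular-oauth2-oidc. It derives the expected issuer from the host the Angular app was loaded on (the <tenant>.mydomain.com / <tenant>.api.mydomain.com layout is an assumption; the thread only shows api.mydomain.com and tenant.api.mydomain.com), checks a discovery document against that expectation and against its own endpoints, and reads the iss claim of an unverified access token so it can be compared with the issuer the server currently reports, which is the mismatch OpenIddict's ID2088 describes. The discovery document and the alg-none token in the block are constructed for the demo; the document copies the issuer and endpoint hosts quoted above, shortened to the two endpoints the login flow uses.

```typescript
// Added example for this thread; not code from ABP, OpenIddict or angular-oauth2-oidc.
// Assumed host layout (the thread only shows api.mydomain.com and tenant.api.mydomain.com):
// SPA at <tenant>.mydomain.com, auth server at <tenant>.api.mydomain.com; the host
// tenant is mydomain.com / api.mydomain.com.
export interface DiscoveryDocument { issuer: string; [key: string]: string | undefined }
export interface CheckResult { ok: boolean; problems: string[] }

/** "https://x/" and "https://x" compare equal. */
export function normalizeIssuer(issuer: string): string {
  return issuer.slice(-1) === '/' ? issuer.slice(0, -1) : issuer;
}

/** Lower-cased scheme://host of an absolute http(s) URL, or null. */
export function originOf(url: string): string | null {
  const m = /^(https?):\/\/([^/?#]+)/i.exec(url);
  return m ? `${m[1]}://${m[2]}`.toLowerCase() : null;
}

/** Expected issuer for the host the SPA was loaded from (host layout above is an assumption). */
export function expectedIssuerFor(appHost: string, appDomain = 'mydomain.com'): string {
  if (appHost === appDomain) return `https://api.${appDomain}`;
  const suffix = `.${appDomain}`;
  if (appHost.slice(-suffix.length) !== suffix) throw new Error(`${appHost} is not under ${appDomain}`);
  return `https://${appHost.slice(0, -suffix.length)}.api.${appDomain}`;
}

// The check skipIssuerCheck turns off (document issuer === expected issuer), plus an
// extra rule: every *_endpoint must be an https URL under the document's own issuer,
// so a document mixing two hosts, like the one quoted in the thread, is rejected.
export function checkDiscovery(doc: DiscoveryDocument, expectedIssuer: string): CheckResult {
  const problems: string[] = [];
  const expected = normalizeIssuer(expectedIssuer);
  const actual = normalizeIssuer(doc.issuer);
  if (actual !== expected) problems.push(`issuer mismatch: expected ${expected}, document says ${actual}`);
  const issuerOrigin = originOf(actual);
  for (const key of Object.keys(doc)) {
    const value = doc[key];
    if (key.slice(-9) !== '_endpoint' || !value) continue;
    const origin = originOf(value);
    if (!origin || origin.slice(0, 8) !== 'https://') problems.push(`${key} is not an https URL: ${value}`);
    else if (origin !== issuerOrigin) problems.push(`${key} (${origin}) is not under issuer ${actual}`);
  }
  return { ok: problems.length === 0, problems };
}

// Unpadded base64url (JWT style) for ASCII text, written out so no Buffer/atob is needed.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
export function base64UrlEncode(text: string): string {
  let out = '', bits = 0, value = 0;
  for (let i = 0; i < text.length; i++) {
    value = (value << 8) | (text.charCodeAt(i) & 0xff);
    bits += 8;
    while (bits >= 6) { bits -= 6; out += B64.charAt((value >> bits) & 63); }
  }
  if (bits > 0) out += B64.charAt((value << (6 - bits)) & 63);   // last partial sextet
  return out.replace(/\+/g, '-').replace(/\//g, '_');
}
export function base64UrlDecode(text: string): string {
  let out = '', bits = 0, value = 0;
  const std = text.replace(/-/g, '+').replace(/_/g, '/');
  for (let i = 0; i < std.length; i++) {
    const idx = B64.indexOf(std.charAt(i));
    if (idx < 0) continue;                                  // skips '=' padding
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) { bits -= 8; out += String.fromCharCode((value >> bits) & 0xff); }
  }
  return out;
}

// `iss` of a JWS token read WITHOUT verification (diagnostics only). A JWE (five
// dot-separated parts) cannot be inspected client-side, so that is reported instead.
export function tokenIssuer(token: string): { encrypted: boolean; iss?: string } {
  const parts = token.split('.');
  if (parts.length === 5) return { encrypted: true };
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const payload = JSON.parse(base64UrlDecode(parts[1])) as { iss?: string };
  return { encrypted: false, iss: payload.iss };
}

// ID2088 as one comparison: was the token issued under the issuer the server reports now?
export function tokenMatchesServer(token: string, doc: DiscoveryDocument): boolean | undefined {
  const t = tokenIssuer(token);
  if (t.encrypted || !t.iss) return undefined;              // the client cannot tell
  return normalizeIssuer(t.iss) === normalizeIssuer(doc.issuer);
}

// Constructed unsigned (alg "none") token for the demo; never accept one of these in real code.
export function makeSampleToken(iss: string): string {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({ iss: iss, sub: 'admin', exp: 0 }));
  return `${header}.${payload}.`;
}

// Constructed from the document quoted in the thread: host issuer, tenant endpoints.
export const MIXED_HOST_DOCUMENT: DiscoveryDocument = {
  issuer: 'https://api.mydomain.com',
  authorization_endpoint: 'https://tenant.api.mydomain.com/connect/authorize',
  token_endpoint: 'https://tenant.api.mydomain.com/connect/token',
};
```

Running checkDiscovery over the quoted document from the tenant's point of view fails on the issuer line (the message the browser console showed); from the host tenant's point of view the issuer line passes but the endpoints are rejected because they point at the tenant host. Keeping a check like this per tenant is the alternative to setting skipIssuerCheck for every environment. Whether an ABP access token is a readable JWS or an encrypted JWE depends on the OpenIddict server configuration; tokenIssuer reports an encrypted token instead of guessing.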