
Infinite Loop Issue with Superadmin Login in Multitenant OpenIddict Configuration #7332


User avatar
0
anurag.tyagi created
  • ABP Framework version: v8.0.2
  • UI Type: Angular
  • Database System: EF Core (MySQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): no
  • Exception message and full stack trace: infinite loop, with no errors in the logs
  • Steps to reproduce the issue: enable multitenancy, try to login as superadmin

I enabled multitenancy based on this example: ABP Framework Sample.

Later, I encountered an issue where the issuer endpoint was set to the main domain (mydomain.com) instead of the tenant subdomain (tenant.mydomain.com).

To resolve this, I had to comment out the following line in the configuration:

PreConfigure<OpenIddictServerBuilder>(builder =>
{
    // Certificates used by OpenIddict to sign and encrypt the tokens it issues
    builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    // Left commented out so the issuer is derived from each request's host
    // (the tenant subdomain) instead of the fixed AuthServer:Authority value
    // builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
});

After commenting out this line, the multitenancy worked correctly for tenant1.mydomain.com, tenant2.mydomain.com, etc.

However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:

{
  "error": "invalid_grant",
  "error_description": "The issuer associated to the specified token is not valid.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2088"
}

In your forums, I found this topic: Local Docker Installation which suggests that the issue may be caused by the aforementioned commented-out line. However, my multitenancy setup does not work with that line included.

Additionally, there are no errors in the logs, and the logs are clean.

How can I fix this issue where the main domain login for the superadmin ends up in an infinite loop due to the invalid issuer token, while still maintaining the correct issuer endpoint for tenant subdomains?

Thank you.


5 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    What are the error logs when builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!)); is used?

  • User Avatar
    0
    anurag.tyagi created

    Hi,

    Thanks for your response.

    There are no backend logs on this issue, on the frontend console I see:

    invalid issuer in discovery document expected: https://tenant.api.mydomain.com current: https://api.mydomain.com/

    and when I check the https://api.mydomain.com/.well-known/openid-configuration endpoint, I see the following configuration:

    {
      "issuer": "https://api.mydomain.com",
      "authorization_endpoint": "https://tenant.api.mydomain.com/connect/authorize",
      "token_endpoint": "https://tenant.api.mydomain.com/connect/token",
      "introspection_endpoint": "https://tenant.api.mydomain.com/connect/introspect",
      "end_session_endpoint": "https://tenant.api.mydomain.com/connect/logout"
    }
    

    FYI, this issue is not reproducible locally as soon as SetIssuer is in the if (!hostingEnvironment.IsDevelopment()) block.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The issuer is obtained by request.Scheme + Uri.SchemeDelimiter + host + request.PathBase if you don't call the SetIssuer method.

    invalid issuer in discovery document expected

    You could disable issuer validation using skipIssuerCheck. https://manfredsteyer.github.io/angular-oauth2-oidc/docs/classes/AuthConfig.html#skipIssuerCheck

  • User Avatar
    0
    anurag.tyagi created

    Hi,

    Is it OK to disable the issuer validation on production?

    Also, without SetIssuer the login works just fine on all other tenants (tenant1.mydomain.com, tenant2.mydomain.com) but not for mydomain.com. It should work the same way for all URLs, right?

    Can I somehow remove SetIssuer and find a solution to the problem described above? Or is the only way to bring it back and disable issuer validation?

    Many thanks for considering my request.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Is it OK to disable the issuer validation on production?

    I think it's ok.

    https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/OpenIddict/NG/angular/src/environments/environment.ts#L16

    However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:

    {
      "error": "invalid_grant",
      "error_description": "The issuer associated to the specified token is not valid.",
      "error_uri": "https://documentation.openiddict.com/errors/ID2088"
    }
    

    Can you share an access_token from this error?

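As an added example (not code from the thread, ABP or angular-oauth2-oidc), this TypeScript models the client-side issuer check behind the skipIssuerCheck advice and the follow-up question about disabling it in production: instead of skipping the check, it derives the expected issuer from the current host using the same scheme + host + path base rule described for the server, and it also flags discovery endpoints whose origin differs from the issuer, which is exactly the shape of the document posted above. normalizeIssuer, expectedIssuerForHost and checkDiscoveryDocument are hypothetical helpers; sampleDoc is constructed from the discovery document in the thread.

```typescript
// Added example, not from the thread or the ABP / angular-oauth2-oidc projects.
type DiscoveryDocument = Record<string, string>;

// The thread's error compared "https://api.mydomain.com/" with
// "https://tenant.api.mydomain.com": strip trailing slashes and case first.
function normalizeIssuer(issuer: string): string {
  return issuer.replace(/\/+$/, "").toLowerCase();
}

// Scheme://host[:port] part of a URL (regex instead of URL to stay lib-agnostic).
function originOf(url: string): string {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^/?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : "";
}

// Hypothetical per-host derivation mirroring the server rule quoted in the thread
// (request.Scheme + "://" + host + request.PathBase): each tenant subdomain gets
// its own expected issuer, so issuer validation can stay switched on.
function expectedIssuerForHost(scheme: string, host: string, pathBase = ""): string {
  return normalizeIssuer(`${scheme}://${host}${pathBase}`);
}

interface IssuerCheckResult {
  ok: boolean;
  problems: string[];
}

// Validate instead of skipping: (1) the issuer must match the one expected for
// this host; (2) every *_endpoint must sit on the issuer's origin, otherwise a
// token minted under one issuer is sent to another host's token endpoint, which
// is the invalid_grant / ID2088 situation reported above.
function checkDiscoveryDocument(doc: DiscoveryDocument, expectedIssuer: string): IssuerCheckResult {
  const problems: string[] = [];
  const issuer = normalizeIssuer(doc.issuer);
  if (issuer !== normalizeIssuer(expectedIssuer)) {
    problems.push(`invalid issuer: expected ${expectedIssuer}, got ${doc.issuer}`);
  }
  const issuerOrigin = originOf(issuer);
  for (const key of Object.keys(doc)) {
    if (!key.endsWith("_endpoint")) continue;
    if (originOf(doc[key]) !== issuerOrigin) {
      problems.push(`${key} ${doc[key]} is not on issuer origin ${issuerOrigin}`);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample modelled on the discovery document posted in the thread.
const sampleDoc: DiscoveryDocument = {
  issuer: "https://api.mydomain.com",
  authorization_endpoint: "https://tenant.api.mydomain.com/connect/authorize",
  token_endpoint: "https://tenant.api.mydomain.com/connect/token",
};
```

Run against sampleDoc with the tenant host's expected issuer, the check reports the issuer mismatch plus both endpoints living on a different origin; a document whose issuer and endpoints all belong to the requesting host passes.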
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11