- ABP Framework version: v4.0.2
- UI type: MVC
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
I have a tiered solution which creates 3 separate docker images
- Identity Server
- API
- Web Site
I have them running on 3 separate VMs hosted behind an NGINX reverse proxy (4 VMs in total). My domain name points to the nginx server, which routes the 4 subdomains to their various components.
- identity.domain.com.au
- api.domain.com.au
- web.domain.com.au
The reverse proxy forces SSL in front of the proxy, but communicates over port 80 to the various site components. Both the Identity Server and API work perfectly and are able to log in correctly and return data, but the website fails when I click the login button.
Initially it had complained about an obscure Microsoft issue relating to enforcing the scheme to be https for each request. I added the code as suggested by Microsoft but it is still failing somewhere in the pipeline. Any ideas?
3 Answer(s)
-
0
Hello @ihugo,
It is probably related to IdentityServer being published on http instead of https. IdentityServer must be deployed to https. Can you check the issuer under /.well-known/openid-configuration?
You can check here about how to set it.
If that is not the case, can you share the logs under your Logs folder by exec-ing into your container?
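The issuer check above only comes out as https if ASP.NET Core knows the original request was https, which behind a proxy that speaks plain port 80 to the containers means honouring the proxy's X-Forwarded-Proto header. As an added example (not code from the original post or from the ABP project), this is how that is wired into an ABP host module so the scheme is taken from the header only when the request really came from the reverse proxy; the module name and the proxy address 10.0.0.10 are assumptions. On the NGINX side the matching directives in each location block are `proxy_set_header X-Forwarded-Proto $scheme;` and `proxy_set_header X-Forwarded-Host $host;`.

```csharp
// Added example, not from the original page or the ABP framework: make the
// IdentityServer / API / Web hosts behind an NGINX reverse proxy treat requests
// as https when, and only when, the proxy says so.
// Assumptions: the proxy's internal address is 10.0.0.10 (hypothetical) and it
// forwards X-Forwarded-For / X-Forwarded-Proto / X-Forwarded-Host.
using System.Net;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.HttpOverrides;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp;
using Volo.Abp.AspNetCore;
using Volo.Abp.Modularity;

[DependsOn(typeof(AbpAspNetCoreModule))]
public class ReverseProxyHttpsModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        context.Services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders = ForwardedHeaders.XForwardedFor
                                     | ForwardedHeaders.XForwardedProto
                                     | ForwardedHeaders.XForwardedHost;

            // Trust scheme/host claims from the reverse proxy only. Without this
            // restriction anyone who can reach port 80 on the VM directly can
            // send "X-Forwarded-Proto: https" and satisfy the https requirement.
            options.KnownNetworks.Clear();
            options.KnownProxies.Clear();
            options.KnownProxies.Add(IPAddress.Parse("10.0.0.10")); // assumed proxy address
        });
    }

    public override void OnApplicationInitialization(ApplicationInitializationContext context)
    {
        var app = context.GetApplicationBuilder();

        // Must run before authentication and IdentityServer: Request.Scheme and
        // Request.Host feed the discovery document's "issuer" and the
        // redirect_uri the web site sends to /connect/authorize.
        app.UseForwardedHeaders();

        // After UseForwardedHeaders, IsHttps is true exactly when a trusted
        // proxy reported https. Refuse anything else rather than silently
        // continuing on a plain-text scheme.
        app.Use((httpContext, next) =>
        {
            if (!httpContext.Request.IsHttps)
            {
                httpContext.Response.StatusCode = StatusCodes.Status400BadRequest;
                return httpContext.Response.WriteAsync("HTTPS is required");
            }
            return next();
        });
    }
}
```

Put the same two pieces at the top of the IdentityServer, HttpApi.Host and Web host modules' pipelines; once in place, /.well-known/openid-configuration should report an https:// issuer and the web site's redirect_uri will be built with the public https host name.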
-
0
This is a snippet of the Identity Server logs (formatted).
First log entry, when clicking the login button:
2021-01-12 00:36:10.160 +00:00 [INF] Request starting HTTP/1.0 GET http://identityserver.mydomain.com.au/connect/authorize? client_id=ACME_Swagger &redirect_uri=https%3A%2F%2Fwebsite.mydomain.com.au%2Fsignin-oidc &response_type=code%20id_token &scope=openid%20profile%20role%20email%20phone%20ACME &response_mode=form_post &nonce=637460085700247970.NTdiZWFkNWYtMTY0MS00MjY2LWE1NjMtMGYyMmZiMWQwZDUxMjBmNmY2ODctZDEyZS00NDAwLTgzMTUtZjI1M2I4NjRkZGM1 &state=CfDJ8M1sREtLfp9HtU4hP4gPDTVW3bvsBw6HcSYKun2hru60z84PnY2jB9vcXp1WVS3_EyZ5AHhMmhrJGfe2jddyZiXdqhz6tDpEeIfbCOrP11N5K4waG_tB-mMulgdbjD0QefAy2RWJ8lJ1JbN8lH2Jj6HHa1eEhZPa7I8Yk254gCXPjTDZNcTUagetAY2YKlA2JE_CBOW9YGs9CALfTWRKAVVGLCFUdLRKIvBNfgZYnbF0IGyKDYgNEXwFAjRqJCNmiliche-k9EsbFSRij1LusJKpLCR1Wv2wTzoYt-mlDUOgFWIdHen0se_ymmr8iePo2hpCtrJ18Ng3SxkpJP_7ChM &x-client-SKU=ID_NETSTANDARD2_0 &x-client-ver=6.7.1.0 - -
Second log entry:
2021-01-12 00:36:10.177 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
Third log entry:
2021-01-12 00:36:10.281 +00:00 [ERR] Invalid redirect_uri: https://website.mydomain.com.au/signin-oidc
{
  "ClientId":"ACME_Swagger",
  "ClientName":"ACME_Swagger",
  "RedirectUri":null,
  "AllowedRedirectUris":["https://api.mydomain.com.au/swagger/oauth2-redirect.html","https://localhost:44358/swagger/oauth2-redirect.html"],
  "SubjectId":"anonymous",
  "ResponseType":null,
  "ResponseMode":null,
  "GrantType":null,
  "RequestedScopes":"",
  "State":null,
  "UiLocales":null,
  "Nonce":null,
  "AuthenticationContextReferenceClasses":null,
  "DisplayMode":null,
  "PromptMode":"",
  "MaxAge":null,
  "LoginHint":null,
  "SessionId":null,
  "Raw": {
    "client_id":"ACME_Swagger",
    "redirect_uri":"https://website.mydomain.com.au/signin-oidc",
    "response_type":"code id_token",
    "scope":"openid profile role email phone ACME",
    "response_mode":"form_post",
    "nonce":"637460085700247970.NTdiZWFkNWYtMTY0MS00MjY2LWE1NjMtMGYyMmZiMWQwZDUxMjBmNmY2ODctZDEyZS00NDAwLTgzMTUtZjI1M2I4NjRkZGM1",
    "state":"CfDJ8M1sREtLfp9HtU4hP4gPDTVW3bvsBw6HcSYKun2hru60z84PnY2jB9vcXp1WVS3_EyZ5AHhMmhrJGfe2jddyZiXdqhz6tDpEeIfbCOrP11N5K4waG_tB-mMulgdbjD0QefAy2RWJ8lJ1JbN8lH2Jj6HHa1eEhZPa7I8Yk254gCXPjTDZNcTUagetAY2YKlA2JE_CBOW9YGs9CALfTWRKAVVGLCFUdLRKIvBNfgZYnbF0IGyKDYgNEXwFAjRqJCNmiliche-k9EsbFSRij1LusJKpLCR1Wv2wTzoYt-mlDUOgFWIdHen0se_ymmr8iePo2hpCtrJ18Ng3SxkpJP_7ChM",
    "x-client-SKU":"ID_NETSTANDARD2_0",
    "x-client-ver":"6.7.1.0"
  },
  "$type":"AuthorizeRequestValidationLog"
}
Fourth log entry:
2021-01-12 00:36:10.281 +00:00 [ERR] Request validation failed
-
0
third log entry 2021-01-12 00:36:10.281 +00:00 [ERR] Invalid redirect_uri: https://website.mydomain.com.au/signin-oidc { "ClientId":"ACME_Swagger", "ClientName":"ACME_Swagger", "RedirectUri":null, "AllowedRedirectUris":["https://api.mydomain.com.au/swagger/oauth2-redirect.html","https://localhost:44358/swagger/oauth2-redirect.html"], "SubjectId":"anonymous", "ResponseType":null, "ResponseMode":null, ...
Your redirect URI doesn't match. You should add https://website.mydomain.com.au/signin-oidc to the redirect URIs for that client.
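To show why the mismatch in the log is fatal and what exactly has to be registered, here is an added example (not code from the original post, from IdentityServer4 or from ABP) that reproduces the strict redirect_uri comparison IdentityServer4 performs against a client's registered URIs, using the values from the third log entry as constructed sample data. The whole string is compared (case-insensitively, with no prefix or wildcard logic), so scheme, host, port and path must all agree.

```csharp
// Added example, not from the page, IdentityServer4 or ABP: a stand-alone
// console program mirroring IdentityServer4's strict redirect_uri check with
// the client data and request from the log entry above (constructed sample).
using System;
using System.Collections.Generic;
using System.Linq;

public static class RedirectUriCheck
{
    // The default validator accepts a redirect_uri only if one registered URI
    // equals it as a whole string. Exact matching is a security property: a
    // prefix or wildcard rule would let an attacker receive the authorization
    // code or id_token at a path they control on an otherwise trusted host.
    public static bool IsRedirectUriAllowed(string requested, IEnumerable<string> allowed)
        => allowed.Contains(requested, StringComparer.OrdinalIgnoreCase);

    public static void Main()
    {
        // AllowedRedirectUris for client ACME_Swagger, as shown in the log.
        var allowedRedirectUris = new List<string>
        {
            "https://api.mydomain.com.au/swagger/oauth2-redirect.html",
            "https://localhost:44358/swagger/oauth2-redirect.html",
        };

        // redirect_uri the web site sent to /connect/authorize.
        const string requested = "https://website.mydomain.com.au/signin-oidc";

        // Reproduces the "Invalid redirect_uri" error from the log.
        Console.WriteLine($"before fix: {IsRedirectUriAllowed(requested, allowedRedirectUris)}");

        // The fix from the answer: register exactly the URI the web site sends.
        allowedRedirectUris.Add(requested);
        Console.WriteLine($"after fix:  {IsRedirectUriAllowed(requested, allowedRedirectUris)}");

        // Near misses are still rejected. This is why the proxy must present the
        // site as https and the web site must build its redirect_uri from the
        // public host name rather than the container's port-80 address.
        var variants = new[]
        {
            "http://website.mydomain.com.au/signin-oidc",    // scheme differs
            "https://website.mydomain.com.au/signin-oidc/",  // trailing slash
            "https://website.mydomain.com.au:80/signin-oidc", // explicit port
        };
        foreach (var variant in variants)
        {
            Console.WriteLine($"{variant} -> {IsRedirectUriAllowed(variant, allowedRedirectUris)}");
        }
    }
}
```

Both registered URIs in the log are Swagger redirect pages and the client is named ACME_Swagger, so before widening that client's redirect list it is worth checking that the web site's configuration points at the client intended for it; if the solution also seeded a separate web client, adding the signin-oidc URI there (or pointing the web site at it) keeps the browser-based Swagger client's redirect targets to a minimum.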