Domain/Subdomain Tenant Resolver configuration issues #8157

• ABP Framework version: v8.3.2
• UI Type: Blazor Server
• Database System: EF Core (SQL Server)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes
• Steps to reproduce the issue:

I'm trying to configure domain/subdomain tenant resolving. I'd like to do it on local environment and test it. I saw documentation about that: https://abp.io/docs/latest/framework/architecture/multi-tenancy#domain-subdomain-tenant-resolver and I did all needed changes but with no success.

Let's start to configure that on a new project.

1. Run abp cli to create blank project

abp new MainPortal -t app-pro -u blazor-server -d ef -csf --tiered

2. Modify all addresses to use custom domain, the same as in the docs - "mydomain.com" with the same ports as it was assigned at the beginning of created project.
3. Add all code changes that are presented in the docs: https://abp.io/docs/latest/framework/architecture/multi-tenancy#domain-subdomain-tenant-resolver
4. Add in windows hosts file:

127.0.0.1 mydomain.com
127.0.0.1 tenant1.mydomain.com

5. Run db migrator.
6. Run all 3 apps (blazor, auth, api.host). In the blazor web app error appears: "AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch". I suppose that this is connected only with local development environment. So in MainPortalBlazorModule/cs add:

public override void PreConfigureServices(ServiceConfigurationContext context)
...
    if (context.Services.GetHostingEnvironment().IsDevelopment())
    {
        PreConfigure<AbpHttpClientBuilderOptions>(options =>
        {
            options.ProxyClientBuildActions.Add((remoteServiceName, clientBuilder) =>
            {
                clientBuilder.ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler
                {
                    ClientCertificateOptions = ClientCertificateOption.Manual,
                    ServerCertificateCustomValidationCallback =
                    (httpRequestMessage, cert, cetChain, policyErrors) =>
                    {
                        return true;
                    }
                });
            });
        });
    }

7. Web portal works fine. After clicking on Login button the same error occurs: "AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch". So in MainPortalBlazorModule/cs add:

private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
...
    .AddAbpOpenIdConnect("oidc", options =>
    {
    ...
    
         if (context.Services.GetHostingEnvironment().IsDevelopment())
         {
             options.BackchannelHttpHandler = new HttpClientHandler
             {
                 ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
             };
         }

8. Now login process for host admin works fine. Unfortunately i can't see any menu options on the left side after successful login. It's because of the httpapi.host errors. So in MainPortalHttpApiHostModule.cs I have to add:

  private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
 {
     context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
         .AddAbpJwtBearer(options =>
		 ...
		 
    		 options.TokenValidationParameters.IssuerValidator = TokenWildcardIssuerValidator.IssuerValidator;
    			options.TokenValidationParameters.ValidIssuers = new[]
    			{
    				"https://{0}.mydomain.com:44320/",
    				"https://mydomain.com:44320/" // i had to add this line in order to make it work even though I set TokenWildcardIssuerValidator
    			};
    		 
    		 
    		  if (context.Services.GetHostingEnvironment().IsDevelopment())
    		 {
    			 options.TokenValidationParameters.ValidateIssuerSigningKey = false;
    			 options.TokenValidationParameters.SignatureValidator = delegate (string token, TokenValidationParameters parameters)
    			 {
    				 return new JsonWebToken(token);
    			 };
    		 }

I have no idea why TokenWildcardIssuerValidator does not correctly valid issuers and I had to add it manually - that's the important thing that is different than docs said.

9. Now menu items are correctly visible.
10. Add one tenant: "tenant1"
11. In blazor web app enter url: tenant1.mydomain.com:44383 (port assigned to web app) and click on login button. After redirection I noticed that auth server url is still without tenant name. And probably that's why after successful login i'm still logged in as a host admin instead of tenant admin. As I checked examples (there is no example for blazor, so I had to use example for mvc) https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver and https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver/MVC-TIERED In the example above we are redirected to auth server with tenant name int the url and after login we are logged in as tenant admin. There is nothing about that redirection in the docs, so I have no idea if there is something missing in the documentation or the issue is different.
12. I analyzed the examples and added in PortalBlazorModule.cs:

private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
...
	.AddAbpOpenIdConnect("oidc", options =>
	...
		options.Events.OnRedirectToIdentityProviderForSignOut = redirectContext =>
		{
			var currentTenant = redirectContext.HttpContext.RequestServices.GetRequiredService<ICurrentTenant>();
			if (currentTenant.IsAvailable)
			{
				redirectContext.ProtocolMessage.IssuerAddress =
					redirectContext.ProtocolMessage.IssuerAddress.Replace("https://", $"https://{currentTenant.Name}.");
			}

			return Task.CompletedTask;
		};
		options.Events.OnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProviderForSignOut;

13. Now when I try to login as a tenant i'm redirected to the auth server where url contains tenant name. But after login I get an error on the web portal:

SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'https://tenant1.mydomain.com:44320/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: 'null' or validationParameters.ConfigurationManager.CurrentConfiguration.Issuer: 'https://mydomain.com:44320/'

Port 44320 is assigned to the auth server. In my opinion there is something wrong with configuration - auth server probably should set issuer always as "'https://mydomain.com:44320/'" so without tenant name. In the mvc example (https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver/MVC-TIERED) in PortalAuthServerModule.cs there is a configuration which is probably responsible for this:

Configure<IdentityServerOptions>(options =>
{
    options.IssuerUri = configuration["App:SelfUrl"];
});

But as I said example is for mvc app and identity server and i've got blazor server and openid.

14. I tried to set in web portal custom ValidIssuers based on that error, but it didn' helped.

In my opinion something important is missing in the docs: https://abp.io/docs/latest/framework/architecture/multi-tenancy#domain-subdomain-tenant-resolver especially when I looked on example: https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver/MVC-TIERED

I would be really grateful for any help to solve that issue and make Domain/Subdomain Tenant Resolver work :)