- ABP Framework version: v4.2.0
- UI type: Angular
- DB provider: MongoDB
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
  Failed to validate the token.
  Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'.
     at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuer(String issuer, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
     at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
     at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
- Steps to reproduce the issue: After logging in at the identity server, I'm redirected to the correct 'subdomain.mydomain.com' but I'm not in fact logged in at the UI and the exception above is listed in the identity server logs.txt. Checking 'identityserver.subdomain.mydomain.com', it's possible to see 'myuser' logged in at the correct tenant/subdomain. I'm using 'Tenant Specific Remote Endpoints' from https://docs.abp.io/en/abp/latest/UI/Angular/Multi-Tenancy at the front-end and 'Subdomain Tenant Resolvers' from 'https://docs.abp.io/en/abp/latest/Multi-Tenancy' for both the HttpApi.Host ({0}.api.domain.com) and IdentityServer ({0}.is.domain.com).
Do you think this is something related to the way the URLs are set up?
Another potential issue, and something I'm not able to address right now, is how to add RedirectUri objects for the subdomains; right now I'm hardcoding a 'subdomain.domain.com' redirect URI. Is there any way to dynamically redirect according to the current tenant?
7 Answer(s)
-
0
hi
You can take a look at this: https://github.com/abpframework/abp/issues/5589#issuecomment-722084689
-
0
I couldn't make your suggestion work.
The only way I was able to get rid of the exception and log in to the UI was by setting ValidateIssuer to false, as in https://github.com/abpframework/abp/issues/3304#issuecomment-609030329, but this is just a workaround as it may raise some security issues.
Regarding the RedirectUris, how can I have them defined dynamically? As I mentioned earlier, I set 'subdomain.domain.com' as a redirect URI for the 'ClientelePortal_App' client directly in the database.
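
An alternative to switching ValidateIssuer off, shown as an added example that is not part of this thread and not ABP's own code: keep issuer validation on and accept only issuers that match the `{0}.is.domain.com` format from the question. The class name `TenantIssuerValidator`, the `https` scheme and the DNS-label pattern are assumptions.

```csharp
// Added example, not ABP's code. TenantIssuerValidator is a hypothetical name;
// the "is.domain.com" suffix comes from the {0}.is.domain.com format in the question.
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

public static class TenantIssuerValidator
{
    // Exactly one DNS label (the tenant name) in front of the fixed host.
    // Anchored with \A and \z so "https://a.is.domain.com.evil.example" and
    // "https://a.b.is.domain.com" are both rejected. The https scheme is assumed.
    private static readonly Regex IssuerPattern = new Regex(
        @"\Ahttps://[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.is\.domain\.com\z",
        RegexOptions.CultureInvariant);

    // Signature matches the Microsoft.IdentityModel.Tokens.IssuerValidator delegate.
    public static string Validate(
        string issuer, SecurityToken token, TokenValidationParameters parameters)
    {
        if (!string.IsNullOrEmpty(issuer) && IssuerPattern.IsMatch(issuer))
        {
            return issuer; // accepted; returned value is used as the validated issuer
        }

        // Same exception type as in the stack trace above, so existing logging
        // and failure handling keep working.
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' is not a tenant subdomain of is.domain.com.")
        {
            InvalidIssuer = issuer
        };
    }

    // Apply inside the API host's existing AddJwtBearer(options => ...) callback.
    public static void Apply(JwtBearerOptions options)
    {
        options.TokenValidationParameters.ValidateIssuer = true;
        // When IssuerValidator is set, it replaces the ValidIssuer/ValidIssuers comparison.
        options.TokenValidationParameters.IssuerValidator = Validate;
    }
}
```

The pattern accepts any tenant label, so it checks only that the token came from a tenant subdomain of the identity server, not that the tenant in the issuer matches the tenant the API request was resolved to.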
-
0
For Identity Server, RedirectUris is fixed. I will try to find a way to make it dynamic.
-
0
You can check this https://github.com/abpframework/abp/pull/7783
-
0
Hi maliming, this proposed code change 7783 didn't work. I still need to manually add the redirect url at the database. Is some config needed?
-
0
hi
It has been updated.
https://github.com/abpframework/abp/blob/48c52625f4c4df007f04d5ac6368b07411aa7521/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AbpStrictRedirectUriValidator.cs#L39
-
0
This question has been automatically marked as stale because it has not had recent activity.