Hi,
Thanks for your reply.
I have already implemented the provided configuration in our project at the time of creating this ticket. However, this solution does not resolve the issue.
Could you please provide further assistance or an alternative approach to dynamically handle tenant-specific redirect URIs?
Thanks in advance
Hi,
Is it OK to disable the issuer validation on production?
also, without SetIssuer the login works just fine on all other tenants (tenant1.mydomain.com, tenant2.mydomain.com) but not for mydomain.com, it should work the same way for all URLs, right?
Can I somehow remove SetIssuer and find a solution to the problem described above? or the only way is to bring it back and disable issuer validation?
Many thanks for considering my request.
Hi,
Thanks for your response.
There are no backend logs on this issue, on the frontend console I see:
invalid issuer in discovery document expected: https://tenant.api.mydomain.com current: https://api.mydomain.com/
and when I check the https://api.mydomain.com/.well-known/openid-configuration endpoint, I see the following configuration:
{
"issuer": "https://api.mydomain.com",
"authorization_endpoint": "https://tenant.api.mydomain.com/connect/authorize",
"token_endpoint": "https://tenant.api.mydomain.com/connect/token",
"introspection_endpoint": "https://tenant.api.mydomain.com/connect/introspect",
"end_session_endpoint": "https://tenant.api.mydomain.com/connect/logout"
}
FYI, this issue is not reproducible locally as soon as SetIssuer is in the if (!hostingEnvironment.IsDevelopment())
block.
Hi, thanks for the help. It got us quite far. I believe we only have one last issue before subdomains work for us:
we have a frontend angular method that establishes a connection to the backend but it reads the backend url from the appsettings and hence also contains the {0}, which is not resolved and not recognized by the backend.
private createConnection(): void {
this.hubConnection = new HubConnectionBuilder()
.withUrl(environment.apis.default.url + '/hubroute', { accessTokenFactory: () => localStorage.getItem('access_token') })
.withAutomaticReconnect()
.build();
}
is there an out of the box way to get the resolved tenant url in the frontend?
I added the code from that example to my project (v8.0.2) and deployed the version to an environment with an actual domain/subdomain, but it did not work. It has the issue that I described in the initial question.
can you maybe give some hints and ideas, on what could I check, and where I could have an issue?
Yes, I changed that file as well, but I am still encountering the same error. Can you please point out the configuration that will allow OpenIddict to hook the issuer from the subdomain?
From the documentation, it seems like this should achieve that:
// using Volo.Abp.OpenIddict.WildcardDomains
PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
{
options.EnableWildcardDomainSupport = true;
options.WildcardDomainsFormat.Add("https://{0}.api.mydomain.com");
});
I have included this configuration as well, but the issuer still defaults to the main domain of the backend (api.mydomain.com) instead of the subdomain (tenant.api.mydomain.com).
Is there any other setting or configuration that I might be missing to ensure the issuer includes the tenant name in the subdomain?
I checked it and tried to include changes from https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/OpenIddict/NG/aspnet-core/src/BookStore.HttpApi.Host/BookStoreHttpApiHostModule.cs to my project, however, I still get the same result and the issuer is still wrong. from the commit history, I don't see if there are more changes to be done, maybe you can give a hint about which files to look?
Hi,
Thanks for your quick response.
I also found that example and based on my comparison, it seems like I have a similar setup (nevertheless the the example version I below my current version).
ah I see, thanks for that info. How can we override the form? Any hints would be appreciated.
Thanks for the support.