Hi, I’ve resolved the infinite redirect loop issue in WF2025 (ABP v9.1.1, Angular tiered) independently. The problem stemmed from a SecurityTokenSignatureKeyNotFoundException (IDX10503) due to a kid mismatch between the AuthServer (192.168.200.18:44310) and backend (192.168.200.18:44321). I fixed it by syncing the CertificatePassPhrase with the one configured in the AuthServer and generating a new openiddict.pfx for the backend. The issue is resolved, and the app works with both FE at localhost:4200 and FE hosted at wwwRoot. Please close this ticket.
Thanks, Kien
This is the response from https://192.168.200.18:44310/.well-known/openid-configuration
{
"issuer": "https://192.168.200.18:44310/",
"authorization_endpoint": "https://192.168.200.18:44310/connect/authorize",
"token_endpoint": "https://192.168.200.18:44310/connect/token",
"introspection_endpoint": "https://192.168.200.18:44310/connect/introspect",
"end_session_endpoint": "https://192.168.200.18:44310/connect/logout",
"revocation_endpoint": "https://192.168.200.18:44310/connect/revocat",
"userinfo_endpoint": "https://192.168.200.18:44310/connect/userinfo",
"device_authorization_endpoint": "https://192.168.200.18:44310/device",
"jwks_uri": "https://192.168.200.18:44310/.well-known/jwks",
"grant_types_supported": [
"authorization_code",
"implicit",
"password",
"client_credentials",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"LinkLogin",
"Impersonation",
"ApiKeyExtensionGrant"
],
"response_types_supported": [
"code",
"code id_token",
"code id_token token",
"code token",
"id_token",
"id_token token",
"token",
"none"
],
"response_modes_supported": [
"form_post",
"fragment",
"query"
],
"scopes_supported": [
"openid",
"offline_access",
"email",
"profile",
"phone",
"roles",
"address",
"WF2025",
"Orgchart",
"eRequest"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"subject_types_supported": [
"public"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"revocation_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"device_authorization_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"claims_parameter_supported": false,
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"authorization_response_iss_parameter_supported": true
}
Additional information: the AuthServer is version 8.3.2. I've manually added some columns to one or more tables for it so that the main backend runs normally.
The AuthServer works fine for another site hosted on port 44360, which uses ABP version 8.3.2, so the problem may not be related to IIS itself. For this project, I can run everything normally (FE, BE and AuthServer); the issue only appears after deploying to IIS. Also, the backend works normally through Swagger: I can authorize and execute the endpoints. For more context, we used the same front-end and back-end configuration as the previously working site (8.3.2). We also adjusted the web.config to host the Angular app inside wwwRoot:
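<?xml version="1.0" encoding="utf-8"?>
<!--
  IIS web.config for the ASP.NET Core host (MEVN.FA.WF2025.HttpApi.Host.dll) that also
  serves the Angular front end. The URL Rewrite rules below are evaluated in document
  order and each one sets stopProcessing="true", so the first rule that matches a
  request decides how it is handled.
-->
<configuration>
  <location path="." inheritInChildApplications="false">
    <system.webServer>
      <handlers>
        <!-- Hand every path and verb to the ASP.NET Core Module. -->
        <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModuleV2" resourceType="Unspecified" />
      </handlers>
      <!--
        stdout logging is off, so stdoutLogFile has no effect as configured. If it is
        switched on to troubleshoot a startup failure, switch it off again afterwards:
        the file is not rotated and records startup errors.
      -->
      <aspNetCore processPath="dotnet"
                  arguments=".\MEVN.FA.WF2025.HttpApi.Host.dll"
                  stdoutLogEnabled="false"
                  stdoutLogFile=".\Logs\stdout"
                  hostingModel="inprocess">
        <environmentVariables>
          <environmentVariable name="ASPNETCORE_ENVIRONMENT" value="Production" />
        </environmentVariables>
      </aspNetCore>
    </system.webServer>
  </location>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Drop the header that advertises the server technology. -->
        <remove name="x-powered-by" />
      </customHeaders>
    </httpProtocol>
    <rewrite>
      <rules>
        <!--
          Explicitly pass backend routes to ASP.NET Core (action "None" leaves the URL
          untouched). The dot in ".well-known" is escaped so it matches a literal dot
          only. The alternation is a prefix match with no segment boundary, so any path
          that merely starts with one of these words is also treated as a backend route;
          Angular routes must not begin with them.
          NOTE(review): swagger and _vs are passed through while ASPNETCORE_ENVIRONMENT
          is Production. _vs looks like a development-time tooling path. Confirm both
          are meant to be reachable on the deployed site, or restrict them.
        -->
        <rule name="Backend Routes" stopProcessing="true">
          <match url="^(app|abp|api|swagger|connect|Account|_vs|\.well-known)(.*)$" />
          <action type="None" />
        </rule>
        <!--
          Serve static assets for Angular. The duplicate "svg" alternative was removed;
          the set of matched extensions is unchanged.
          NOTE(review): the pattern is not anchored at the end, so a longer extension
          that starts with a listed one (for example ".json" or ".js.map") matches on
          the ".js" part and is rewritten to the truncated path. Verify against the
          assets the build actually ships.
        -->
        <rule name="Static Assets" stopProcessing="true">
          <match url="([\S]+\.(html|htm|svg|js|css|png|gif|jpg|jpeg|eot|ttf|woff2|xlsx|ico|txt))" />
          <action type="Rewrite" url="/{R:1}" />
        </rule>
        <!--
          Route frontend requests to Angular index.html. Every condition must hold
          (MatchAll): the request is not one of the excluded prefixes and does not map
          to an existing file or directory.
          NOTE(review): the first three patterns are anchored with ^, the next four are
          not, so those four also exclude requests that contain the text anywhere in
          REQUEST_URI, query string included. Confirm whether that is intended.
        -->
        <rule name="AngularRouter Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_URI}" pattern="^/api(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="^/\.well-known(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="^/Account(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="/Error\?(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="/connect(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="/swagger(.*)$" negate="true" />
            <add input="{REQUEST_URI}" pattern="/_vs(.*)$" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
          </conditions>
          <action type="Rewrite" url="/wwwRoot/index.html" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>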
Please let me know if you need more information. Thank you