Redirect / login problems using Blazor WASM and React Native apps #10074

5 Answer(s)

• 

  0

  AI-Bot created 21 days ago

  Support Team ABP Agent

  1. Solution The timeout and “Failed to refresh remote claims” logs come from ABP’s Dynamic Claims feature. In UI/microservice apps, ABP uses WebRemoteDynamicClaimsPrincipalContributor to fetch/update claims from the Auth Server via HTTP. If that internal HTTP call can’t reach the Auth Server (wrong URL, blocked by network/proxy, DNS, or service name mismatch), it retries until HttpClient’s default 100s timeout and you see net_http_request_timedout.

  Fix it by verifying and applying the steps below:

  • Confirm the RemoteRefreshUrl and BaseUrl

    • The UI (Blazor WASM host API) and each microservice must be able to reach the Auth Server internally.
    • Ensure AbpClaimsPrincipalFactoryOptions.RemoteRefreshUrl points to the Auth Server endpoint and is reachable.
    • Ensure RemoteServices:Default (or named) BaseUrl for the Auth Server is correct (schema/host/port) and resolvable from inside your cluster/pods.
    • If you are on Kubernetes and using service names (e.g., http://authserver), verify the service DNS and the namespace. Cross-namespace calls may require FQDN like http://authserver.identity.svc.cluster.local.

  • Put MultiTenancy and Authentication in correct middleware order (server apps)

    • ABP resolves tenant and then uses auth – wrong order can break tenant-aware remote claim refresh.
    • In each server/microservice: app.UseRouting(); app.UseCors(); app.UseAuthentication(); app.UseMultiTenancy(); app.UseAuthorization(); app.UseEndpoints(...);

  • Check proxy/gateway and CORS

    • If you use an API Gateway/Ingress, allow the internal remote-claims call route to pass through. Ensure no auth challenge or rewrite blocks the call.
    • If the remote URL is cross-origin (for SPA), CORS must allow it. For server-to-server (internal) calls, CORS isn’t involved, but the gateway must route correctly.

  • Kubernetes/NGINX specifics

    • Verify readiness/liveness and that the Auth Server isn’t restarting during refresh.
    • If using NGINX/Ingress, confirm service timeouts aren’t lower than 100s and that HTTP/2 or keep-alive settings aren’t prematurely closing idle connections.

  • Increase/override the distributed HTTP client timeout (optional)

    • ABP remote claims uses an HttpClient under the hood. You can increase timeout to mitigate transient delays:

  Configure<AbpHttpClientBuilderOptions>(options =>
    {
        options.ProxyClientBuildActions.Add((remoteServiceName, client) =>
        {
            if (remoteServiceName == "Default" || remoteServiceName == "AuthServer")
            {
                client.Timeout = TimeSpan.FromSeconds(300);
            }
        });
    });
  

  This should not replace fixing connectivity, but helps if your auth service occasionally takes longer.

  • Temporarily disable remote dynamic claims (to validate root cause)
    • If you disable RemoteDynamicClaims and the timeout disappears, it confirms the issue is the remote claims HTTP reachability.

  Configure<AbpClaimsPrincipalFactoryOptions>(opts =>
    {
        opts.IsDynamicClaimsEnabled = false;
    });
  

  Alternatively, provide your own IAbpDynamicClaimsPrincipalContributor that doesn’t call remote. Only use as a diagnostic step.

  • Blazor WASM specifics

    • The WASM app runs in the browser; remote claims fetching happens on the host (server API) that serves as a backend for WASM. Ensure that host can reach the Auth Server using the configured internal URL (not the public browser URL if it’s not routable inside the cluster).
    • Ensure OpenIddict/OIDC settings for the WASM client have correct redirect URIs, post-logout URIs, and that the Authority is the public URL for the browser, while the server-to-server BaseUrl is the internal reachable URL for remote claims.

  • React Native specifics

    • Use the public Authority in the mobile app for OIDC.
    • The backend (APIs) still needs internal reachability to the Auth Server for remote claims as above.

  If the above is correctly configured and you still see refresh timeouts:

  • Verify DNS resolution from the failing pod: kubectl exec into the administration pod and curl the Auth Server RemoteRefreshUrl (or its base) to confirm it connects quickly.
  • Check Auth Server logs for the corresponding requests. If none are logged, traffic isn’t reaching it (routing or DNS).
  • Ensure there is no circular redirect on the remote refresh endpoint (infinite 302s can stall).

  2. Sources

  • ABP Dynamic Claims overview (explains WebRemoteDynamicClaimsPrincipalContributor and RemoteRefreshUrl):
    • https://abp.io/docs/latest/framework/fundamentals/dynamic-claims

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  carl.hallqvist created 21 days ago

  The browser hangs during this URL:

  https://myproject.io/authentication/login-callback?code=dRaPkBDLoVlStStG3swES4WTWzePnTrfuOLz4iRH7Yo&state=98c45b8f76234a2a8a7c50f90ee98d8b&iss=https%3A%2F%2Fauth.myproject.io%2F&culture=sv&ui-culture=sv

  

  Save Cancel
• 

  0

  maliming created 20 days ago

  Support Team Fullstack Developer

  hi

  Can you try setting RemoteRefreshUrl from https to http in the myproject-administration project that is deployed to the Kubernetes environment?

  PostConfigure<AbpClaimsPrincipalFactoryOptions>(options =>
  {
      if (!string.IsNullOrEmpty(options.RemoteRefreshUrl))
      {
          options.RemoteRefreshUrl = 
              options.RemoteRefreshUrl.Replace("https://", "http://", StringComparison.OrdinalIgnoreCase);
      }
  });
  

  ---

  The default value of RemoteRefreshUrl is the same as AuthServer:Authority. What is its value in your environment?

  Thanks.

  Save Cancel
• 

  0

  carl.hallqvist created 15 days ago

  Thanks,

  Sorry for late reply. Don’t know what the problem is. However, I was restoring the database back in time and then it worked.

  Save Cancel
• 

  0

  maliming created 15 days ago

  Support Team Fullstack Developer

  ok, maybe the cache problem.

  Thanks.

  Save Cancel