Open Closed

Tenant header __tenant on k8s ingress #10078

User avatar
0
andmattia created

ABP 7.4.5

I try to do conncetion via authserv/connect/token in k8s but no tenant __tenant receive via k8s.

Can you provide us a configuration template tu use it in this scenario?

Go to accepted answer
1 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent
    1. Solution The __tenant header is blocked by many ingress controllers (NGINX, Azure App Gateway, etc.) because it contains underscores. ABP can resolve the current tenant from multiple sources; in Kubernetes you have two reliable options:

    A) Keep using the header, but allow underscores through your ingress

    • For NGINX Ingress Controller:

      • Add these annotations to your Ingress so NGINX accepts and forwards the __tenant header:
        • nginx.ingress.kubernetes.io/enable-underscores-in-headers: "true"
        • nginx.ingress.kubernetes.io/proxy-hide-headers: "" (ensures it doesn’t hide the header)
      • Example: apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: auth-server annotations: nginx.ingress.kubernetes.io/enable-underscores-in-headers: "true" nginx.ingress.kubernetes.io/proxy-body-size: "10m" nginx.ingress.kubernetes.io/proxy-buffering: "off" # optionally preserve all headers nginx.ingress.kubernetes.io/proxy-hide-headers: "" spec: ingressClassName: nginx rules: - host: auth.mycompany.com http: paths: - path: / pathType: Prefix backend: service: name: auth-server port: number: 80

    • For plain NGINX (not ingress), ensure:

      • underscores_in_headers on;

      • and don’t use ignore_invalid_headers on; (or set off)

      • Reference config snippet: server { listen 443 ssl; server_name auth.mycompany.com;

        underscores_in_headers on;
# ignore_invalid_headers off;  # if you have it on, headers with underscore are dropped

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://auth-server-svc;
}

        }

    • Ensure your ABP app still has the header resolver enabled (it is by default): Configure<AbpTenantResolveOptions>(options => { options.AddHeaderTenantResolver(); // default uses "__tenant" });

    • Then you can request tokens with the header set: POST https://auth.mycompany.com/connect/token Headers: __tenant: my-tenant Content-Type: application/x-www-form-urlencoded Body: grant_type=password&client_id=...&client_secret=...&username=...&password=...

    B) Avoid the header; use domain or query string based tenant resolution If your ingress cannot be changed, switch to a resolver that does not use underscores.

    • Subdomain/domain based resolution:

      • Configure ABP to resolve tenant from subdomain: Configure<AbpTenantResolveOptions>(options => { // e.g. my-tenant.auth.mycompany.com options.AddDomainTenantResolver("{0}.auth.mycompany.com"); });
      • Issue token requests to https://my-tenant.auth.mycompany.com/connect/token without any __tenant header.

    • Query string fallback (for non-browser/token scenarios):

      • ABP supports query-string resolution: Configure<AbpTenantResolveOptions>(options => { options.AddQueryStringTenantResolver(); // looks for ?__tenant=... });
      • Call: POST https://auth.mycompany.com/connect/token?__tenant=my-tenant

    Important ABP middleware order (for the token endpoint and all APIs)

    • Ensure multi-tenancy runs after authentication so the tenant can be resolved from claims/header: public void Configure(IApplicationBuilder app) { app.UseCorrelationId(); app.UseRouting(); app.UseAuthentication(); app.UseMultiTenancy(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); }

    Quick verification checklist

    • Ingress accepts underscores (Option A) or you use subdomain/query (Option B).
    • The client actually sends the tenant (header, subdomain, or query).
    • AuthServer and API services include AddHeaderTenantResolver/AddDomainTenantResolver/AddQueryStringTenantResolver as needed (in most cases defaults already include header/query).
    • Middleware order has UseMultiTenancy after UseAuthentication.
    1. Sources
    • NGINX core docs (underscores in headers):
      • http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
      • http://nginx.org/en/docs/http/ngx_http_core_module.html#ignore_invalid_headers
    • ABP source (Multi-tenancy ASP.NET Core options showing tenant key and resolvers):
      • https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/AbpAspNetCoreMultiTenancyOptions.cs

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

Assignee
No one
Question details
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.1.0-preview. Updated on November 04, 2025, 06:41