I created new applications under OpenID > Applications, and SSO is working correctly. For example, I can sign in to my Next.js application using abp.io accounts.
Now I’d like to update the flow so that when users click the SSO sign-in button from the Next.js application, the abp.io site automatically switches to a specific tenant—for example, the tenant “NextJs”—when the user lands on the /Account/Register page.
I noticed that the Next.js app invokes /connect/authorize?client_id=Next_app. So I’m wondering: can we add server-side logic in abp.io to automatically switch to the “NextJs” tenant when client_id equals Next_app?
Is this a good solution? If so, how should it be implemented? Or is there a better recommended approach for tenant resolution in this case?
2 Answer(s)
-
0
- Solution
Recommended approach: Resolve the tenant using a standard tenant resolver (domain/subdomain, route, header, or query string) instead of deriving it from client_id. ABP’s multi-tenancy pipeline is designed to determine the current tenant before MVC/OpenIddict endpoints run. Tying tenant selection to client_id is brittle (one client may serve multiple tenants; client names can change; it bypasses ABP’s resolvers). Prefer:
- Subdomain/domain resolver (e.g., https://nextjs.yoursite.com)
- Route resolver (e.g., https://yoursite.com/nextjs/Account/Register)
- Query string or header (e.g., __tenant=NextJs)
If you still want to implement a client_id-to-tenant mapping: add a custom ITenantResolveContributor that checks the request when OpenIddict’s authorize/login/register endpoints are hit and sets the tenant from a mapping dictionary. Ensure you register it very early in the resolver pipeline and only apply it for the authorize/login/register paths, so you don’t affect other requests.
Code: Domain/route (recommended)
- Domain/subdomain resolver:
// In YourProjectNameHttpApiHostModule (or AuthServer module if separated) using Volo.Abp.MultiTenancy; public override void ConfigureServices(ServiceConfigurationContext context) { var configuration = context.Services.GetConfiguration(); Configure<AbpTenantResolveOptions>(options => { // Example: https://{0}.yourdomain.com options.AddDomainTenantResolver("{0}.yourdomain.com"); }); }- Route resolver:
- Add {__tenant} to the Account pages/routes or globally, then the authorize/login flows will carry the tenant in the route and ABP will resolve it automatically. See the community article technique to add a route convention if you want it globally.
Code: Custom contributor mapping client_id -> tenant (if you must)
using System.Threading.Tasks; using Microsoft.AspNetCore.Http; using Microsoft.Extensions.Primitives; using Volo.Abp.DependencyInjection; using Volo.Abp.MultiTenancy; public class ClientIdTenantResolveContributor : HttpTenantResolveContributorBase, ITransientDependency { public const string ContributorName = "ClientIdTenant"; public override string Name => ContributorName; protected override Task<string?> GetTenantIdOrNameFromHttpContextOrNullAsync( ITenantResolveContext context, HttpContext httpContext) { // Only act on OIDC endpoints to avoid side effects var path = httpContext.Request.Path.Value ?? ""; if (!path.StartsWith("/connect/authorize") && !path.StartsWith("/Account/Login") && !path.StartsWith("/Account/Register")) { return Task.FromResult<string?>(null); } // Read client_id from query (OpenIddict authorize request) if (httpContext.Request.Query.TryGetValue("client_id", out StringValues clientIds)) { var clientId = clientIds.ToString(); // Your mapping: client_id => tenant name // Example: Next_app => "NextJs" var tenantName = MapClientIdToTenantName(clientId); if (!tenantName.IsNullOrWhiteSpace()) { return Task.FromResult<string?>(tenantName); } } return Task.FromResult<string?>(null); } private static string? MapClientIdToTenantName(string clientId) { return clientId switch { "Next_app" => "NextJs", // add other mappings here _ => null }; } }Register it early in the pipeline (before others that you want it to override):
public override void ConfigureServices(ServiceConfigurationContext context) { Configure<AbpTenantResolveOptions>(options => { // Put it at the beginning if you want it to take precedence options.TenantResolvers.Insert(0, new ClientIdTenantResolveContributor()); }); }- Notes and caveats:
- client_id can be reused by multiple tenants in many deployments; mapping it to a single tenant may force the wrong tenant.
- If you adopt domain or route resolver, the Account UI will already know the tenant, and OpenIddict authorize will honor it consistently.
- For Angular/Next.js SPAs, also ensure your frontend sends the tenant via domain or adds __tenant in the query/header automatically. For Angular, navigateToLogin can accept __tenant; for custom Next.js redirects you can include __tenant in the authorize URL if you use query-string tenant resolver.
- Sources
- https://abp.io/docs/latest/framework/architecture/multi-tenancy
- https://abp.io/docs/latest/framework/architecture/multi-tenancy#tenant-resolution
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
hi
You can pass a
__tenantparameter when you log in to your NextJS client.&__tenant=NextJseg:
https://account.abp.io/connect/authorize?client_id=www-web-client&__tenant=NextJs&redirect_uri=https%3A%2F%2Fabp.io%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20abpio&response_mode=form_post&nonce=xxxxx&x-client-SKU=ID_NET9_0&x-client-ver=8.14.0.0Thanks.
