Domain-Based Tenant Resolver Issue in ABP 9.0.4 – Infinite Login Loop (Localhost) & Tenant Login Failure (Deployed) #10383


Rishi1532 created

Hello ABP Support Team,

We are facing issues with Domain-Based Tenant Resolution while using ABP Framework 9.0.4 (Angular + OpenIddict).

We followed the official ABP community article below **exactly** to implement the domain-based tenant resolver:

https://abp.io/community/articles/how-to-use-domainbased-tenant-resolver-in-abp-with-angular-and-openiddict-v9y8da7v

⚠️ Note: The sample source code provided in the article is based on ABP 10.0.2, while our application is using ABP 9.0.4.

Environment Details

  • ABP Version: 9.0.4

  • Frontend: Angular

  • Authentication: OpenIddict

  • Tenant Resolution: Domain-based tenant resolver

  • Hosting: Localhost (custom domains) / Deployed environment

Source Code (Public Repository)

GitHub repository with full source code and configuration:

https://github.com/RISHI-KH-2611/Test/tree/sourcecode

We recreated a demo project in **ABP 9.0.4** and followed the exact same implementation and steps as mentioned in the article and the sample project.

Public Deployed URL (For Testing)

https://dentpalqaaumtech.org/

  • Username / Password: ABP default credentials

Issues Observed

1️⃣ **Localhost + Custom Domains**

Issue: Infinite login redirect loop

Steps:

  • Run the application locally

  • Configure and access the app using custom domains

  • Attempt to log in as a tenant user

Observed Behavior:

  • Login page continuously redirects

  • Authentication never completes

  • Results in an infinite login loop

2️⃣ **Deployed Environment**

Issue: Tenant users cannot log in (Host admin works)

Observed Behavior:

  • Host Admin can log in successfully

  • Tenant users are unable to log in

  • Login either redirects back to the login screen or fails silently after authentication

Expected Behavior:

  • Tenant users should be able to log in based on domain resolution

  • Authentication flow should work consistently for both host and tenants

Request for Assistance

Could you please help us understand:

  1. Whether domain-based tenant resolution behaves differently in ABP 9.0.4
  2. If any additional configuration is required for Angular + OpenIddict in ABP 9.x
  3. Whether this is a known issue or limitation in ABP 9.x
  4. Recommended workaround or fix if upgrading to 10.x is the only solution

2 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    • In ABP 9.0.x (Angular + OpenIddict), domain/subdomain tenant resolution commonly breaks the OIDC code flow unless you also enable wildcard domain support for OpenIddict and ensure the issuer/redirect/cors/client configuration matches the tenant-specific domain(s). Symptoms are exactly what you described: infinite login loop (Angular keeps trying to complete code flow but token/config validation fails) or tenant login works for host only.

    • The community article you followed includes the key ABP-side requirement (wildcard support) via AbpOpenIddictWildcardDomainOptions. You must apply it in ABP 9.0.4 too (in your *.HttpApi.Host module), and you must also make sure your client URLs / redirect allowed URLs / CORS origins are compatible with subdomains.

    1) Backend (HttpApi.Host): enable wildcard domain support + domain tenant resolver

    In your HttpApiHostModule (ABP 9.0.4), configure both:

    using Volo.Abp.MultiTenancy;
    using Volo.Abp.OpenIddict.WildcardDomains;
    
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
        {
            options.EnableWildcardDomainSupport = true;
    
            // IMPORTANT: Add formats matching your real UI domain(s)
            // Example (production):
            options.WildcardDomainsFormat.Add("https://{0}.dentpalqaaumtech.org");
    
            // Example (local):
            // options.WildcardDomainsFormat.Add("http://{0}.multitenancydemo.local:4200");
        });
    }
    
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpTenantResolveOptions>(options =>
        {
            options.AddDomainTenantResolver("{0}.dentpalqaaumtech.org");
            // local example: options.AddDomainTenantResolver("{0}.multitenancydemo.local");
        });
    }
    

    If your localhost custom domain testing is done over HTTP, you must also disable the transport security requirement for OpenIddict server in DEBUG (as shown in the article), otherwise the flow will fail/loop:

    #if DEBUG
    PreConfigure<OpenIddictServerBuilder>(options =>
    {
        options.UseAspNetCore().DisableTransportSecurityRequirement();
    });
    #endif
    

    2) Angular: baseUrl/redirectUri must use {0} pattern (and HTTPS requirement must match)

    Your Angular environment.ts (or dynamic env) must match the tenant domain pattern you use:

    • application.baseUrl should be https://{0}.dentpalqaaumtech.org (or your localhost domain pattern)
    • oAuthConfig.redirectUri should usually be the same baseUrl pattern
    • If you are testing locally with http, set requireHttps: false

    This is required so Angular computes tenant context correctly from the URL and completes the code flow without bouncing.

    3) Production/deployed: fix “host works but tenant users can’t login”

    This almost always indicates redirect uri / CORS / authority mismatch between:

    • the URL the browser is on (https://tenant1.dentpalqaaumtech.org)
    • what the auth server thinks is valid (RedirectAllowedUrls, client redirect URIs, CORS origins)
    • and OpenIddict issuer validation across subdomains (wildcard support)

    Ensure your appsettings.json has tenant-compatible entries (examples):

    • App:SelfUrl should be the actual backend URL (not tenant-subdomain unless you truly host backend per-tenant)
    • App:CorsOrigins should include your tenant subdomain pattern as supported by ABP’s wildcard cors helpers (don’t invent formats OpenIddict/ABP can’t parse)
    • App:RedirectAllowedUrls must include tenant UI domains that will receive the authorization code callback (e.g. https://*.dentpalqaaumtech.org style rules depending on your setup)

    Also, after changing these, run DbMigrator (or otherwise update OpenIddict/clients in DB) so redirect URI/cors/client settings are not stale.

    4) Why you see an infinite loop specifically

    In ABP Angular, the app will try to exchange the code for tokens and then load the application configuration. If issuer/redirect/CORS/wildcard-domain support is not correctly aligned for the tenant domain, the exchange/config call fails, and Angular navigates back to login again → loop.

    This behavior is consistent with ABP support cases where a misconfigured OpenIddict certificate or issuer also causes loops, but in domain-tenant scenarios the most frequent root cause is missing wildcard domain support and/or mismatched allowed redirect/CORS/client settings.


    Sources (validated)

    • https://abp.io/community/articles/how-to-use-domainbased-tenant-resolver-in-abp-with-angular-and-openiddict-v9y8da7v
    • https://abp.io/docs/latest/framework/ui/angular/multi-tenancy

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
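
Added example (not from the thread and not ABP's own code): a TypeScript preflight check for the alignment the answer above describes, confirming that a tenant UI origin fits a `{0}` wildcard format and that the host-only resolver format yields the same tenant name. The function names, the constructed `app.example` domain and the strict one-label matching rule are assumptions made here; ABP's internal matching may differ.

```typescript
// Added example, not ABP source. Names and the strict one-label rule are assumptions.
// Constructed sample domain: app.example (substitute your own formats).

const ORIGIN = /^https?:\/\/[a-z0-9.-]+(:\d{1,5})?$/;   // scheme://host[:port], nothing else
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/;   // one DNS label, no dots

// Returns the tenant label if `origin` fits `format` ("https://{0}.app.example"), else null.
function matchFormat(origin: string, format: string): string | null {
  const o = origin.toLowerCase();
  if (!ORIGIN.test(o)) return null;                     // rejects paths, userinfo, fragments
  const parts = format.toLowerCase().split("{0}");
  if (parts.length !== 2) return null;                  // exactly one placeholder
  const [prefix, suffix] = parts;
  if (o.length <= prefix.length + suffix.length) return null;
  if (!o.startsWith(prefix) || !o.endsWith(suffix)) return null;
  const label = o.slice(prefix.length, o.length - suffix.length);
  return LABEL.test(label) ? label : null;              // "a.b" or "" is not a tenant
}

interface Preflight { ok: boolean; tenant: string | null; reason: string; }

// Checks that a UI origin fits a configured wildcard format and that the
// host-only resolver format ("{0}.app.example") yields the same tenant name.
function preflight(origin: string, wildcardFormats: string[], resolverFormat: string): Preflight {
  let tenant: string | null = null;
  for (const f of wildcardFormats) {
    tenant = matchFormat(origin, f);
    if (tenant !== null) break;
  }
  if (tenant === null) return { ok: false, tenant, reason: "origin fits no wildcard format" };
  // Strip scheme and port to get the host name the resolver format is written against.
  const host = origin.toLowerCase().replace(/^https?:\/\//, "").replace(/:\d+$/, "");
  const resolved = matchFormat("https://" + host, "https://" + resolverFormat);
  if (resolved !== tenant) return { ok: false, tenant, reason: "resolver format disagrees" };
  return { ok: true, tenant, reason: "aligned" };
}
```

Running `preflight` against each tenant origin before deployment shows whether a scheme, port or suffix mismatch between the configured formats is the reason a login never completes.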

  • maliming created
    Support Team Fullstack Developer

    hi

    Do not open-source your repository, please make it private and invite me as a contributor.

    https://github.com/maliming

Made with ❤️ on ABP v10.2.0-preview. Updated on February 02, 2026, 07:17