We have an application that is multitenant. We have enabled the tenant domain name resolver. However, we use sign in with Microsoft, meaning we have to register an app on Azure and provide the redirect URI. If we provide the standard root of our app, we can log in with no problem because the redirect URI is valid. When a tenant tries to log in, it says the redirect URI is invalid. In this case we would have to add a new redirect URI for each subdomain for each tenant, which is tedious and could hit a limit. What can we do in code to work around this and use the one root redirect URI for the auth part?
For example, app.mydomain.com works; tenant1.app.mydomain.com does not work after returning from Microsoft login to our app.
1 Answer(s)
- This is not something you can reliably “work around in code” on the ABP side, because the invalid redirect_uri is enforced by Microsoft (Azure AD): the redirect_uri sent in the OIDC request must exactly match one of the redirect URIs registered for the Azure AD app.
- Since each tenant uses a different subdomain (tenant1.app.mydomain.com), Azure AD will see a different redirect_uri than app.mydomain.com and reject it unless it is registered.
What you can do (ABP-supported approach): use wildcard subdomain support on the ABP/OpenIddict side (for ABP’s own AuthServer/OpenIddict validations), but note it does NOT remove Azure AD’s redirect URI requirement.
Option A (Recommended): Use a single, central redirect URI domain for the Microsoft login callback
- Register one redirect URI in Azure AD, e.g. https://app.mydomain.com/signin-oidc (or whatever your callback path is).
- Always perform the external login callback on that host (the “root” / central host).
- After the callback completes, redirect the user back to the tenant domain, carrying tenant info (e.g., in a returnUrl or parameter) so ABP can resolve the tenant again.
This keeps Azure AD redirect URIs fixed and avoids registering per-tenant subdomains.
Option B: If you are using ABP AuthServer/OpenIddict and get invalid redirect_uri there (not Azure)
If the invalid redirect_uri is coming from ABP’s OpenIddict/AuthServer (common in multi-tenant domain setups), enable ABP’s wildcard-domain support so ABP accepts tenant subdomains without seeding each one. In your AuthServer module PreConfigureServices:

```csharp
using Volo.Abp.OpenIddict.WildcardDomains;

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();

    // Let OpenIddict accept any tenant subdomain that matches the format
    // instead of requiring each redirect URI to be seeded individually.
    PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
    {
        options.EnableWildcardDomainSupport = true;
        options.WildcardDomainsFormat.Add("https://{0}.app.mydomain.com");
        // add other app formats if needed
    });
}
```

And configure tenant domain resolving:

```csharp
using Volo.Abp.AspNetCore.MultiTenancy; // AddDomainTenantResolver extension
using Volo.Abp.MultiTenancy;            // AbpTenantResolveOptions

// Resolve the current tenant from the "{0}" label of the request host.
Configure<AbpTenantResolveOptions>(options =>
{
    options.AddDomainTenantResolver("{0}.app.mydomain.com");
});
```

This prevents having to seed redirect URIs per-tenant for ABP/OpenIddict.
However, again: Azure AD still requires exact redirect URIs (so Option B alone won’t solve the Azure AD registration limitation).
Links (verified):
- https://abp.io/docs/latest/guides/ms-multi-tenant-domain-resolving
- https://abp.io/community/articles/v9y8da7v
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
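The following is an added example, not code from the original answer or from ABP itself, illustrating the post-callback hop described in Option A. It assumes the same wildcard format used in the answer ("https://{0}.app.mydomain.com"), that the external login callback has already completed on the central host, and that a hypothetical endpoint (/account/tenant-return, a name chosen here) receives a returnUrl pointing back at the tenant subdomain. The security-relevant piece is that the returnUrl is validated against the tenant host pattern before redirecting, so the central callback host cannot be used as an open redirector to arbitrary domains.

```csharp
// Added example (not part of the original answer or of ABP): validates and
// builds the redirect from the central callback host back to a tenant host.
// Assumed wildcard format: "https://{0}.app.mydomain.com".
using System;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Mvc;

public sealed class TenantRedirectPolicy
{
    private readonly string _format;
    private readonly string _scheme;
    private readonly Regex _hostPattern;

    // One DNS label for the tenant: letters, digits and hyphens, no dots.
    private const string TenantLabel = "(?<tenant>[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)";

    public TenantRedirectPolicy(string wildcardDomainFormat)
    {
        _format = wildcardDomainFormat;
        var schemeEnd = wildcardDomainFormat.IndexOf("://", StringComparison.Ordinal);
        _scheme = wildcardDomainFormat.Substring(0, schemeEnd);           // "https"
        var hostTemplate = wildcardDomainFormat.Substring(schemeEnd + 3);  // "{0}.app.mydomain.com"
        var parts = hostTemplate.Split("{0}");                             // ["", ".app.mydomain.com"]

        // Anchored pattern: only hosts that differ from the template by exactly
        // one tenant label are accepted; "evil.com" or "app.mydomain.com.evil.com" fail.
        _hostPattern = new Regex(
            "^" + Regex.Escape(parts[0]) + TenantLabel + Regex.Escape(parts[1]) + "$",
            RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    }

    // Builds the URL a user is sent to after the central callback has finished.
    // The path must be site-relative ("/..." but not "//...") so it cannot
    // smuggle in a different authority.
    public string BuildTenantReturnUrl(string tenantName, string path = "/")
    {
        if (!Regex.IsMatch(tenantName, "^" + TenantLabel + "$", RegexOptions.IgnoreCase))
            throw new ArgumentException("Tenant name is not a valid host label.", nameof(tenantName));
        if (!path.StartsWith("/") || path.StartsWith("//"))
            throw new ArgumentException("Path must be site-relative.", nameof(path));

        return string.Format(_format, tenantName) + path;
    }

    // Accepts an absolute URL only if its scheme and host match the tenant
    // wildcard format; on success returns the tenant label for re-resolution.
    public bool TryGetTenantName(Uri target, out string tenantName)
    {
        tenantName = string.Empty;
        if (!string.Equals(target.Scheme, _scheme, StringComparison.OrdinalIgnoreCase))
            return false;

        var match = _hostPattern.Match(target.Host);
        if (!match.Success)
            return false;

        tenantName = match.Groups["tenant"].Value;
        return true;
    }
}

// Runs on the central host (app.mydomain.com) after the Microsoft sign-in
// callback has completed there. Hypothetical route name.
public class TenantReturnController : Controller
{
    private static readonly TenantRedirectPolicy Policy =
        new TenantRedirectPolicy("https://{0}.app.mydomain.com");

    [HttpGet("/account/tenant-return")]
    public IActionResult TenantReturn(string returnUrl)
    {
        if (Uri.TryCreate(returnUrl, UriKind.Absolute, out var target)
            && Policy.TryGetTenantName(target, out _))
        {
            // Only our own tenant subdomains get the cross-host redirect.
            return Redirect(target.ToString());
        }

        // Anything else (other domains, protocol-relative tricks) stays local.
        return LocalRedirect("/");
    }
}
```

Two design notes. First, the regex is anchored at both ends and derived from the configured format, so the allowlist of tenant hosts is the same data ABP's wildcard-domain and domain-resolver options use, rather than a second list that can drift. Second, this example only handles the redirect; for the user to still be signed in once they land on tenant1.app.mydomain.com, the authentication cookie issued on the central host has to be scoped so the tenant host can read it (a cookie Domain of .app.mydomain.com is the usual assumption), or the tenant host must complete its own sign-in. Which of those applies depends on how the ABP application is configured and is not covered by the answer above.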