Open Closed

Multitenant on separated IDS #3924


User avatar
0
andmattia created
  • ABP Framework version: v5.3.1
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

I try to use this scenario in multi tenant env: Angular IDS API

We follow the guide https://support.abp.io/QA/Questions/1552/Better-Documentation-for-Multi-Tenant-Subdomain-Resolver but not work.

We are able to login in IDS tenant (es t1.auth.mydomain.com) and open Api in tenant (t1.api.mydomain.com) but when I try to authorize my api client the auth login url is auth.mydomain.com and not t1.auth.mydomain.com so the authentication move to host and not to correct tenant.

on appsettings.json

 For IDS
 "SelfUrl": "https://{0}.auth.mydomain.com",
 "TenantResolver": "https://{0}.auth.maydomain.com"
 


For API
 "SelfUrl": "https://api.mydomain.com",
 "TenantResolver": "https://{0}.api.maydomain.com"
 
    "AuthServer": {
        "Authority": "https://auth.maydomain.com",
        "RequireHttpsMetadata": "true",
        "SwaggerClientId": "client_Swagger",
        "SwaggerClientSecret": "1234567"
    },

on IDS ConfigService we put on top of module

       .....
        context.Services.AddAbpStrictRedirectUriValidator();
        context.Services.AddAbpClientConfigurationValidator();
        context.Services.AddAbpWildcardSubdomainCorsPolicyService();
        Configure<AbpTenantResolveOptions>(options =>
        {
            options.AddDomainTenantResolver(configuration["App:TenantResolver"]);
        });

        Configure<IdentityServerOptions>(options =>
        {
            options.IssuerUri = configuration["App:SelfUrl"];
        });
        
       ....

and on HttpApiHost

        ....
        Configure<AbpTenantResolveOptions>(options =>
        {
            options.AddDomainTenantResolver(configuration["App:TenantResolver"]);
        });
        .....


12 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you reproduce the problem via DomainTenantResolver

  • User Avatar
    0
    andmattia created

    Hi

    I can't because not existing this configuration.

    The NG has identity server is not separated

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok, I see, I will add the new project to DomainTenantResolver

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://github.com/abpframework/abp/issues/14435

  • User Avatar
    0
    andmattia created

    I think the problem is related to auth. This is the information the API try to use to authorize.

    oauth2 (OAuth2, authorizationCode) Authorization URL: https://auth.mydomain.com/connect/authorize Token URL: https://auth.mydomain.com/connect/token Flow: authorizationCode

    Is it correct?

    About the git repo, your request is to clone the repo and reproduce the issue?

  • User Avatar
    0
    andmattia created

    I re check all configuration on my module and work (partially on Angular).

    I need to add to environment.ts

    skipIssuerCheck: true
    

    After Add this my app will be redirect to correct Auth Server (es Tenant 1 (t1) -> https://t1.auth.mydomain.com) but I use the custom login into angular with customize Login/register page

    export class AppComponent {
      constructor(private replaceableComponentsService: ReplaceableComponentsService) {}
    
      ngOnInit() {
        this.replaceableComponentsService.add({
          key: eAccountComponents.Login,
          component: LoginComponent,
        });
        this.replaceableComponentsService.add({
          key: eAccountComponents.Register,
          component: RegisterComponent,
        });
        this.replaceableComponentsService.add({
          key: eThemeLeptonComponents.AccountLayout,
          component: AccountLayoutComponent,
        });
      }
    }
    

    This work fine if I don't use a normal tenant selector but in tenant rosolve by name when I click login I'll be redirect to Auth (Mvc page and not to angular route). I doesn't work on tenant/host side

    I look into the call /.well-known/openid-configuration and I see that and i console I read an error that

    main.fbfd4e772f61baa1.js:1 invalid issuer in discovery document expected: https://t1.mydomain.com current: https://auth.mydomain.com

    "issuer": "https://auth.mydomain.com",
    "jwks_uri": "https://t1.auth.mydomain.com/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://t1.auth.mydomain.com/connect/authorize",
    "token_endpoint": "https://t1.auth.mydomain.com/connect/token",
    "userinfo_endpoint": "https://t1.auth.mydomain.com/connect/userinfo",
    "end_session_endpoint": "https://t1.auth.mydomain.com/connect/endsession",
    "check_session_iframe": "https://t1.auth.mydomain.com/connect/checksession",
    "revocation_endpoint": "https://t1.auth.mydomain.com/connect/revocation",
    "introspection_endpoint": "https://t1.auth.mydomain.com/connect/introspect",
    "device_authorization_endpoint": "https://t1.auth.mydomain.com/connect/deviceauthorization",
    "frontchannel_logout_supported": true,
    "frontchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "backchannel_logout_session_supported": true,
    
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    main.fbfd4e772f61baa1.js:1 invalid issuer in discovery document expected: https://t1.mydomain.com current: https://auth.mydomain.com

    I see the /oauth-service.ts code and it should throw error when if (!this.skipIssuerCheck && doc.issuer !== this.issuer) {

    https://github.com/manfredsteyer/angular-oauth2-oidc/blob/d95d7da788e2c1390346c66de62dc31f10d2b852/projects/lib/src/oauth-service.ts#L639

    You have set skipIssuerCheck: true so the error should not throw.

  • User Avatar
    0
    andmattia created

    Hi

    I see the same and it works but redirect me to IDS page e not to my local login in angular why?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will add a sample.

    https://github.com/abpframework/abp/issues/14435

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Here is my angular config and I tested, It works.

    import { Environment } from '@abp/ng.core';
    
    const baseUrl = 'https://{0}.ng.getabp.net:4200';
    
    const oAuthConfig = {
      issuer: 'https://{0}.ids.getabp.net:44301',
      redirectUri: baseUrl,
      clientId: 'BookStore_App',
      responseType: 'code',
      scope: 'offline_access BookStore',
      requireHttps: true,
    };
    
    export const environment = {
      production: false,
      application: {
        baseUrl,
        name: 'BookStore',
      },
      oAuthConfig,
      apis: {
        default: {
          url: 'https://{0}.api.getabp.net:44302',
          rootNamespace: 'BookStore',
        },
        AbpAccountPublic: {
          url: oAuthConfig.issuer,
          rootNamespace: 'AbpAccountPublic',
        },
      },
    } as Environment;
    
    
  • User Avatar
    0
    andmattia created

    Hi

    from my side it not works but I found this post and I remove

     responseType: 'code',
    

    After that my login on angular side work I dont redirect me to IDS login page.

    The issue still exists on API if I try to login from swagger the app redirect me to base auth and not to tenant auth

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I didn't change the swagger behavior. So it does not support the subdomain.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09