How can I get access_token using password flow for a tenant? #5485


mgurer created
  • ABP Framework version: v7.2.1
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes (commercial micro services)
  • Exception message and full stack trace:
  • Steps to reproduce the issue: Hello, I want to get a user access token using the password flow. When I post data (client_id, client_secret, grant_type, username, scope, password) to the /connect/token endpoint of the authserver, I successfully get an access token of the user for the host site. But I could not figure out how to get an access_token for the tenant site. Is there any way to get an access token by providing tenant_id using the password flow? Thanks.

5 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    You can add a new post data.

    __tenant: TenantName
    

  • mgurer created

    Thanks

  • mgurer created

    Hi again. I tested the __tenant header. Here are my test results;

    1 - I have created new tenant named "Test" with admin password 1.

    2 - I set the __tenant header to "Test", the username to admin and the password to 1, and successfully received the access token.

    3 - I removed the __tenant header, and reposted the last payload with password 1 and still got the access token. (on host site admin password is 1q2w3E*). When I look into the access_token, I still see the tenantId claim set. This behaviour is suspicious.

    4 - I set __tenant header to "XX" and password to 1 and result was a warning about missing tenant.

    5 - I removed the __tenant header once more and sent 1 as password, I got a warning about invalid credentials.

    6 - I set password to ABP default admin password, and get the access_token for host site.

    As a summary, when I set the __tenant header, it is cached, and the cache remains until an unsuccessful attempt is made.

    Can you confirm that?

  • maliming created
    Support Team Fullstack Developer

    hi

    As summary, when I set __tenant header, it is cached and until an unsuccessful attempt made, the cache remains still.

    Can you share a simple project to reproduce this?

    liming.ma@volosoft.com

  • mgurer created

    Hi,

    I have tested tenant header using Postman.

    I figured out that Postman adds a header named Cookie.

    This header also includes a field named __tenant, which stores the last successfully gathered tenant id.

    This header is hidden by default in the Postman app, so you cannot figure it out easily.

    When I remove my very own __tenant header, Postman keeps adding the hidden header to the request, which results in the strange behaviour that I described before.

    So the problem is not with ABP but with the test tool, Postman.

    Below you can see header named Cookie added by the tool.
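
Added example (not part of the thread and not ABP's own code): a Python check for the two points above, sending `__tenant` as post data and spotting a `__tenant` cookie that a test client's cookie jar attaches on its own. The `tenantid` claim name is an assumption, and the client id, secret, scope and GUID are constructed sample values.

```python
import base64
import json
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

TENANT_KEY = "__tenant"    # name used in this thread (form field, header, cookie)
TENANT_CLAIM = "tenantid"  # assumption: claim that carries the tenant in the token


def token_form(client_id, client_secret, username, password, scope, tenant=None):
    """Form body for POST /connect/token; tenant=None means a host login."""
    form = {"grant_type": "password", "client_id": client_id,
            "client_secret": client_secret, "username": username,
            "password": password, "scope": scope}
    if tenant is not None:
        form[TENANT_KEY] = tenant
    return urlencode(form)


def tenant_sources(headers, body):
    """Return every place an outgoing request names a tenant."""
    found = {}
    form = parse_qs(body)
    if TENANT_KEY in form:
        found["form"] = form[TENANT_KEY][0]
    for name, value in headers.items():
        if name.lower() == TENANT_KEY:
            found["header"] = value
        elif name.lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            if TENANT_KEY in jar:
                found["cookie"] = jar[TENANT_KEY].value
    return found


def token_tenant(access_token):
    """Tenant claim from a JWT payload (no signature check; test use only)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get(TENANT_CLAIM)


if __name__ == "__main__":
    # Constructed sample: a host login body plus a Cookie header left by the jar.
    body = token_form("MyClient", "constructed-secret", "admin", "1", "MyScope")
    headers = {"Cookie": "__tenant=00000000-0000-0000-0000-000000000001"}
    print(tenant_sources(headers, body))  # the cookie still names a tenant
```

In an integration test, assert that `tenant_sources` is empty for a request meant for the host and that `token_tenant` on the returned token matches the tenant that was requested.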

Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13