Open Closed

How can I get access_token using password flow for a tenant? #5485


User avatar
0
mgurer created
  • ABP Framework version: v7.2.1
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes (commecial micro services)
  • Exception message and full stack trace:
  • Steps to reproduce the issue: Hello, I want to get user access token using password flow. When I post data (client_id,client_secret,grant_type,username,sope,password) to /connect/token endpoint of authserver, I successfuly get access token of the user for the host site. But I could not figure out how to get access_token for the tenant site. Is there any way to get access token by providing tenant_id using password-flow? Thanks.

5 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can add a new post data.

    __tenant: TenantName
    

  • User Avatar
    0
    mgurer created

    Thanks

  • User Avatar
    0
    mgurer created

    Hi again. I tested the __tenant header. Here are my test results;

    1 - I have created new tenant named "Test" with admin password 1.

    2 - I set __tenant header to "Test" and username to admin and password to 1 and successfuly received the accesstoken.

    3 - I removed the __tenant header, and reposted the last payload with password 1 and still got the access token. (on host site admin password is 1q2w3E*). When I look into the access_token, I still see the tenantId claim set. This behaviour is suspicious.

    4 - I set __tenant header to "XX" and password to 1 and result was a warning about missing tenant.

    5 - I removed the __tenant header once more and sent 1 as password, I got a warning about invalid credentials.

    6 - I set password to ABP default admin password, and get the access_token for host site.

    As summary, when I set __tenant header, it is cached and until an unsuccessful attempt made, the cache remains still.

    Can you confirm that?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    As summary, when I set __tenant header, it is cached and until an unsuccessful attempt made, the cache remains still.

    Can you share a simple project to reproduce this?

    liming.ma@volosoft.com

  • User Avatar
    0
    mgurer created

    Hi,

    I have tested tenant header using Postman.

    I figured out that postman adds a header named cookie.

    This header also includes a field named __tenant which stores the last successfuly gathered tenantid.

    This header is hidden by default on the postman app, which you can not figure out easily.

    When I remove my very own __tenant header, Postman keeps adding the hidden header to the request which results as the strange behaviour that I already told before.

    So, there is no problem with ABP but the test tool POSTMAN.

    Below you can see header named Cookie added by the tool.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38