How to configure tenant resolver in order to determine current tenant by the whole domain? #5650

datdv1 created 2 years ago

Hi ABP Support Team!
We a using abp commercial

UI framework: angular

ABP Version: 7.3.2

Data access: MongoDB

Deployment: Azure Kubenetes Service

Template type: Application template, separate Authen Project

Currently, I'm Following and configured in angular application with document: https://docs.abp.io/en/abp/latest/UI/Angular/Multi-Tenancy

When access to host tenant, it is working, however when access on tenant, it is not working. It cannot resolver issuer domain.
Can you help me for this?
I think because the Authen project has set config issuer domain, is that the problem?

Here is the configmap authen:

Here is the configmap angular:

Here is the configmap Host project:

Here is the configmap Authproject:

datdv1 created 2 years ago

Hi mahmut.gundogdu!
Can you help me for this?

mahmut.gundogdu created 2 years ago

Hi mahmut.gundogdu!
Can you help me for this?

Hi I am trying to produce.I have produced. In my senario, the backend did not resolve the tenant. So I am looking the issue. I will send the solution.

datdv1 created 2 years ago

Hi mahmut.gundogdu!
Can you help me for this?

Hi I am trying to produce.I have produced. In my senario, the backend did not resolve the tenant. So I am looking the issue. I will send the solution.

I'm looking forward to your response!
Thank you verry much!

datdv1 created 2 years ago

Hi mahmut.gundogdu
Currentlt, I'm using PreConfigure with AbpOpenIddictWildcardDomainOptions.
when access to tenant, It is woking resolver issuer with current tenant, However it is not https protocol.

code is my solution:

do you think it work?

maliming created 2 years ago

Support Team Fullstack Developer

I will confirm this. : )

maliming created 2 years ago

Support Team Fullstack Developer

You can try only to keep one domain, It works for me.

datdv1 created 2 years ago

Hi maliming!

In my case, api server are working as expected
However, angular from tenant cannot resolve issuer domain.
Please support me about this case

Here the configure in Angular application:

maliming created 2 years ago

Support Team Fullstack Developer

The below JSON response means the tenant resolves is works. Can you share an online website URL so we can test it online?

datdv1 created 2 years ago

Hi maliming!
I send for you my domain information.

host : ticoplatform.com
tenant: ticogroup.com

maliming created 2 years ago

Support Team Fullstack Developer

What is the angular url?

I need to reproduce the issue.

datdv1 created 2 years ago

this is angular url:
host : https://ticoplatform.com
tenant: https://ticogroup.com

maliming created 2 years ago

Support Team Fullstack Developer

btw you can only call AddDomainTenantResolver once.
Otherwise one of them will not work

datdv1 created 2 years ago

Hi maliming!
Can you explain it to me in more detail?

maliming created 2 years ago

Support Team Fullstack Developer

The DomainTenantResolveContributor always breaks the resolve process. It always has a tenant value.

So the second one will not be working anymore.

https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/DomainTenantResolveContributor.cs#L36

You can add your DomainTenantResolveContributor to change this behavior.

datdv1 created 2 years ago

Hi maliming!
Yea, I added custom resolver domain class

Here is the my code:

Can you help me see it?

maliming created 2 years ago

Support Team Fullstack Developer

The key point is: If you confirm you have found a valid tenant, then set context.Handled = true; and return a tenant name.

datdv1 created 2 years ago

Hi maliming!
Yea, I'm sure Handle variable has set value equals true and return a tenant name.

You can see the screen shot!

datdv1 created 2 years ago

Hi maliming!
I add this like below code.
But I'm having problem on anglar application.
Still the same problem I mentioned above.

Can you help me for this?

maliming created 2 years ago

Support Team Fullstack Developer

You don't need to clear all the resolvers.

You can add your Contributor after CurrentUserTenantResolveContributor

options.TenantResolvers.InsertAfter(
    r => r is CurrentUserTenantResolveContributor,
    new DomainTenantResolveContributor(domainFormat)
);

Please output some logs in your Contributor then check the logs to see what happened.

datdv1 created 2 years ago

Hi maliming
Before, I used Template Application when crete solution with single tenant. When angular application get API /.well-known/openid-configuration, the reponse is urls

example:

"issuer": "http://testing-auth.ticogroup.com/",
"authorization_endpoint": "http://testing-auth.ticogroup.com/connect/authorize",
"token_endpoint": "http://testing-auth.ticogroup.com/connect/token",
"introspection_endpoint": "http://testing-auth.ticogroup.com/connect/introspect",
"end_session_endpoint": "http://testing-auth.ticogroup.com/connect/logout",
"revocation_endpoint": "http://testing-auth.ticogroup.com/connect/revocat",
"userinfo_endpoint": "http://testing-auth.ticogroup.com/connect/userinfo",
"device_authorization_endpoint": "http://testing-auth.ticogroup.com/device",
"jwks_uri": "http://testing-auth.ticogroup.com/.well-known/jwks",

As you see, all url have http protocol.
So I configure PreConfigure OpenIddictServerBuilder to set fixed value urls with https protocol

Here is the my code:

builder
.SetAuthorizationEndpointUris(configuration["AuthServer:Authority"] + "/connect/authorize", "/connect/authorize", configuration["AuthServer:Authority"] + "/connect/authorize/callback", "/connect/authorize/callback")
// /.well-known/oauth-authorization-server
// /.well-known/openid-configuration
//.SetConfigurationEndpointUris()
// /.well-known/jwks
.SetCryptographyEndpointUris(configuration["AuthServer:Authority"] + "/.well-known/jwks", "/.well-known/jwks")
.SetDeviceEndpointUris(configuration["AuthServer:Authority"] + "/device", "/device")
.SetIntrospectionEndpointUris(configuration["AuthServer:Authority"] + "/connect/introspect", "/connect/introspect")
.SetLogoutEndpointUris(configuration["AuthServer:Authority"] + "/connect/logout", "/connect/logout")
.SetRevocationEndpointUris(configuration["AuthServer:Authority"] + "/connect/revocat", "/connect/revocat")
.SetTokenEndpointUris(configuration["AuthServer:Authority"] + "/connect/token", "/connect/token")
.SetUserinfoEndpointUris(configuration["AuthServer:Authority"] + "/connect/userinfo", "/connect/userinfo")
.SetVerificationEndpointUris(configuration["AuthServer:Authority"] + "/connect/verify", "/connect/verify");

Currently, My Project is implementing multiteancy and resolver tenant with domain.

Host:
angualr: https://ticoplatform.com
authen: https://testing-auth.ticoplatform.com
api: https://testing-api.ticoplatform.com

tenant:
angualr: https://ticogroup.com
authen: https://testing-auth.ticogroup.com
api: https://testing-api.ticogroup.com

So above code cannot work, Because above code has fixed value.
Can you guild for me any solution for automatic resolve value with tenant and https protocol.
Because domain not contains https protocol the angular application have blocked domain.

maliming created 2 years ago

Support Team Fullstack Developer

As you see, all url have http protocol.

You can add a middleware force set the scheme as https

app.Use((httpContext, next) =>
{
    httpContext.Request.Scheme = "https";
    return next();
});

datdv1 created 2 years ago

Hi maliming!
Thank you for supporting me!
My Authen service can automaticaly resolve issuer with tenant name and protocol is https
But I cannot login on tenant (angular application).
After that login successfully, you can see API get token is successfully.
But I cannot redirect to home page on angular application.

Host:
angualr: https://ticoplatform.com
authen: https://testing-auth.ticoplatform.com
api: https://testing-api.ticoplatform.com

tenant:
angualr: https://ticogroup.com
authen: https://testing-auth.ticogroup.com
api: https://testing-api.ticogroup.com