Open Closed

OpendIdConnect Configuration with multitenant url #6712


User avatar
0
dipak.z created
  • ABP Framework version: v8.0.2
  • UI Type: MVC
  • Database System: EF Core ( PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Created Project using abp suite with public site, cms, Tired and Seprate Tenant Schema

i want diff urls for tenants like for that i config

in Auth Project PreConfigure<AbpOpenIddictWildcardDomainOptions>(options => { options.EnableWildcardDomainSupport = true; options.WildcardDomainsFormat.Add("https://{0}.auth.domain.com"); });

and

Configure<AbpTenantResolveOptions>(options => { options.AddDomainTenantResolver("{0}.auth.domain.com"); });

In Web Project Configure<AbpTenantResolveOptions>(options => { options.AddDomainTenantResolver("{0}.web.domain.com"); });

in HttpApi.Host

Configure<AbpTenantResolveOptions>(options => { options.AddDomainTenantResolver("{0}.api.domain.com"); });

now i want to add in openidcconnect

in this i added urls for Application Type : Web ClientUrl : https://web.domain.com/ Redirect Uris : https://web.domain.com/signin-oidc Post Logout Redirect Uris:https://web.domain.com/signout-callback-oidc

how to config dynamic tenant wise urls in this?


11 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.Web/BookStoreWebModule.cs#L145-L177

  • User Avatar
    0
    dipak.z created

    hi

    https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.Web/BookStoreWebModule.cs#L145-L177

    i have to add in web and Httpapi.Host both?

    .AddAbpOpenIdConnect("oidc", options => { options.Authority = configuration["AuthServer:Authority"]; options.RequireHttpsMetadata = configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata"); options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];
    
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    
    options.Scope.Add("roles");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    options.Scope.Add("TestIdentity");
    
    options.Events.OnRedirectToIdentityProviderForSignOut = redirectContext =>
    {
        var currentTenant = redirectContext.HttpContext.RequestServices.GetRequiredService&lt;ICurrentTenant&gt;();
        if (currentTenant.IsAvailable)
        {
            //https://ids.getabp.net:44301
            redirectContext.ProtocolMessage.IssuerAddress =
                redirectContext.ProtocolMessage.IssuerAddress.Replace("ids",
                    $"{currentTenant.Name}.ids");
        }
    
        return Task.CompletedTask;
    };
    options.Events.OnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProviderForSignOut;
    

    });

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You only need to add AddAbpOpenIdConnect for the projects that use OpenIdConnect.

  • User Avatar
    0
    dipak.z created

    hi

    You only need to add AddAbpOpenIdConnect for the projects that use OpenIdConnect.

    i want like if i create tenant name smc then urls are smc.web.domain.com smc.auth.domain.com

    but its when i click login button from smc.web.domain.com then its redirect to auth.domain.com and throw 400 https://auth.domain.com/Error?httpStatusCode=400 In Auth Project Logs ->

    2024-02-21 13:38:35.147 +05:30 [INF] Request finished HTTP/1.1 GET https://auth.domain.com/.well-known/jwks - 200 1667 application/json;charset=UTF-8 14.1696ms 2024-02-21 13:38:39.349 +05:30 [INF] Request starting HTTP/2 GET https://auth.domain.com/connect/authorize?client_id=TestIdentity&redirect_uri=https%3A%2F%2Fsmc.web.domain.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20TestIdentity&response_mode=form_post&nonce=638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz&state=CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA&x-client-SKU=ID_NET8_0&x-client-ver=7.0.3.0 - null null 2024-02-21 13:38:39.351 +05:30 [INF] The request URI matched a server endpoint: "Authorization". 2024-02-21 13:38:39.356 +05:30 [INF] The authorization request was successfully extracted: { "client_id": "TestIdentity", "redirect_uri": "https://smc.web.domain.com/signin-oidc", "response_type": "code id_token", "scope": "openid profile roles email phone TestIdentity", "response_mode": "form_post", "nonce": "638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz", "state": "CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA", "x-client-SKU": "ID_NET8_0", "x-client-ver": "7.0.3.0" }. 2024-02-21 13:38:39.586 +05:30 [INF] Client validation failed because 'https://smc.web.domain.com/signin-oidc' was not a valid redirect_uri for TestIdentity. 2024-02-21 13:38:39.586 +05:30 [INF] The authorization request was rejected because the redirect_uri was invalid: 'https://smc.web.domain.com/signin-oidc'. 2024-02-21 13:38:39.597 +05:30 [INF] Request finished HTTP/2 GET https://auth.domain.com/connect/authorize?client_id=TestIdentity&redirect_uri=https%3A%2F%2Fsmc.web.domain.com%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20TestIdentity&response_mode=form_post&nonce=638440997151617322.ZTA2NTc1OWUtZTE0NS00ZjU0LWIyZjktZjU1ZWFlM2ExY2JhZDM0YjMxNGMtZWUwOC00YTJhLWE1NjgtM2M5ODU2NzhhNzIz&state=CfDJ8JByH2MkMuNNl3sV5fVf9nQ9ClPWZshJc5L3ihk5XA6cYJO8E0NXUtAdYFccsFRcCeSFIZ179gYHlU6firu6HkGCNjBlBiUM31kXS2GHJH2QLp7YOhtAa68iww6sv0wJOnntlRFQEIl8PFuhqGal5iLh6sFO10P3iMJ5frqaUiNEePfJfAEXUrp7hLp2457kLv6r82VdrGwEWqWloM_ZxOv9CA3lELinNxGPPl0gEyV77h96GfIlsOSloAV8G1y9XSzV-Nv43zfxOG5pTbe30bOasTmTNDJZdq6ha0i16I6oI1GP8nd8zyeLzxVyycZtbA&x-client-SKU=ID_NET8_0&x-client-ver=7.0.3.0 - 302 null null 247.1638ms 2024-02-21 13:38:39.600 +05:30 [INF] Request starting HTTP/2 GET https://auth.domain.com/Error?httpStatusCode=400 - null null

  • User Avatar
    0
    dipak.z created

    and when i open smc.auth.domain.com

    then its show all applcation in that web.domain.com is show how to change that tenant wise if smc.auth.domain.com then show smc.web.domain.com

    if auth.domain.com then show web.domain.com like that

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    [INF] Client validation failed because 'https://smc.web.domain.com/signin-oidc' was not a valid redirect_uri for TestIdentity.
    [INF] The authorization request was rejected because the redirect_uri was invalid: 'https://smc.web.domain.com/signin-oidc'.
    
    PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
    {
        options.EnableWildcardDomainSupport = true;
        options.WildcardDomainsFormat.Add("https://{0}.auth.domain.com");
        options.WildcardDomainsFormat.Add("https://{0}.web.domain.com/signin-oidc");
       
    });
    

    Try to add https://{0}.web.domain.com/signin-oidc to WildcardDomainsFormat

  • User Avatar
    0
    dipak.z created

    Ok after adding this its working.Thank you for support. but if i open https://smc.auth.domain.com

    then show all applications in this when i open web application this open https://web.domain.com but i want if tenant open than directly open https://smc.web.domain.com this url.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    then show all applications in this when i open web application this open https://web.domain.com but i want if tenant open than directly open https://smc.web.domain.com this URL.

    I don't understand this very well. Can you explain in detail?

    Thanks

  • User Avatar
    0
    dipak.z created

    hi

    then show all applications in this when i open web application this open https://web.domain.com but i want if tenant open than directly open https://smc.web.domain.com this URL.

    I don't understand this very well. Can you explain in detail?

    Thanks

    when i create new tenant example name smc. then its urls are : https://smc.web.domain.com (Web Project) and for auth : https://smc.auth.domain.com (Auth Project)

    when we open https://auth.domain.com (Auth Project) it shows all application of openidconnect with urls , name and icons in this web project url shown as https://web.domain.com and when we open https://smc.auth.domain.com but its shown web url as https://web.domain.com instead of https://smc.web.domain.com this

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can replace these URLs on the index.cshtml page.

    Same as

    //https://ids.getabp.net:44301
    redirectContext.ProtocolMessage.IssuerAddress =
        redirectContext.ProtocolMessage.IssuerAddress.Replace("ids",
            $"{currentTenant.Name}.ids");
    

  • User Avatar
    0
    dipak.z created

    Thank you its working fine.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09