Open Closed

Issue while redirecting tenant after identity server login (using subdomain tenant resolver) #924


User avatar
0
sergei.gorlovetsky@gmail.com created

Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

  • ABP Framework version: v4.2.0
  • UI type: Angular
  • DB provider: MongoDB
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'. at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuer(String issuer, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
  • Steps to reproduce the issue: After logging in at the identity server, I'm redirected to the correct 'subdomain.mydomain.com' but I'm not in fact logged at the UI and the exception above is listed on identity server logs.txt. Cheking 'identityserver.subdomain.mydomain.com' it's possible to see 'myuser' logged at the correct tenant/subdomain. I'm using 'Tenant Specific Remote Endpoints' from https://docs.abp.io/en/abp/latest/UI/Angular/Multi-Tenancy at the front-end and 'Subdomain Tenant Resolvers' from 'https://docs.abp.io/en/abp/latest/Multi-Tenancy' for both the HttpApi.Host ({0}.api.domain.com) and IdentityServer ({0}.is.domain.com).

Identity server is logged in.

Ui is not logged in.

Do you think this is something related to the way urls are setup?

Another potential issue and something I'm not able to address right now is how to add RedirectUri objects for the subdomains, right now I'm hardcoding a 'subdomain.domain.com' redirect uri. Is there any way to dynamically redirect according to the current tenant?


7 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can take a look this https://github.com/abpframework/abp/issues/5589#issuecomment-722084689

  • User Avatar
    0
    sergei.gorlovetsky@gmail.com created

    I couldn't make your suggestion work.

    The only way I was able to get rid of the exception and login into the ui by setting the ValidateIssuer to false as in https://github.com/abpframework/abp/issues/3304#issuecomment-609030329 but this is just a work-around as it may raise some security issues.

    Regarding the RedirectUris, how can I have them defined dynamically? As I mentioned earlier I set 'subdomain.domain.com' as a redirect uri for the 'ClientelePortal_App' client directly on the database.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    For Identity Server, RedirectUris is fixed, I will try to found a way to make it dynamicall.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    You can check this https://github.com/abpframework/abp/pull/7783

  • User Avatar
    0
    sergei.gorlovetsky@gmail.com created

    Hi maliming, this proposed code change 7783 didn't work. I still need to manually add the redirect url at the database. Is some config needed?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    It's has been updated.

    https://github.com/abpframework/abp/blob/48c52625f4c4df007f04d5ac6368b07411aa7521/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AbpStrictRedirectUriValidator.cs#L39

  • User Avatar
    0
    ServiceBot created
    Support Team Automatic process manager

    This question has been automatically marked as stale because it has not had recent activity.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15