Hi, this is related to our previous question about WebAssembly login with tenant resolution: https://abp.io/support/questions/9431/Blazor-WebApp-login-issues-with-tenant-resolution-and-Wasm
After the solution, we put it in staging and noticed that when a user is logged in to a tenant, all tenants (and host) are logged in too. This happens only with WebAssembly. We tried different cookie options and also setting the tenant prefix in the RemoteServices like this, without success.
Sample solution: DELETED
Logged in to one tenant. The others are authenticated too.
Thanks in advance.
7 Answer(s)
-
0
In ABP Blazor WebAssembly multi-tenant setups using subdomains, if logging into one tenant also authenticates you in all tenants (and host), the root cause is typically the authentication cookie's domain scope. By default, cookies are set for the parent domain (e.g., `.local.test`), making them accessible to all subdomains, which results in shared authentication across tenants.
To ensure tenant isolation, you must configure the authentication cookie to be scoped to each subdomain (tenant) rather than the parent domain. In Blazor WASM, this is handled by the OIDC provider and the backend's cookie settings.
Solution Steps:
Set Cookie Domain Per Subdomain:
- In your backend (HttpApi.Host), configure the cookie domain to be the exact subdomain (e.g., `t1.local.test`, `t2.local.test`) instead of `.local.test`.
- Example:
```csharp
Configure<CookieAuthenticationOptions>(IdentityConstants.ApplicationScheme, options =>
{
    options.Cookie.Domain = null; // Do not set to .local.test
});
```
- If you set `options.Cookie.Domain = null`, the cookie will be scoped to the current subdomain.
OIDC Redirect URIs:
- Ensure each tenant's OIDC client configuration uses the correct subdomain in the redirect URIs and post-logout URIs.
- Example in `appsettings.json` for each client: `"RootUrl": "https://{0}.local.test:44334"`
Blazor WASM RemoteServices Configuration:
- In your Blazor project, dynamically set the `Authority` and `BaseUrl` to include the current tenant subdomain at runtime, as described in Step 5 of the referenced guide.
Clear Cookies and Test:
- After making these changes, clear your browser cookies and test logging in to different tenants in separate tabs. Each tenant should now have its own authentication context.
Summary:
The issue is caused by the authentication cookie being shared across subdomains. Scoping the cookie to each subdomain resolves the problem and ensures proper tenant isolation.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
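The cookie scoping rule the answer above relies on (a `Domain` attribute exposes a cookie to every subdomain, while omitting it keeps the cookie host-only) can be checked against a captured `Set-Cookie` header. This is an added example, not part of the original thread or ABP's code; the function names, the cookie name `auth` and the sample headers are constructed, and the public-suffix and IP-address checks that browsers also apply are left out.

```javascript
// Added example: RFC 6265 cookie scoping for a subdomain-per-tenant layout.
// Hosts and cookie values below are constructed for illustration.

// Parse one Set-Cookie header as received from `requestHost` into the
// fields that decide which hosts the browser will send the cookie back to.
function parseSetCookie(header, requestHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  let domain = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    if (key === 'domain' && eq !== -1) {
      // RFC 6265 5.2.3: ignore a leading dot, compare case-insensitively.
      domain = attr.slice(eq + 1).trim().replace(/^\./, '').toLowerCase();
    }
  }
  const host = requestHost.toLowerCase();
  if (!domain) return { name, domain: host, hostOnly: true };
  // RFC 6265 5.3 step 6: a Domain not covering the setting host is rejected.
  if (!domainMatch(host, domain)) return null;
  return { name, domain, hostOnly: false };
}

// RFC 6265 5.1.3 domain-match: identical, or `host` ends with "." + domain.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Would the browser attach `cookie` to a request for `host`?
function isSentTo(cookie, host) {
  const h = host.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

// List every host in `hosts` that would receive the cookie.
function exposure(header, requestHost, hosts) {
  const cookie = parseSetCookie(header, requestHost);
  return cookie ? hosts.filter(h => isSentTo(cookie, h)) : [];
}

const hosts = ['local.test', 't1.local.test', 't2.local.test'];
const shared = 'auth=constructed; Domain=.local.test; Path=/; Secure; HttpOnly';
const hostOnly = 'auth=constructed; Path=/; Secure; HttpOnly';
console.log(exposure(shared, 't1.local.test', hosts));   // all three hosts
console.log(exposure(hostOnly, 't1.local.test', hosts)); // only t1.local.test
```

Feeding it the `Set-Cookie` header your auth server returns for one tenant host shows which other tenant hosts would receive the same cookie.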
-
0
I tried setting Domain = null and setting the tenant prefix in RemoteServices and Authority; same problem.
-
0
hi
Try to remove this line
Also update App.razor:
```razor
@using System.Globalization
@using Microsoft.Extensions.Hosting
@using Volo.Abp.AspNetCore.Components.Server.LeptonXTheme.Bundling
@using Volo.Abp.AspNetCore.Components.Server.LeptonXTheme.Components
@using Volo.Abp.Localization
@using Volo.Abp.AspNetCore.Components.Web.Theming.Bundling
@using Volo.Abp.AspNetCore.Mvc.AntiForgery;
@inject IHostEnvironment Env
@{
    var rtl = CultureHelper.IsRtl ? "rtl" : string.Empty;
}

<!DOCTYPE html>
<html lang="@CultureInfo.CurrentCulture.Name" dir="@rtl">
<head>
    <meta charset="utf-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>DemoLogin</title>
    <base href="/" />

    <AbpStyles BundleName="@BlazorLeptonXThemeBundles.Styles.Global" WebAssemblyStyleFiles="GlobalStyles" @rendermode="InteractiveAuto" />

    <link href="DemoLogin.Blazor.styles.css" rel="stylesheet"/>
    <link href="DemoLogin.Blazor.Client.styles.css" rel="stylesheet"/>

    <HeadOutlet @rendermode="InteractiveAuto" />
    @* <HeadOutlet @rendermode="InteractiveServer" /> *@

    <AppearanceStyles/>
</head>
<body class="abp-application-layout @rtl">

    <Routes @rendermode="InteractiveAuto" />

    <div id="blazor-error-ui">
        @if (Env.IsDevelopment())
        {
            <text>An unhandled exception has occurred. See browser dev tools for details.</text>
        }
        else if (Env.IsStaging() || Env.IsProduction())
        {
            <text>An error has occurred. This application may no longer respond until reloaded.</text>
        }
        <a href="" class="reload">Reload</a>
        <a class="dismiss">🗙</a>
    </div>

    <AbpScripts BundleName="@BlazorLeptonXThemeBundles.Scripts.Global" WebAssemblyScriptFiles="GlobalScripts" @rendermode="InteractiveAuto" />
    <script src="_framework/blazor.web.js"></script>

</body>
</html>

@code{
    private List<string> GlobalStyles =>
    [
        "global.css"
    ];

    private List<string> GlobalScripts =>
    [
        "global.js"
    ];

    [Inject]
    private IAbpAntiForgeryManager AbpAntiForgeryManager { get; set; }

    protected override Task OnInitializedAsync()
    {
        AbpAntiForgeryManager.SetCookie();
        return Task.CompletedTask;
    }
}
```
-
0
Thanks! This seems to solve all issues, we will test more and give the final feedback tomorrow.
-
0
ok 👍
-
0
Everything working as expected. Thanks!
-
0
Great