
Error code 400 after deployment in aws and after login from blazor ui #9496


mgcode created

Hello,

I have deployed my abp.io microservice solution with Blazor Server UI in AWS. When I click the login button from the UI, I am redirected to auth and I complete the authorization process, but when I am redirected back to the UI, I get the error https://app.dreamlist.gr/Error?httpStatusCode=400. If I go to https://auth.dreamlist.gr and log in from there, then I have access to all the services through the Swagger UI, but I cannot log in from the UI, as after authentication I go to https://app.dreamlist.gr/Error?httpStatusCode=400

  • My app is at https://app.dreamlist.gr
  • Auth Server: https://auth.dreamlist.gr
  • Web gateway: https://webgateway.dreamlist.gr

Please use the default abp.io admin account credentials to reproduce the problem. admin 1q2w3E*

Abp Studio Solution Configuration

  • Template: microservice
  • Created ABP Studio Version: 0.9.26
  • Current ABP Studio Version: 1.0.1
  • Multi-Tenancy: Yes
  • UI Framework: blazor-server
  • Theme: leptonx
  • Theme Style: light
  • Theme Menu Placement: side
  • Run Install Libs: Yes
  • Database Provider: ef
  • Database Management System: sqlserver
  • Mobile Framework: maui
  • Public Website: No
  • Social Login: Yes
  • Include Tests: Yes
  • Dynamic Localization: Yes
  • Kubernetes Configuration: Yes
  • Grafana Dashboard: Yes
  • Use Local References: No
  • Optional Modules:
    • GDPR
    • FileManagement
    • TextTemplateManagement
    • AuditLogging
    • Chat
    • OpenIddictAdmin
  • Create Command: abp new YsdPlatform -t microservice --ui-framework blazor-server --mobile maui --database-provider ef --database-management-system sqlserver --theme leptonx --skip-migrator --without-cms-kit --dont-run-bundling -no-language-management -chat

[OpenIddictApplications] ClientId = 'BlazorServer' ["https://app.dreamlist.gr/signout-callback-oidc"] ["https://app.dreamlist.gr/signin-oidc"]

Blazor Server app.settings

    {
      "App": {
        "Name": "YSD Logic",
        "SelfUrl": "https://app.dreamlist.gr",
        "EnablePII": false,
        "HealthCheckUrl": "/health-status",
        "BasePath": ""
      },
      "AuthServer": {
        "Authority": "https://auth.dreamlist.gr",
        "RequireHttpsMetadata": true,
        "ClientId": "BlazorServer",
        "ClientSecret": "1q2w3e*",
        "IsOnK8s": "false",
        "MetaAddress": "https://auth.dreamlist.gr"
      },
      "Logging": {
        "LogLevel": {
          "Default": "Information",
          "Microsoft": "Warning",
          "Microsoft.Hosting.Lifetime": "Information"
        }
      },
      "AllowedHosts": "*",
      "RemoteServices": {
        "Default": { "BaseUrl": "https://webgateway.dreamlist.gr" },
        "CrmService": { "BaseUrl": "https://crm.dreamlist.gr" },
        "FileManagementService": { "BaseUrl": "https://file.dreamlist.gr" }
      },
      ...
    }

  • Exception message and full stack trace:
  • Steps to reproduce the issue:

3 Answer(s)
  • AI-Bot created
    Support Team ABP Agent

    When you encounter an HTTP 400 error after authentication in an ABP microservice solution (Blazor Server UI) deployed on AWS, the most common causes are related to misconfiguration of redirect URIs, cookie settings, or OpenIddict client registration.

    Here are the steps to resolve this issue:

    1. Check Redirect URIs in OpenIddict Application Registration

      • Ensure that the RedirectUri and PostLogoutRedirectUri for your BlazorServer client in the OpenIddict application registration exactly match the URLs used by your Blazor Server app:
        • https://app.dreamlist.gr/signin-oidc
        • https://app.dreamlist.gr/signout-callback-oidc
      • These must be set both in your OpenIddict data seed and in the AuthServer's database.
    2. Verify AppSettings Configuration

      • In your Blazor Server app's appsettings.json, confirm:
        "AuthServer": {
          "Authority": "https://auth.dreamlist.gr",
          "RequireHttpsMetadata": true,
          "ClientId": "BlazorServer",
          "ClientSecret": "1q2w3e*"
        },
        "App": {
          "SelfUrl": "https://app.dreamlist.gr"
        }
        
      • The SelfUrl must match the actual public URL of your Blazor Server app.
    3. Check Cookie and SameSite Settings

      • In cloud environments, especially with multiple subdomains, you must ensure cookies are set with the correct domain and SameSite policy. In your Blazor Server app, configure cookies as follows:
        Configure<CookiePolicyOptions>(options =>
        {
            options.MinimumSameSitePolicy = SameSiteMode.Lax;
        });
        
      • If you are using multiple subdomains, set the cookie domain explicitly:
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.Domain = ".dreamlist.gr";
            options.Cookie.SameSite = SameSiteMode.Lax;
        });
        
    4. Check for Valid Redirect URI in AuthServer Logs

      • A 400 error after login often means the redirect URI sent by the client does not match any registered URI in the AuthServer. Check the AuthServer logs for errors related to invalid or unregistered redirect URIs.
    5. Check for Proxy or Load Balancer Headers

      • If you are behind a load balancer or reverse proxy (common in AWS), ensure forwarded headers are configured so the app knows the correct external URL:
        app.UseForwardedHeaders(new ForwardedHeadersOptions
        {
            ForwardedHeaders = ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto
        });
        
      • Also, set ASPNETCORE_FORWARDEDHEADERS_ENABLED=true in your environment variables.
    6. Clear Browser Cookies and Test Again

      • Old or invalid cookies can cause 400 errors. Clear cookies for your domain and try again.
    7. Check for HTTPS Everywhere

      • All URLs (app, auth, gateway) must use HTTPS. Mixed content or HTTP redirects can cause authentication failures.

    If you follow these steps and ensure all URLs and settings are consistent, the 400 error after login should be resolved.

    No verified source available for this specific query.


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • mgcode created

    I have checked all the possible problems above and I can't fix it. When I click on the login option from the Blazor UI, I noticed that the redirect URL is in http and it is forwarded to https.

    Also the openid config json file is

        {
          "issuer": "https://auth.dreamlist.gr/",
          "authorization_endpoint": "http://auth.dreamlist.gr/connect/authorize",
          "token_endpoint": "http://auth.dreamlist.gr/connect/token",
          "introspection_endpoint": "http://auth.dreamlist.gr/connect/introspect",
          "end_session_endpoint": "http://auth.dreamlist.gr/connect/endsession",
          "revocation_endpoint": "http://auth.dreamlist.gr/connect/revocat",
          "userinfo_endpoint": "http://auth.dreamlist.gr/connect/userinfo",
          "device_authorization_endpoint": "http://auth.dreamlist.gr/device",
          "jwks_uri": "http://auth.dreamlist.gr/.well-known/jwks",
          "grant_types_supported": [ "authorization_code", "implicit", "password", "client_credentials", "refresh_token", "urn:ietf:params:oauth:grant-type:device_code", "LinkLogin", "Impersonation" ],
          "response_types_supported": [ "code", "code id_token", "code id_token token", "code token", "id_token", "id_token token", "token", "none" ],
          "response_modes_supported": [ "query", "form_post", "fragment" ],
          "scopes_supported": [ "openid", "offline_access", "email", "profile", "phone", "roles", "address", "AuthServer", "IdentityService", "AdministrationService", "CrmService", "SaasService", "AuditLoggingService", "GdprService", "FileManagementService", "LanguageService", "ChatService" ],
          "claims_supported": [ "aud", "exp", "iat", "iss", "sub" ],
          "id_token_signing_alg_values_supported": [ "RS256" ],
          "code_challenge_methods_supported": [ "plain", "S256" ],
          "subject_types_supported": [ "public" ],
          "prompt_values_supported": [ "consent", "login", "none", "select_account" ],
          "token_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
          "introspection_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
          "revocation_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
          "device_authorization_endpoint_auth_methods_supported": [ "client_secret_post", "private_key_jwt", "client_secret_basic" ],
          "claims_parameter_supported": false,
          "request_parameter_supported": false,
          "request_uri_parameter_supported": false,
          "tls_client_certificate_bound_access_tokens": false,
          "authorization_response_iss_parameter_supported": true
        }

    I have checked all the appsettings and everything is in https. I've searched for the problem and it seems like everything is set up correctly on https. I don't know what else to look for to find what's wrong.

  • mgcode created

    Hello,

    I managed to solve the problem by adding this code to auth server to run in https.

            if (!env.IsDevelopment())
            {
                app.Use((ctx, next) =>
                {
                    /* This application should act like it is always called as HTTPS.
                     * Because it will work in a HTTPS url in production,
                     * but the HTTPS is stripped out in Ingress controller.
                     */
                    ctx.Request.Scheme = "https";
                    return next();
                });
            }
    

    Also, I changed the health checks code in all services and apps to this.

    settings.AddHealthCheckEndpoint("AuthServer Health Status", $"http://{Dns.GetHostName()}{healthCheckUrl}");
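
The following is an added example, not part of the original thread or of ABP's code: a small Python check that parses an OpenID discovery document and reports every endpoint that is not on the issuer's HTTPS origin, which is the mismatch visible in the document posted above (https issuer, http endpoints). The sample document is a constructed, trimmed copy of that one, and `audit_discovery` is a hypothetical helper name.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: trimmed copy of the discovery document quoted in the thread.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://auth.dreamlist.gr/",
    "authorization_endpoint": "http://auth.dreamlist.gr/connect/authorize",
    "token_endpoint": "http://auth.dreamlist.gr/connect/token",
    "jwks_uri": "http://auth.dreamlist.gr/.well-known/jwks",
    "grant_types_supported": ["authorization_code"],
})


def _origin(url):
    """Split a URL into (scheme, lowercase host, effective port)."""
    parts = urlsplit(url)
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    return parts.scheme, (parts.hostname or "").lower(), port


def audit_discovery(document_text):
    """Return (key, url, reason) for each endpoint not on the issuer's HTTPS origin."""
    doc = json.loads(document_text)
    issuer = doc.get("issuer", "")
    i_scheme, i_host, i_port = _origin(issuer)
    findings = []
    if i_scheme != "https":
        findings.append(("issuer", issuer, "issuer is not https"))
    for key, value in doc.items():
        # Only the URLs a client will actually call: *_endpoint and jwks_uri.
        if not isinstance(value, str):
            continue
        if not (key.endswith("_endpoint") or key == "jwks_uri"):
            continue
        scheme, host, port = _origin(value)
        if scheme != "https":
            findings.append((key, value, "scheme is %s, expected https" % (scheme or "missing")))
        elif (host, port) != (i_host, i_port):
            findings.append((key, value, "host or port differs from issuer"))
    return findings


if __name__ == "__main__":
    for key, url, reason in audit_discovery(SAMPLE_DISCOVERY):
        print("%-28s %s  (%s)" % (key, url, reason))
```

Running it against the live `/.well-known/openid-configuration` response after a deployment shows whether the auth server behind the ingress still sees requests as plain HTTP.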

Made with ❤️ on ABP v10.0.0-preview. Updated on July 11, 2025, 11:35