Login loop after upgrading to 9.2.3 #9684

12 Answer(s)

• 

  0

  AI-Bot created one month ago

  Support Team ABP Agent

  • After upgrading both the front-end and back-end to ABP 9.2.3, a login redirect loop typically indicates a misconfiguration or incompatibility in authentication, especially in tiered or separated Auth Server setups.

  To resolve this issue, follow these steps:

  1. Check Migration Guide
     Review and apply all steps in the official ABP 9.2 migration guide, as there are breaking changes that may affect authentication and token handling:

     • ABP Version 9.2 Migration Guide

  2. Certificate Synchronization
     If you are using OpenIddict, ensure that the openiddict.pfx certificate and its passphrase are identical and present in both the AuthServer and the API Host. A mismatch or missing certificate can cause token validation failures, resulting in redirect loops.

  3. Check for SecurityTokenSignatureKeyNotFoundException
     In similar cases, a SecurityTokenSignatureKeyNotFoundException (IDX10503) due to a kid mismatch between AuthServer and backend was the root cause. Regenerate and synchronize the certificate if needed.

  4. Update All Packages
     Make sure all ABP NuGet and NPM packages are updated to 9.2.3 in both backend and frontend projects. Mixed versions can cause authentication issues.

  5. Clear Browser Cache and Cookies
     After upgrade, old cookies or tokens may cause issues. Clear them before testing.

  6. Check Application Configuration

     • Ensure the Authority, ClientId, and Scopes in your Angular environment and backend match the AuthServer configuration.
     • Verify that the allowed scopes and grant types are correctly set for your client in the OpenIddict data seed.

  7. Review Deployment Environment
     If running behind IIS or a reverse proxy, ensure forwarded headers are configured correctly. See:

     • Microsoft Docs: Forwarded Headers Middleware

  8. Check for Errors in Browser Console and Network Tab
     Look for failed requests or error messages during the login process, especially to /connect/authorize, /connect/token, or /api/abp/application-configuration.

  If you have recently cloned or deployed the project, ensure the openiddict.pfx file is not missing (it is git-ignored by default and must be copied manually).

  If the above steps do not resolve the issue, consult the following resolved support ticket for a similar scenario:

  • ABP Support: Infinite Redirect Loop due to Certificate Mismatch

  Sources:

  • ABP Version 9.2 Migration Guide
  • ABP Support: Infinite Redirect Loop due to Certificate Mismatch
  • Getting Started with ABP

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  pablo@ccalp.net created one month ago

  I've looked at all that the AI is suggesting already, I still need help with this issue ASAP

  Save Cancel
• 

  0

  maliming created one month ago

  Support Team Fullstack Developer

  hi

  What is your UI type?

  Can you share a GIF to show the problem?

  Can you share the logs.txt file?

  https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

  liming.ma@volosoft.com

  Thanks

  Save Cancel
• 

  0

  pablo@ccalp.net created one month ago

  Sorry for the late response,

  This is an Angular UI.

  I think that the issue is that I had a guard in the default (empty) route, which was working fine in 8.3, but now it is causing login loops. I assume it is a timing issue.

  I implemented a solution to perform auto login and I think it's more robust now.

  In any case, it would be good if you can confirm that adding the "authGuard" to the Home route will cause that behaviour, and why was it working before without any issues.

  { path: '', pathMatch: 'full', title: 'Home', loadChildren: () => import('./home/home.module').then(m => m.HomeModule), canActivate: [authGuard], <--- This is removed now },

  Save Cancel
• 

  0

  maliming created one month ago

  Support Team Fullstack Developer

  hi

  See https://github.com/abpframework/abp/issues/23286#issuecomment-3117644521

  Thanks.

  Save Cancel
• 

  0

  pablo@ccalp.net created one month ago

  Yeah, I saw that alread, got the guard code from the branch and tested it, didn't work.

  Save Cancel
• 

  0

  maliming created one month ago

  Support Team Fullstack Developer

  hi

  I will ask our angular team.

  Thanks.

  Save Cancel
• 

  0

  fahrigedik created one month ago

  Support Team Angular Expert

  [pablo@ccalp.net] said: Yeah, I saw that alread, got the guard code from the branch and tested it, didn't work.

  Hi Pablo,

  Thanks for the details you've shared so far.

  Could you please share the example where you tested the asyncAuthGuard?
  This guard was specifically designed to help prevent the login redirect loop issue, especially after upgrading to v9.2.x.

  We’d like to review your usage and see if anything might be missing or misaligned with the intended pattern.

  A minimal example (GitHub repo or zip) would be very helpful.

  Thanks,
  Angular Team @ Volosoft

  Save Cancel

  2 1
• 

  0

  pablo@ccalp.net created one month ago

  With the current workload and complexity of the application, I don't think a sample is feasible. I will try to provide a video of the issue. I cannot replicate it locally; it only happens when it is deployed to our Azure environment and we access the application using a subdomain for the tenant. If we log in as the host and impersonate, we don't see the issue.

  Save Cancel
• 

  0

  maliming created one month ago

  Support Team Fullstack Developer

  hi

  it only happens when it is deployed to our Azure environment and we access the application using a subdomain for the tenant.

  Can you share a website URL, so that we can reproduce it online?

  Thanks.

  Save Cancel
• 

  0

  mharnos created one month ago

  Hi,

  we had a similar issue, where if the returnUrl points to a guarded route (the default points to / / rootUrl and is not configurable) then the authGuard code would run in parallel to the angular-oauth2-oidc authentication code resulting in a loop if the authGuard was faster than the authentication code: https://github.com/manfredsteyer/angular-oauth2-oidc/issues/861

  Our solution was to create an additional route in angular oauth/code that has no authGuard and just displays a placeholder with the empty layout (no menus) eLayoutType.empty, and the angular-oauth2-oidc code handles the redirect to the redirectUrl (not returnUrl) when it is finished with authentication. The redirectUrl can be authGuarded as you would expect.

  We had to update the oAuthConfig in our environment.ts files (redirectUri: baseUrl + '/oauth/code') and extend the OpenIddictDataSeedContributor where the redirectUri in CreateApplicationAsync is always set to be the rootUrl, i.e. redirectUris: new List<string> { consoleAndAngularClientRootUrl } needs to be changed to include /oauth/code as well.

  That resolved our issue, but it would've made it significantly easier to configure, if the "OpenIddict:Applications" config would include the RedirectUris and PostLogoutRedirectUris options instead of assuming they're RootUrl or point to a ABP configured, non-AuthGuard-ed route per default.

  Hope this helps, Marc

  Save Cancel

  1
• 

  0

  maliming created one month ago

  Support Team Fullstack Developer

  Thanks mharnos 👍

  Save Cancel