I'm getting a login redirect loop after upgrading the front-end to 9.2.3. The backend is 9.2.3; when rolling back to 8.3.0, it works fine.
12 Answer(s)
-
0
After upgrading both the front-end and back-end to ABP 9.2.3, a login redirect loop typically indicates a misconfiguration or incompatibility in authentication, especially in tiered or separated Auth Server setups.
To resolve this issue, follow these steps:
- Check Migration Guide: Review and apply all steps in the official ABP 9.2 migration guide, as there are breaking changes that may affect authentication and token handling:
- Certificate Synchronization: If you are using OpenIddict, ensure that the `openiddict.pfx` certificate and its passphrase are identical and present in both the AuthServer and the API Host. A mismatch or missing certificate can cause token validation failures, resulting in redirect loops.
- Check for SecurityTokenSignatureKeyNotFoundException: In similar cases, a `SecurityTokenSignatureKeyNotFoundException` (IDX10503) due to a `kid` mismatch between AuthServer and backend was the root cause. Regenerate and synchronize the certificate if needed.
- Update All Packages: Make sure all ABP NuGet and NPM packages are updated to 9.2.3 in both backend and frontend projects. Mixed versions can cause authentication issues.
- Clear Browser Cache and Cookies: After upgrade, old cookies or tokens may cause issues. Clear them before testing.
- Check Application Configuration:
  - Ensure the `Authority`, `ClientId`, and `Scopes` in your Angular environment and backend match the AuthServer configuration.
  - Verify that the allowed scopes and grant types are correctly set for your client in the OpenIddict data seed.
- Review Deployment Environment: If running behind IIS or a reverse proxy, ensure forwarded headers are configured correctly. See:
- Check for Errors in Browser Console and Network Tab: Look for failed requests or error messages during the login process, especially to `/connect/authorize`, `/connect/token`, or `/api/abp/application-configuration`.
If you have recently cloned or deployed the project, ensure the `openiddict.pfx` file is not missing (it is git-ignored by default and must be copied manually).
If the above steps do not resolve the issue, consult the following resolved support ticket for a similar scenario:
Sources:
- ABP Version 9.2 Migration Guide
- ABP Support: Infinite Redirect Loop due to Certificate Mismatch
- Getting Started with ABP
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
I've looked at all that the AI is suggesting already. I still need help with this issue ASAP.
-
0
hi
What is your UI type?
Can you share a GIF to show the problem?
Can you share the logs.txt file?
https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
liming.ma@volosoft.com
Thanks
-
0
Sorry for the late response,
This is an Angular UI.
I think that the issue is that I had a guard in the default (empty) route, which was working fine in 8.3, but now it is causing login loops. I assume it is a timing issue.
I implemented a solution to perform auto login and I think it's more robust now.
In any case, it would be good if you can confirm that adding the "authGuard" to the Home route will cause that behaviour, and why was it working before without any issues.
```typescript
{
  path: '',
  pathMatch: 'full',
  title: 'Home',
  loadChildren: () => import('./home/home.module').then(m => m.HomeModule),
  canActivate: [authGuard], // <--- This is removed now
},
```
-
0
hi
See https://github.com/abpframework/abp/issues/23286#issuecomment-3117644521
Thanks.
-
0
Yeah, I saw that already, got the guard code from the branch and tested it, didn't work.
-
0
hi
I will ask our angular team.
Thanks.
-
0
[pablo@ccalp.net] said: Yeah, I saw that already, got the guard code from the branch and tested it, didn't work.
Hi Pablo,
Thanks for the details you've shared so far.
Could you please share the example where you tested the `asyncAuthGuard`?
This guard was specifically designed to help prevent the login redirect loop issue, especially after upgrading to v9.2.x. We’d like to review your usage and see if anything might be missing or misaligned with the intended pattern.
A minimal example (GitHub repo or zip) would be very helpful.
Thanks,
Angular Team @ Volosoft
-
0
With the current workload and complexity of the application, I don't think a sample is feasible. I will try to provide a video of the issue. I cannot replicate it locally; it only happens when it is deployed to our Azure environment and we access the application using a subdomain for the tenant. If we log in as the host and impersonate, we don't see the issue.
-
0
hi
it only happens when it is deployed to our Azure environment and we access the application using a subdomain for the tenant.
Can you share a website URL, so that we can reproduce it online?
Thanks.
-
0
Hi,
we had a similar issue, where if the `returnUrl` points to a guarded route (the default points to `/` / `rootUrl` and is not configurable) then the authGuard code would run in parallel to the `angular-oauth2-oidc` authentication code resulting in a loop if the authGuard was faster than the authentication code: https://github.com/manfredsteyer/angular-oauth2-oidc/issues/861
Our solution was to create an additional route in angular `oauth/code` that has no authGuard and just displays a placeholder with the empty layout (no menus) `eLayoutType.empty`, and the `angular-oauth2-oidc` code handles the redirect to the `redirectUrl` (not `returnUrl`) when it is finished with authentication. The `redirectUrl` can be authGuarded as you would expect.
We had to update the `oAuthConfig` in our `environment.ts` files (`redirectUri: baseUrl + '/oauth/code'`) and extend the `OpenIddictDataSeedContributor` where the `redirectUri` in `CreateApplicationAsync` is always set to be the `rootUrl`, i.e. `redirectUris: new List<string> { consoleAndAngularClientRootUrl }` needs to be changed to include `/oauth/code` as well.
That resolved our issue, but it would've made it significantly easier to configure, if the `"OpenIddict:Applications"` config would include the `RedirectUris` and `PostLogoutRedirectUris` options instead of assuming they're `RootUrl` or point to an ABP configured, non-AuthGuard-ed route per default.
Hope this helps, Marc
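
The check below is an added example, not code from the post above or from ABP: it flags an OAuth `redirectUri` that lands on a route carrying a `canActivate` guard, the condition the post describes as producing the loop. `RouteLike`, `OAuthConfigLike`, `matchRoute`, `checkCallbackRoute` and the sample host are assumptions, and the matching is a simplified model of Angular's top-level route matching.

```typescript
// Added example: minimal stand-ins for Angular's Route and the oAuthConfig block.
interface RouteLike { path: string; pathMatch?: 'full' | 'prefix'; canActivate?: unknown[]; }
interface OAuthConfigLike { redirectUri: string; }

function segments(p: string): string[] {
  return p.split('/').filter(s => s.length > 0);
}

// Simplified model of top-level matching: the first route that matches wins.
function matchRoute(routes: RouteLike[], pathname: string): RouteLike | undefined {
  const segs = segments(pathname);
  for (const r of routes) {
    if (r.path === '**') return r;
    const want = segments(r.path);
    if (want.length > segs.length) continue;
    if (r.pathMatch === 'full' && want.length !== segs.length) continue;
    if (want.every((w, i) => w.charAt(0) === ':' || w === segs[i])) return r;
  }
  return undefined;
}

// Returns a finding when the OAuth callback lands on a guarded route, null when it is safe.
function checkCallbackRoute(routes: RouteLike[], cfg: OAuthConfigLike): string | null {
  const pathname = new URL(cfg.redirectUri).pathname;
  const hit = matchRoute(routes, pathname);
  if (!hit) return `redirectUri path ${pathname} matches no route`;
  if (hit.canActivate && hit.canActivate.length > 0) {
    return `redirectUri path ${pathname} hits guarded route '${hit.path}'`;
  }
  return null;
}

// Constructed sample data (hypothetical host, not from the thread's applications).
const baseUrl = 'https://tenant1.example.test';
const authGuard = 'authGuard'; // placeholder for the real guard function

const before: RouteLike[] = [
  { path: '', pathMatch: 'full', canActivate: [authGuard] }, // callback lands here
  { path: 'account' },
];
const after: RouteLike[] = [
  { path: '', pathMatch: 'full', canActivate: [authGuard] },
  { path: 'oauth/code' }, // unguarded placeholder page with the empty layout
  { path: 'account' },
];

console.log(checkCallbackRoute(before, { redirectUri: baseUrl }));
console.log(checkCallbackRoute(after, { redirectUri: baseUrl + '/oauth/code' }));
```

The same path also has to be present in the client's registered redirect URIs on the AuthServer, as the post notes for `OpenIddictDataSeedContributor`.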
-
0
Thanks mharnos 👍