Hello; I have opened multiple MVC+Postgresql+Tiered projects. Their tasks are:
- Auth Server (A)
- Lab Management (L)
- n+
I want all applications to use the Auth Server for authentication and authorization. I filled in the AuthServer section in appsettings.json in the projects (web and host). I added the relevant project names to the AuthServer openiddict tables. I even disabled DynamicClaims. However, the clients' web applications cannot obtain permissions from the AuthServer.
Is there an article, video, or sample client/server project that explains this topic from the beginning?
15 Answer(s)
-
0
To configure multiple ABP MVC applications to use a single AuthServer for authentication and authorization in a tiered setup, follow these steps:
- Ensure each client application's appsettings.json (both Web and HttpApi.Host) has the correct AuthServer section pointing to your AuthServer's URL:
"AuthServer": { "Authority": "https://your-auth-server-url", "RequireHttpsMetadata": "true", "ClientId": "YourClientAppName", "ClientSecret": "YourClientSecret" }
- In your AuthServer, register each client application in the OpenIddict Applications table. Each client should have:
  - A unique ClientId (matching the ClientId in the client appsettings).
  - The correct redirect URIs for MVC (e.g., https://your-client-app/signin-oidc).
  - The required permissions and scopes.
- In each client application's Startup or module configuration, ensure authentication is set up to use OpenId Connect and points to the AuthServer. Make sure the client applications reference the AuthServer's authority and use the correct scopes (e.g., openid, profile, email, and any custom API scopes).
- If permissions are not being loaded, ensure:
- The client app references the Application.Contracts of the modules that define permissions.
- The permission providers are registered in the client app's module.
- The AuthServer is running and accessible from the client apps.
For troubleshooting:
- Check network connectivity between client apps and AuthServer.
- Review logs for authentication/authorization errors.
- Ensure clock synchronization between servers.
For a full example and step-by-step guide, see the official ABP documentation on tiered application setup:
Sources
This approach aligns with common ABP conventions for centralized authentication and authorization in a tiered architecture.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
I checked that permissions exist on both the client and the auth server. However, even if I grant permission for a role assigned to a user on the auth server, the relevant menu does not appear on the client side of the web.
-
0
hi
Can your web app get the access token from the auth server?
Login(web app) => redirect to authserver => login by username and password => redirect to your web app
Thanks.
-
0
Yes it works
-
0
Can you share an access token?
What is the output if you use the access token to request the profile endpoint? GET /api/account/my-profile
-
0
Admin User Access Token (This token is taken from LabManagement)
(Main - Auth Server) https://localhost:44388/api/account/my-profile
Response : 401 Unauthorized
(LabManagement) https://localhost:44365/api/account/my-profile
Response : 400 Not Found { "error": { "code": null, "message": "There is no entity IdentityUser with id = 3a1b38dd-8dea-757a-4d61-50c453e822fd!", "details": null, "data": null, "validationErrors": null } }
Admin User Access Token (This token is taken from Main Api)
(Main - Auth Server) https://localhost:44388/api/account/my-profile
Response : 200 { "userName": "admin", "email": "admin@abp.io", "emailConfirmed": false, "name": "admin", "surname": null, "phoneNumber": null, "phoneNumberConfirmed": false, "isExternal": false, "hasPassword": true, "supportsMultipleTimezone": false, "timezone": "Unspecified", "concurrencyStamp": "3b39179b58a249ea923a934e917dee09", "extraProperties": {} }
(LabManagement) https://localhost:44365/api/account/my-profile
Response : 401 Unauthorized
-
0
hi
All projects should get a token from the Auth Server, and the token will be validated by the Auth Server website.
Will all your projects use the same identity users database?
Thanks.
-
0
Yes, that's exactly what I wanted to do. All projects will get tokens from the Main(Auth) server, all users will be in this server's database, and this server will also have roles and permissions. Other applications will work by getting identity management and permissions from a single place.
In the projects I set up, I entered the authserver information in appsettings as the Main(Auth) application's information. Login and Redirect work fine on the web. I also added the Permission information for other projects to the Main application. I even wrote the information for other projects in the application section. I also made the additions to the Scopes section.
-
0
hi
Can you share two simple projects to reproduce the 401 error?
liming.ma@volosoft.com
Thanks.
-
0
I sent three projects.
Thanks
-
0
hi
I have downloaded your projects. can you also share the steps?
Thanks.
-
0
Hello,
The main project is the Auth server. Donor and Lab are client projects. If you log in with the Administrator (admin role), you can see the TestSample menu button on the web side of the Lab project. You can create a new role as a user. Then, you can grant permission for the TestSample menu in the Main project. After that, if you log in to the Lab project with a user belonging to this role, the TestSample button that you granted permission for in the Main project should appear, but it does not.
Thanks.
-
0
hi
You can create a new role as a user. Then, you can grant permission for the TestSample menu in the Main project. After that, if you log in to the Lab project with a user belonging to this role, the TestSample button that you granted permission for in the Main project should appear, but it does not.
Your web app (SCS.LabManagement.Web) will get an access token from the authserver (SCS.Main.Web) and then use this access token to request the API (SCS.LabManagement.HttpApi.Host). The API will return the granted permissions of the current user to your web app based on the access token you provide.
BUT, the current user is from the authserver, which doesn't exist in your API app database.
The API database doesn't have your custom role, user and the permissions.
All of your apps should use the same database.
Thanks.
-
0
Hello. Each application needs to operate with its own separate database. In this case, how can I handle both authentication and authorization through a single auth server? How do you handle this in microservice architectures? What is your recommendation?
-
0
hi
Your application can use its own database. But the Identity module should use the Authserver's database.
In the ABP microservices template, a single service can have a separate data table, but it will use a common database, e.g. User, Setting, Permissions.
See:
https://abp.io/docs/latest/framework/fundamentals/connection-strings
https://abp.io/community/articles/multitenancy-with-separate-databases-in-dotnet-and-abp-51nvl4u9#gsc.tab=0
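As an added illustration of that advice (example config, not from the thread or the ABP templates): a client API's appsettings.json keeps its own Default connection string for its business tables while the Identity, permission-management and setting-management modules are pointed at the Auth Server's database, so the permission check the API performs (the one that earlier failed with "There is no entity IdentityUser") runs against the same users, roles and grants the Auth Server manages. The connection string names AbpIdentity, AbpPermissionManagement and AbpSettingManagement are ABP's module connection string names as described in the linked connection-strings document; the database names, the port and the password are constructed placeholders, and the // comments rely on .NET's JSON configuration reader accepting them.

```json
{
  "ConnectionStrings": {
    // The client's own business data (e.g. the Lab tables) stays in its own database.
    // Database names and credentials here are placeholders, not values from the thread.
    "Default": "Host=localhost;Port=5432;Database=SCS_LabManagement;User ID=postgres;Password=<placeholder>;",

    // ABP resolves a module's connection string by its module name before falling
    // back to Default. With only Default set, the Identity queries run against the
    // Lab database, which has no copy of the Auth Server's users or permission grants.
    // Pointing these three modules at the Auth Server's database makes the Lab API
    // see the role and the TestSample permission granted on the Main project.
    "AbpIdentity": "Host=localhost;Port=5432;Database=SCS_Main;User ID=postgres;Password=<placeholder>;",
    "AbpPermissionManagement": "Host=localhost;Port=5432;Database=SCS_Main;User ID=postgres;Password=<placeholder>;",
    "AbpSettingManagement": "Host=localhost;Port=5432;Database=SCS_Main;User ID=postgres;Password=<placeholder>;"
  },
  "AuthServer": {
    // Unchanged from the thread: tokens are issued and validated against the Auth Server.
    "Authority": "https://localhost:44388",
    "RequireHttpsMetadata": "true"
  }
}
```

Apply the same module connection strings to the client's Web project as well, and do not let the client's own migrator create or migrate the Identity and permission tables in the shared Auth Server database; those tables belong to the Main project's migrations.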