
Configuration of authentication and authorization server and client projects #9822


user5.abpio created

Hello; I have opened multiple MVC+Postgresql+Tiered projects. Their tasks are:

  1. Auth Server (A)
  2. Lab Management (L)
  3. n+

I want all applications to use the Auth Server for authentication and authorization. I filled in the AuthServer section in appsettings.json in the projects (web and host). I added the relevant project names to the AuthServer openiddict tables. I even disabled DynamicClaims. However, the clients' web applications cannot obtain permissions from the AuthServer.

Is there an article, video, or sample client/server project that explains this topic from the beginning?


15 Answer(s)
  • AI-Bot created (Support Team ABP Agent)

    To configure multiple ABP MVC applications to use a single AuthServer for authentication and authorization in a tiered setup, follow these steps:

    1. Ensure each client application's appsettings.json (both Web and HttpApi.Host) has the correct AuthServer section pointing to your AuthServer's URL:

       "AuthServer": {
         "Authority": "https://your-auth-server-url",
         "RequireHttpsMetadata": "true",
         "ClientId": "YourClientAppName",
         "ClientSecret": "YourClientSecret"
       }

    2. In your AuthServer, register each client application in the OpenIddict Applications table. Each client should have:

       • A unique ClientId (matching the ClientId in the client appsettings).
       • The correct redirect URIs for MVC (e.g., https://your-client-app/signin-oidc).
       • The required permissions and scopes.

    3. In each client application's Startup or module configuration, ensure authentication is set up to use OpenId Connect and points to the AuthServer.

    4. Make sure the client applications reference the AuthServer's authority and use the correct scopes (e.g., openid, profile, email, and any custom API scopes).

    5. If permissions are not being loaded, ensure:

       • The client app references the Application.Contracts of the modules that define permissions.
       • The permission providers are registered in the client app's module.
       • The AuthServer is running and accessible from the client apps.

    6. For troubleshooting:

       • Check network connectivity between client apps and AuthServer.
       • Review logs for authentication/authorization errors.
       • Ensure clock synchronization between servers.

    For a full example and step-by-step guide, see the official ABP documentation on tiered application setup:

    This approach aligns with common ABP conventions for centralized authentication and authorization in a tiered architecture.


    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • user5.abpio created

    I checked that permissions exist on both the client and the auth server. However, even if I grant permission for a role assigned to a user on the auth server, the relevant menu does not appear on the client side of the web.

  • maliming created (Support Team Fullstack Developer)

    hi

    Can your web app get the access token from the auth server?

    Login(web app) => redirect to authserver => login by username and password => redirect to your web app

    Thanks.

  • user5.abpio created

    Yes, it works.

  • maliming created (Support Team Fullstack Developer)

    Can you share an access token?

    What is the output if you use the access token to request the profile endpoint?

    GET /api/account/my-profile

  • user5.abpio created

    Admin User Access Token (This token is taken from LabManagement)

    eyJhbGciOiJSUzI1NiIsImtpZCI6IjdGRUQzRDEzOUM4MzQwRkYxNjM1QjlBNDQ1MzA3OUEyMTBGMTU0NjQiLCJ4NXQiOiJmLTA5RTV5RFFQOFdOYm1rUlRCNW9oRHhWR1EiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDM4OC8iLCJleHAiOjE3NTYzNjM5OTQsImlhdCI6MTc1NjM2MDM5NCwiYXVkIjoiTGFiTWFuYWdlbWVudCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgcm9sZXMgZW1haWwgcGhvbmUgTGFiTWFuYWdlbWVudCIsImp0aSI6IjExYmY1NDM5LWYyMGUtNGI3OC04YzFhLTkwYWFjYjY3ZTJhYiIsInN1YiI6IjNhMWIzOGRkLThkZWEtNzU3YS00ZDYxLTUwYzQ1M2U4MjJmZCIsInNlc3Npb25faWQiOiIxZWE0ZTc5Yy1hZTY3LTRjYjMtOThhZS05ZGZkMDkzYTZhZGYiLCJ1bmlxdWVfbmFtZSI6ImFkbWluIiwib2lfcHJzdCI6IkxhYk1hbmFnZW1lbnRfV2ViIiwib2lfYXVfaWQiOiIzYTFiMzlhZC1jM2U1LTNkNmMtOWMzZS02ZDcxNWU3MDljYTEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImdpdmVuX25hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AYWJwLmlvIiwiZW1haWxfdmVyaWZpZWQiOiJGYWxzZSIsInBob25lX251bWJlcl92ZXJpZmllZCI6IkZhbHNlIiwiY2xpZW50X2lkIjoiTGFiTWFuYWdlbWVudF9XZWIiLCJvaV90a25faWQiOiIzYTFjMDE2OS05ZWEwLTkwMDgtNzIzMC00N2U5M2JjOTk5MGYifQ.sZhVQw9wTYr_jvVouR5cg9lkpkJ_ydkdPdhPqdT2x4LlE_z5zF3N-YcMlUOSCOT8S26hnmjFm9C6ffUu_s_GmG9CvFDtK513_VihJuRvAVFeLhvrm6l8dcotBXV28QLpOPXea8nCMm7VP94wHr0qQvDfJBzIijo3MrruZDipcRpuwus-LSbmqgeOs_mt_v9R40xoPSB6cmvj4SXX0BFJx2MBe5Hsv2B-iyGunoNiiEYHVrezm1zuAuFqPxrEFI3WycrMc5_1SOb6519me-JfqQgHUtgSt3XVGo2I_xkG9KcntLXAjUOVPnxOlfQqthw4OEH6aEr4VDC2N2i3BzoopQ

    (Main - Auth Server) https://localhost:44388/api/account/my-profile

    Response : 401 Unauthorized

    (LabManagement) https://localhost:44365/api/account/my-profile

    Response : 400 Not Found { "error": { "code": null, "message": "There is no entity IdentityUser with id = 3a1b38dd-8dea-757a-4d61-50c453e822fd!", "details": null, "data": null, "validationErrors": null } }


    Admin User Access Token (This token is taken from Main Api)

    eyJhbGciOiJSUzI1NiIsImtpZCI6IjdGRUQzRDEzOUM4MzQwRkYxNjM1QjlBNDQ1MzA3OUEyMTBGMTU0NjQiLCJ4NXQiOiJmLTA5RTV5RFFQOFdOYm1rUlRCNW9oRHhWR1EiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDM4OC8iLCJleHAiOjE3NTYzNjgzOTksImlhdCI6MTc1NjM2NDc5OSwiYXVkIjoiTWFpbiIsInNjb3BlIjoiTWFpbiIsImp0aSI6IjRjY2MwY2M1LTQzN2YtNGMzYi05ZThhLWZhMTk4MzZhZDQyZCIsInN1YiI6IjNhMWIzOGRkLThkZWEtNzU3YS00ZDYxLTUwYzQ1M2U4MjJmZCIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBhYnAuaW8iLCJyb2xlIjoiYWRtaW4iLCJnaXZlbl9uYW1lIjoiYWRtaW4iLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOiJGYWxzZSIsImVtYWlsX3ZlcmlmaWVkIjoiRmFsc2UiLCJzZXNzaW9uX2lkIjoiNTMyN2Q1MDQtN2ViNC00ZTUzLTg4YjEtMGYyMGI0ZWJjMGRlIiwidW5pcXVlX25hbWUiOiJhZG1pbiIsIm9pX3Byc3QiOiJNYWluX0FwcCIsImNsaWVudF9pZCI6Ik1haW5fQXBwIiwib2lfdGtuX2lkIjoiM2ExYzAxYWMtZDU3ZS1lZmJjLTkxOGQtYzNmZGE2N2EzODg2In0.TMRBw-ubouuigi5cLXUOWt91HMmHX_Zc28ksc9gM6p3vdVnj1aNMqob72v1yjhPJDEfIceVOAAMdawGjSlqdfc1DYCxeQT0j4PYNQyN5UlZHpP7d1JY3CP8a7JxK6R2-9C4zYp9lRPcp5J8fNDWwnv7y-f_s2RaCQYrxwltUhS4WdRN6nJvFmU9T-kJpKW5MZyylBzHdwWpg-KV_eBE2SK2qdTRrTfVKwITObA0_P-RNQxHBJqlaRITUyAk0lBndHvWywd_kU-S926kqYALO-C96pBtCyTs_SIxhaM98vlRiZyck2CdK5PQleCZ1lXVIF1Hm-laGj-ZD0BBc6AeMOw

    (Main - Auth Server) https://localhost:44388/api/account/my-profile

    Response : 200 { "userName": "admin", "email": "admin@abp.io", "emailConfirmed": false, "name": "admin", "surname": null, "phoneNumber": null, "phoneNumberConfirmed": false, "isExternal": false, "hasPassword": true, "supportsMultipleTimezone": false, "timezone": "Unspecified", "concurrencyStamp": "3b39179b58a249ea923a934e917dee09", "extraProperties": {} }

    (LabManagement) https://localhost:44365/api/account/my-profile

    Response : 401 Unauthorized

  • maliming created (Support Team Fullstack Developer)

    hi

    All projects should get a token from the Auth Server.

    And the token will be validated by Auth Server website.


    Will all your projects use the same identity users database?

    Thanks.

  • user5.abpio created

    Yes, that's exactly what I wanted to do. All projects will get tokens from the Main(Auth) server, all users will be in this server's database, and this server will also have roles and permissions. Other applications will work by getting identity management and permissions from a single place.

    In the projects I set up, I entered the authserver information in appsettings as the Main(Auth) application's information. Login and Redirect work fine on the web. I also added the Permission information for other projects to the Main application. I even wrote the information for other projects in the application section. I also made the additions to the Scopes section.

  • maliming created (Support Team Fullstack Developer)

    hi

    Can you share two simple projects to reproduce the 401 error?

    liming.ma@volosoft.com

    Thanks.

  • user5.abpio created

    I sent three projects.

    Thanks

  • maliming created (Support Team Fullstack Developer)

    hi

    I have downloaded your projects. Can you also share the steps?

    Thanks.

  • user5.abpio created

    Hello,

    The main project is the Auth server. Donor and Lab are client projects. If you log in with the Administrator (admin role), you can see the TestSample menu button on the web side of the Lab project. You can create a new role as a user. Then, you can grant permission for the TestSample menu in the Main project. After that, if you log in to the Lab project with a user belonging to this role, the TestSample button that you granted permission for in the Main project should appear, but it does not.

    Thanks.

  • maliming created (Support Team Fullstack Developer)

    hi

    You can create a new role as a user. Then, you can grant permission for the TestSample menu in the Main project. After that, if you log in to the Lab project with a user belonging to this role, the TestSample button that you granted permission for in the Main project should appear, but it does not.

    Your web app (SCS.LabManagement.Web) will get an access token from the authserver (SCS.Main.Web) and then use this access token to request the API (SCS.LabManagement.HttpApi.Host).

    The API will return the granted permissions of the current user to your web app based on the access token you provide.

    BUT, the current user is from the authserver, which doesn't exist in your API app database.

    The API database doesn't have your custom role, user and the permissions.

    All of your apps should use the same database.

    Thanks.
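    As an added illustration, not code from this thread or from ABP, the following Python decodes the two access tokens posted earlier in the thread and applies the audience check that an API's JWT bearer validation performs; the results line up with the 401 and "no entity IdentityUser" responses above and with the database point made in this reply. It reads claims without verifying the signature, which is fine for inspecting a token you already hold but is not how an API should trust one.

```python
import base64
import json

# The two access tokens posted earlier in this thread (copied from the page).
# The first was issued to the LabManagement web app, the second to the Main app.
TOKEN_LABMANAGEMENT = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjdGRUQzRDEzOUM4MzQwRkYxNjM1QjlBNDQ1MzA3OUEyMTBGMTU0NjQiLCJ4NXQiOiJmLTA5RTV5RFFQOFdOYm1rUlRCNW9oRHhWR1EiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDM4OC8iLCJleHAiOjE3NTYzNjM5OTQsImlhdCI6MTc1NjM2MDM5NCwiYXVkIjoiTGFiTWFuYWdlbWVudCIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgcm9sZXMgZW1haWwgcGhvbmUgTGFiTWFuYWdlbWVudCIsImp0aSI6IjExYmY1NDM5LWYyMGUtNGI3OC04YzFhLTkwYWFjYjY3ZTJhYiIsInN1YiI6IjNhMWIzOGRkLThkZWEtNzU3YS00ZDYxLTUwYzQ1M2U4MjJmZCIsInNlc3Npb25faWQiOiIxZWE0ZTc5Yy1hZTY3LTRjYjMtOThhZS05ZGZkMDkzYTZhZGYiLCJ1bmlxdWVfbmFtZSI6ImFkbWluIiwib2lfcHJzdCI6IkxhYk1hbmFnZW1lbnRfV2ViIiwib2lfYXVfaWQiOiIzYTFiMzlhZC1jM2U1LTNkNmMtOWMzZS02ZDcxNWU3MDljYTEiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJhZG1pbiIsImdpdmVuX25hbWUiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImVtYWlsIjoiYWRtaW5AYWJwLmlvIiwiZW1haWxfdmVyaWZpZWQiOiJGYWxzZSIsInBob25lX251bWJlcl92ZXJpZmllZCI6IkZhbHNlIiwiY2xpZW50X2lkIjoiTGFiTWFuYWdlbWVudF9XZWIiLCJvaV90a25faWQiOiIzYTFjMDE2OS05ZWEwLTkwMDgtNzIzMC00N2U5M2JjOTk5MGYifQ.sZhVQw9wTYr_jvVouR5cg9lkpkJ_ydkdPdhPqdT2x4LlE_z5zF3N-YcMlUOSCOT8S26hnmjFm9C6ffUu_s_GmG9CvFDtK513_VihJuRvAVFeLhvrm6l8dcotBXV28QLpOPXea8nCMm7VP94wHr0qQvDfJBzIijo3MrruZDipcRpuwus-LSbmqgeOs_mt_v9R40xoPSB6cmvj4SXX0BFJx2MBe5Hsv2B-iyGunoNiiEYHVrezm1zuAuFqPxrEFI3WycrMc5_1SOb6519me-JfqQgHUtgSt3XVGo2I_xkG9KcntLXAjUOVPnxOlfQqthw4OEH6aEr4VDC2N2i3BzoopQ"
TOKEN_MAIN = "eyJhbGciOiJSUzI1NiIsImtpZCI6IjdGRUQzRDEzOUM4MzQwRkYxNjM1QjlBNDQ1MzA3OUEyMTBGMTU0NjQiLCJ4NXQiOiJmLTA5RTV5RFFQOFdOYm1rUlRCNW9oRHhWR1EiLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDM4OC8iLCJleHAiOjE3NTYzNjgzOTksImlhdCI6MTc1NjM2NDc5OSwiYXVkIjoiTWFpbiIsInNjb3BlIjoiTWFpbiIsImp0aSI6IjRjY2MwY2M1LTQzN2YtNGMzYi05ZThhLWZhMTk4MzZhZDQyZCIsInN1YiI6IjNhMWIzOGRkLThkZWEtNzU3YS00ZDYxLTUwYzQ1M2U4MjJmZCIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiZW1haWwiOiJhZG1pbkBhYnAuaW8iLCJyb2xlIjoiYWRtaW4iLCJnaXZlbl9uYW1lIjoiYWRtaW4iLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOiJGYWxzZSIsImVtYWlsX3ZlcmlmaWVkIjoiRmFsc2UiLCJzZXNzaW9uX2lkIjoiNTMyN2Q1MDQtN2ViNC00ZTUzLTg4YjEtMGYyMGI0ZWJjMGRlIiwidW5pcXVlX25hbWUiOiJhZG1pbiIsIm9pX3Byc3QiOiJNYWluX0FwcCIsImNsaWVudF9pZCI6Ik1haW5fQXBwIiwib2lfdGtuX2lkIjoiM2ExYzAxYWMtZDU3ZS1lZmJjLTkxOGQtYzNmZGE2N2EzODg2In0.TMRBw-ubouuigi5cLXUOWt91HMmHX_Zc28ksc9gM6p3vdVnj1aNMqob72v1yjhPJDEfIceVOAAMdawGjSlqdfc1DYCxeQT0j4PYNQyN5UlZHpP7d1JY3CP8a7JxK6R2-9C4zYp9lRPcp5J8fNDWwnv7y-f_s2RaCQYrxwltUhS4WdRN6nJvFmU9T-kJpKW5MZyylBzHdwWpg-KV_eBE2SK2qdTRrTfVKwITObA0_P-RNQxHBJqlaRITUyAk0lBndHvWywd_kU-S926kqYALO-C96pBtCyTs_SIxhaM98vlRiZyck2CdK5PQleCZ1lXVIF1Hm-laGj-ZD0BBc6AeMOw"


def decode_segment(segment: str) -> dict:
    """Base64url-decode one JWT segment into a dict. JWT segments drop the
    '=' padding, so it is restored before decoding."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def inspect_claims(token: str) -> dict:
    """Read the payload claims WITHOUT checking the signature. Use this only to
    look at a token you already hold; the API itself must validate signature,
    issuer, audience and expiry before trusting any claim."""
    header, payload = token.split(".")[:2]
    if decode_segment(header).get("typ") != "at+jwt":
        raise ValueError("not an OpenIddict access token")
    return decode_segment(payload)


def audience_check(token: str, resource_audience: str) -> bool:
    """The audience half of JWT bearer validation: the 'aud' claim (a string or
    a list) must name the API receiving the token, otherwise the API answers 401."""
    aud = inspect_claims(token).get("aud", [])
    audiences = aud if isinstance(aud, list) else [aud]
    return resource_audience in audiences


def expected_outcome(token: str, resource_audience: str) -> str:
    """Predict how an API whose audience is `resource_audience` treats the token,
    reproducing the two failure modes seen in this thread."""
    claims = inspect_claims(token)
    if not audience_check(token, resource_audience):
        return "401: token audience %r is not %r" % (claims["aud"], resource_audience)
    # Authentication passed; ABP now loads the user by 'sub' from the API's own
    # Identity tables, which fails when the API has a separate database.
    return "authenticated; IdentityUser %s must exist in the API's Identity database" % claims["sub"]


if __name__ == "__main__":
    for name, token in (("LabManagement token", TOKEN_LABMANAGEMENT), ("Main token", TOKEN_MAIN)):
        c = inspect_claims(token)
        print(name, "iss=%s aud=%s scope=%r client_id=%s" % (c["iss"], c["aud"], c["scope"], c["client_id"]))
        for api in ("Main", "LabManagement"):
            print("  -> %s API: %s" % (api, expected_outcome(token, api)))
```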

  • user5.abpio created

    Hello. Each application needs to operate with its own separate database. In this case, how can I handle both authentication and authorization through a single auth server? How do you handle this in microservice architectures? What is your recommendation?

  • maliming created (Support Team Fullstack Developer)

    hi

    Your application can use its own database. But the Identity module should use the Authserver's database.

    In the ABP microservices template, a single service can have separate data tables, but it will use a common database, e.g. for User, Setting and Permissions.

    See:

    https://abp.io/docs/latest/framework/fundamentals/connection-strings

    https://abp.io/community/articles/multitenancy-with-separate-databases-in-dotnet-and-abp-51nvl4u9#gsc.tab=0

Made with ❤️ on ABP v10.0.0-preview. Updated on September 01, 2025, 08:37