Template: microservice
Created ABP Studio Version: 1.0.2
Current ABP Studio Version: 1.2.2
Multi-Tenancy: Yes
UI Framework: mvc
Theme: leptonx
Theme Style: system
Theme Menu Placement: side
Run Install Libs: Yes
Database Provider: ef
Database Management System: sqlserver
Mobile Framework: none
Public Website: No
Social Login: Yes
Include Tests: Yes
Dynamic Localization: Yes
Kubernetes Configuration: Yes
Grafana Dashboard: Yes
Use Local References: No
Optional Modules:
GDPR
TextTemplateManagement
AuditLogging
OpenIddictAdmin
Selected Languages: English, English (United Kingdom), Español
Default Language: English
Create Command: abp new CloverleafCMS -t microservice --ui-framework mvc --database-provider ef --database-management-system sqlserver --theme leptonx --skip-migrator --without-cms-kit --dont-run-bundling -no-file-management -no-language-management
We're using the microservice template and using the auth-server app for authentication. The auth-server application has been slightly modified for custom branding. We are running the authserver and microservices in Azure Kubernetes.
Exception message and full stack trace: The scenario is we have a multi-tenant app and we are testing the confirm email and reset password processes and are getting the error below when we change to a new tenant. We are deriving the tenant from the url in the form of 'auth.tenantname.cloverleafcms.dev'. Our tenant resolver interrogates the httpContext host and resolves the tenant and sets the context.TenantIdOrName property. We are getting a 404 Page not found (no entity for IdentityUser) error after we register a new user then confirm email.
After making the suggestions to correct the tenant aware email url that is produced by the email generator, I'm still getting the 404 user not found for identity guid error. Here was the AI bot generated response for ticket #9843. ***The issue you are experiencing is due to the email confirmation and reset password links being generated with the wrong base URL (e.g., https://authserver.cloverleafcms.dev instead of the required tenant-specific subdomain like https://auth.homefree.cloverleafcms.dev). This causes the tenant resolver to fail, resulting in a 404 error because the user cannot be found in the wrong tenant context.
To resolve this, you need to ensure that the URLs generated for email confirmation and password reset are tenant-aware and use the correct subdomain format that your HostTenantResolveContributor expects.***
- Exception message and full stack trace:

```
[14:18:04 INF] Request starting HTTP/1.1 GET http://auth.cooptrustcu.cloverleafcms.dev/Account/EmailConfirmation?userId=7c35ab2c-1f30-b33f-1b3a-3a1c93671327&__tenant=7a5bc172-edda-3f19-78f6-3a1c7aa58661&confirmationToken=CfDJ8JgaA0MlWwBBhj6j207cixmu5y42jSy4ry8ycfDDBf%2BCXXc5yitosQCqt4qxGl1LuArwH0ucsbBbkxMfm1HwybHVP5NvjKRFg2Fl%2BbKwOd8HD7iMGufmXfRvDTvYLEzzRximE00AEz5WL5qCWsrru2b0e92EYxkW0IqkMItTuQSV7tTJpV136o3SOkfeZmY10Su731vOVAUkEFdLohNw58W7mEmLtZxf4Q%2Bc29yAmOciNHIj7nNuAGKmxnT3Y5wfxQ%3D%3D&returnUrl=%2fconnect%2fauthorize%3fclient_id%3dcloverleafcms%26redirect_uri%3dhttps%253A%252F%252Fcooptrustcu.cloverleafcms.dev%252Fsignin-oidc%26response_type%3dcode%26scope%3daddress%2520email%2520phone%2520profile%2520roles%2520ActionItemService%2520AdministrationService%2520AIService%2520AuditLoggingService%2520AuthServer%2520ClientService%2520ClientServicesQuery%2520CommunicationsTemplateService%2520ContactService%2520DocTemplateService%2520DocumentService%2520EngagementLogService%2520FinancialService%2520GdprService%2520GuardianshipService%2520HousingService%2520HudService%2520IdentityService%2520LanguageService%2520MemberConfigService%2520NoteService%2520SaasService%2520ServicesService%2520SMSService%2520StaffService%2520TokenService%2520WorkshopService%26state%3d057a9c327a884cb4b4986b97b30e279f%26code_challenge%3dq_0a68W7EJ3fcOqZi_qDBr8TdB2rqQVwsdd80-HL1ok%26code_challenge_method%3dS256%26response_mode%3dquery - null null
Host from request: authserver.cloverleafcms.dev.
AuthServer subdomain detected, returning null for prefix.
Tenant prefix after GetPrefixFromHost is: .
Tenant prefix not found in the host.
[14:18:04 INF] Executing endpoint '/Account/EmailConfirmation'
[14:18:04 INF] Route matched with {page = "/Account/EmailConfirmation", area = "", action = "", controller = ""}. Executing page /Account/EmailConfirmation
[14:18:04 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[14:18:04 INF] Built connection string for AbpLanguageManagement
[14:18:04 INF] Connection string: Server=xxx.xxx.xxx.xxx;User ID=XXXXX;Password=XXXXXX;Database=DBName_Language;TrustServerCertificate=true;Connect Timeout=30;Connection Lifetime=600;Load Balance Timeout=300;
[14:18:04 INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.EmailConfirmationModel.OnGetAsync - ModelState is Valid
[14:18:04 INF] Built connection string for AbpIdentity
[14:18:04 INF] Connection string: Server=xxx.xxx.xxx.xxx;User ID=XXXXX;Password=XXXXXX;Database=DBName_Identity;TrustServerCertificate=true;Connect Timeout=30;Connection Lifetime=600;Load Balance Timeout=300;
[14:18:04 ERR] ---------- RemoteServiceErrorInfo ----------
2025-09-25T14:18:04.357224629Z {
2025-09-25T14:18:04.357228409Z "code": null,
2025-09-25T14:18:04.357231966Z "message": "There is no entity IdentityUser with id = 7c35ab2c-1f30-b33f-1b3a-3a1c93671327!",
2025-09-25T14:18:04.357236144Z "details": null,
2025-09-25T14:18:04.357238670Z "data": null,
2025-09-25T14:18:04.357241628Z "validationErrors": null
2025-09-25T14:18:04.357254894Z }
2025-09-25T14:18:04.357258307Z [14:18:04 ERR] There is no such an entity. Entity type: Volo.Abp.Identity.IdentityUser, id: 7c35ab2c-1f30-b33f-1b3a-3a1c93671327
Volo.Abp.Domain.Entities.EntityNotFoundException: There is no such an entity. Entity type: Volo.Abp.Identity.IdentityUser, id: 7c35ab2c-1f30-b33f-1b3a-3a1c93671327
   at Volo.Abp.Identity.IdentityUserManager.GetByIdAsync(Guid id)
```
Image of the Kubernetes Authserver pod environment variables for SelfUrl and Authority.
Image of the user in the Identity database to show that it exists under the tenant.
Image of the tenant 'cooptrustcu' in the SaasTenants table.
I need to find out where or how the 'host' from the httpContext request is still 'authserver.cloverleafcms.dev'. If I change the AuthServer__Authority to 'https://auth.{0}.cloverleafcms.dev' then the authserver throws an error and will not start because it cannot parse the authority url. Bottom line is I need to get the Email Confirmation and Password Reset process to work before we can go live. Can we get credit for ticket #9843 or reopen it?
4 Answer(s)
-
0
To resolve the 404 error for email confirmation and password reset links in your multi-tenant ABP microservice solution, you must ensure that:
- The URLs generated for email confirmation and password reset are tenant-aware and use the correct subdomain (e.g., auth.{tenant}.cloverleafcms.dev).
- The AuthServer is configured to resolve the tenant from the subdomain and not from the host-only domain (e.g., authserver.cloverleafcms.dev).
Key Points and Solution
1. Environment Variable Configuration
Your current environment variables show:
App__SelfUrl = https://auth.{0}.cloverleafcms.dev
AuthServer__Authority = https://authserver.cloverleafcms.dev
The AuthServer__Authority should also use the {0} placeholder for tenant resolution:
AuthServer__Authority = https://auth.{0}.cloverleafcms.dev
This allows the system to generate tenant-specific URLs.
2. Tenant Resolver
- Ensure your tenant resolver is correctly extracting the tenant from the subdomain (e.g., cooptrustcu from auth.cooptrustcu.cloverleafcms.dev).
- The resolver should not return null for the prefix if the subdomain is present.
3. URL Generation for Emails
- When generating email confirmation and reset password links, use the tenant-specific URL format.
- The ABP framework uses the App:SelfUrl and AuthServer:Authority settings to generate these links. Both must be tenant-aware.
4. Kubernetes and AppSettings
- In your Kubernetes deployment, set both App__SelfUrl and AuthServer__Authority to use the {0} placeholder.
- Example:

```json
"App": { "SelfUrl": "https://auth.{0}.cloverleafcms.dev" },
"AuthServer": { "Authority": "https://auth.{0}.cloverleafcms.dev" }
```
5. ABP Multi-Tenant Domain Resolving
Follow the official ABP documentation for multi-tenant domain resolving in microservice solutions:
- https://abp.io/docs/latest/guides/ms-multi-tenant-domain-resolving
Ensure your configuration matches the documented approach, especially for subdomain-based tenant resolution.
6. Restart and Test
- After updating the environment variables and configuration, restart your AuthServer and related services.
- Register a new user and confirm that the email confirmation link uses the correct tenant subdomain.
- The link should look like:
https://auth.cooptrustcu.cloverleafcms.dev/Account/EmailConfirmation?userId=...
- The tenant resolver should now correctly resolve the tenant, and the user should be found in the correct context.
Summary:
Update your AuthServer__Authority to use the {0} placeholder for tenant subdomains, ensure your tenant resolver is subdomain-aware, and verify your email link generation uses tenant-specific URLs. Follow the ABP multi-tenant domain resolving guide for full details.
Sources (validated):
- https://abp.io/docs/latest/guides/ms-multi-tenant-domain-resolving
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
Here is the generated email confirmation link. It does look like suggested in Step 6 above. https://auth.cooptrustcu.cloverleafcms.dev/Account/EmailConfirmation?userId=7c35ab2c-1f30-b33f-1b3a-3a1c93671327&__tenant=7a5bc172-edda-3f19-78f6-3a1c7aa58661&confirmationToken=CfDJ8JgaA0MlWwBBhj6j207cixmu5y42jSy4ry8ycfDDBf%2BCXXc5yitosQCqt4qxGl1LuArwH0ucsbBbkxMfm1HwybHVP5NvjKRFg2Fl%2BbKwOd8HD7iMGufmXfRvDTvYLEzzRximE00AEz5WL5qCWsrru2b0e92EYxkW0IqkMItTuQSV7tTJpV136o3SOkfeZmY10Su731vOVAUkEFdLohNw58W7mEmLtZxf4Q%2Bc29yAmOciNHIj7nNuAGKmxnT3Y5wfxQ%3D%3D&returnUrl=%2fconnect%2fauthorize%3fclient_id%3dCloverleafCMS%26redirect_uri%3dhttps%253A%252F%252Fcooptrustcu.cloverleafcms.dev%252Fsignin-oidc%26response_type%3dcode%26scope%3daddress%2520email%2520phone%2520profile%2520roles%2520ActionItemService%2520AdministrationService%2520AIService%2520AuditLoggingService%2520AuthServer%2520ClientService%2520ClientServicesQuery%2520CommunicationsTemplateService%2520ContactService%2520DocTemplateService%2520DocumentService%2520EngagementLogService%2520FinancialService%2520GdprService%2520GuardianshipService%2520HousingService%2520HudService%2520IdentityService%2520LanguageService%2520MemberConfigService%2520NoteService%2520SaasService%2520ServicesService%2520SMSService%2520StaffService%2520TokenService%2520WorkshopService%26state%3d057a9c327a884cb4b4986b97b30e279f%26code_challenge%3dq_0a68W7EJ3fcOqZi_qDBr8TdB2rqQVwsdd80-HL1ok%26code_challenge_method%3dS256%26response_mode%3dquery
When I click on the link I get the 404 error because the httpContext host is 'authserver.cloverleafcms.dev' and not from the url which has the correct tenant.
-
0
I get this error when I change the AuthServer__Authority to 'https://auth.{0}.cloverleafcms.dev'
```
[16:27:50 INF] Starting CloverleafCMS.AuthServer
2025-09-25T16:27:51.304356585Z CloverleafCMS.AuthServer terminated unexpectedly!
2025-09-25T16:27:51.312983837Z Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=9.2.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
2025-09-25T16:27:51.313015436Z ---> System.UriFormatException: Invalid URI: The hostname could not be parsed.
2025-09-25T16:27:51.313019508Z at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
2025-09-25T16:27:51.313023141Z at System.Uri..ctor(String uriString)
2025-09-25T16:27:51.313026845Z at CloverleafCMS.AuthServer.CloverleafCMSAuthServerModule.<>c__DisplayClass3_0.<PreConfigureOpenIddict>b__1(OpenIddictServerBuilder serverBuilder) in D:\CodeRepositories\CloverleafCMS-Microservices-Abp\apps\auth-server\CloverleafCMS.AuthServer\CloverleafCMSAuthServerModule.cs:line 253
2025-09-25T16:27:51.313031158Z at Volo.Abp.Options.PreConfigureActionList`1.Configure(TOptions options)
2025-09-25T16:27:51.313034387Z at Microsoft.Extensions.DependencyInjection.ServiceCollectionPreConfigureExtensions.ExecutePreConfiguredActions[TOptions](IServiceCollection services, TOptions options)
2025-09-25T16:27:51.313037294Z at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
2025-09-25T16:27:51.313040180Z at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
2025-09-25T16:27:51.313043087Z at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
2025-09-25T16:27:51.313045733Z at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
2025-09-25T16:27:51.313048583Z at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
2025-09-25T16:27:51.313051602Z at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
2025-09-25T16:27:51.313054693Z --- End of inner exception stack trace ---
2025-09-25T16:27:51.313057457Z at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
2025-09-25T16:27:51.313059913Z at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
2025-09-25T16:27:51.313062722Z at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
2025-09-25T16:27:51.313065556Z at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
at CloverleafCMS.AuthServer.Program.Main(String[] args) in D:\CodeRepositories\CloverleafCMS-Microservices-Abp\apps\auth-server\CloverleafCMS.AuthServer\Program.cs:line 58
2025-09-25T16:27:51.313136379Z at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
2025-09-25T16:27:51.313141099Z at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
2025-09-25T16:27:51.313145918Z at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
2025-09-25T16:27:51.313148621Z at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
2025-09-25T16:27:51.313151609Z at CloverleafCMS.AuthServer.Program.Main(String[] args) in D:\CodeRepositories\CloverleafCMS-Microservices-Abp\apps\auth-server\CloverleafCMS.AuthServer\Program.cs:line 58
```

I realize the {0} in the uri makes it not a FQDN and that is the error - not parsing. So how do I get the correct tenant from the Email Confirmation link?
-
0
Found this line of code in our AuthServer service. It was added to try to fix the issue with the 'discovery document' not returning as https. See #9849 https://abp.io/support/questions/9849/Error-retrieving-discovery-document-Endpoint-does-not-use-HTTPS-httpauthservermydomaindevconnectauthorize

```csharp
// Force HTTPS scheme for AKS/ingress scenarios - must be early in pipeline
if (!env.IsDevelopment())
{
    app.Use((httpContext, next) =>
    {
        httpContext.Request.Scheme = "https";
        // Set the host to the authority from configuration, removing the scheme if present
        httpContext.Request.Host = new HostString(configuration["AuthServer:Authority"]!.Replace("https://", "").Replace("http://", ""));
        return next();
    });
}
```
Added this line of code to NOT overwrite the url when the HttpContext.Request is not coming from the 'authserver.domain.dev'.
```csharp
// Force HTTPS scheme for AKS/ingress scenarios - must be early in pipeline
if (!env.IsDevelopment())
{
    app.Use((httpContext, next) =>
    {
        httpContext.Request.Scheme = "https";
        if (httpContext.Request.Host.HasValue && httpContext.Request.Host.Value.Contains("authserver"))
        {
            // Set the host to the authority from configuration, removing the scheme if present
            httpContext.Request.Host = new HostString(configuration["AuthServer:Authority"]!.Replace("https://", "").Replace("http://", ""));
        }
        return next();
    });
}
```
This seems to have fixed the case where we are doing the EmailConfirmation and PasswordReset links that have the 'tenant' as part of the uri. I need to test now to see if I can still get a token via our token service as in #9849.
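
Added example, not part of the original posts and not ABP's code: the `Contains("authserver")` test above is a substring match, so it would also rewrite a tenant host such as the constructed `auth.authserver-demo.cloverleafcms.dev` and drop its tenant. This version decides by the exact `auth.{tenant}.cloverleafcms.dev` shape instead. The class name, the two pattern constants and the sample hosts are assumptions; in the middleware it would be given `httpContext.Request.Host.Host`.

```csharp
#nullable enable
using System;

// Added example, not the poster's middleware. Host layout assumed from the thread:
// auth.{tenant}.cloverleafcms.dev carries a tenant; every other host is tenant-less.
public static class AuthHostPolicy
{
    private const string TenantPrefix = "auth.";
    private const string BaseDomain = ".cloverleafcms.dev";

    // Returns the tenant label only when the host has exactly the tenant shape.
    public static string? TryGetTenant(string host)
    {
        if (!host.StartsWith(TenantPrefix, StringComparison.OrdinalIgnoreCase) ||
            !host.EndsWith(BaseDomain, StringComparison.OrdinalIgnoreCase))
            return null;
        int length = host.Length - TenantPrefix.Length - BaseDomain.Length;
        if (length <= 0) return null;              // e.g. "auth.cloverleafcms.dev"
        string label = host.Substring(TenantPrefix.Length, length);
        foreach (char c in label)
            if (!char.IsAsciiLetterOrDigit(c) && c != '-') return null; // one DNS label, no dots
        return label.ToLowerInvariant();
    }

    // Tenant hosts pass through untouched; anything else is normalised to the
    // configured authority host, as the original middleware did for every request.
    public static string EffectiveHost(string requestHost, string authorityUrl) =>
        TryGetTenant(requestHost) is null
            ? new Uri(authorityUrl).Host   // must be a concrete URL; a "{0}" host does not parse
            : requestHost;

    public static void Main()
    {
        const string authority = "https://authserver.cloverleafcms.dev";
        string[] hosts =                              // constructed sample hosts
        {
            "auth.cooptrustcu.cloverleafcms.dev",
            "authserver.cloverleafcms.dev",
            "auth.authserver-demo.cloverleafcms.dev", // tenant name containing "authserver"
            "10.0.12.7",                              // request addressed by an internal IP
        };
        foreach (string h in hosts)
        {
            string tenant = TryGetTenant(h) ?? "(none)";
            Console.WriteLine($"{h}: tenant={tenant}, effective={EffectiveHost(h, authority)}, " +
                $"substringMatch={h.Contains("authserver")}");
        }
    }
}
```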