We have a Saas web application written in Vue JS that uses our Abp Microservice solution for the backend. Each tenant will have their own domain like https://client1.mydomain, https://client2.mydomain.dev, etc.
We added this to the auth server module PreconfigureServices PreConfigure(options => { options.EnableWildcardDomainSupport = true; // Development environment domains options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/signin-oidc"); options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/silent-refresh"); options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/auth/login"); options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/auth/signout-callback-oidc"); });
In the Identity database OpenIddictApplications table we manually updated the RedirectUris and PostLogoutRedirectUris with the wildcard character '*'
[
{
"id": "9335f213-8a0d-7ce3-f069-3a1b786183db",
"ClientId": "CloverleafCMS",
"RedirectUris": "["https://*.mydomain.dev/signin-oidc","https://*.mydomain.dev/auth/silent-refresh"]",
"PostLogoutRedirectUris": "["https://.cloverleafcms.us/auth/login"]"
}
]
The issue is that the OpenIddictApplications table is reseeded every time the Identity service is restarted. So we have to manually update the redirect Uris with the wildcard manually
I tried adding the wildcard in the Identity data seeder but it through a malformed url error.
I read this article https://abp.io/docs/latest/guides/ms-multi-tenant-domain-resolving but not sure that will fix our problem since our client application is written in Vue.
How do we get around this? <br>
5 Answer(s)
-
0
To properly configure multi-tenant domain resolution for your Vue.js app using the ABP microservice backend, you should leverage ABP's wildcard domain support for OpenIddict, as described in the official documentation. This approach is independent of the frontend framework (Vue, Angular, etc.) and is handled entirely on the backend (AuthServer).
Here’s how to set it up so you do not need to manually update the OpenIddictApplications table after each reseed:
- In your AuthServer module's PreConfigureServices, enable wildcard domain support and add your domain formats:
PreConfigure<AbpOpenIddictWildcardDomainOptions>(options => { options.EnableWildcardDomainSupport = true; options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev"); // Add other formats as needed, e.g.: // options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/signin-oidc"); // options.WildcardDomainsFormat.Add("https://{0}.mydomain.dev/auth/silent-refresh"); // etc. });- In your AuthServer's appsettings.json, add the wildcard domain formats:
"WildCardDomains": { "VueApp": "https://{0}.mydomain.dev" }Then, in PreConfigureServices, load these from configuration:
var configuration = context.Services.GetConfiguration(); PreConfigure<AbpOpenIddictWildcardDomainOptions>(options => { options.EnableWildcardDomainSupport = true; options.WildcardDomainsFormat.Add(configuration["WildCardDomains:VueApp"]); });Do NOT manually edit the OpenIddictApplications table to add wildcards. Instead, ensure your OpenIddict client seeding (usually in your data seeder or migration) does NOT hardcode tenant-specific redirect URIs. The wildcard support will allow any subdomain matching the pattern to be accepted for redirect and post-logout URIs.
When seeding clients, use a base URL (e.g., "https://{0}.mydomain.dev") in your configuration, and let the wildcard domain support handle the rest. You do not need to list every possible tenant domain.
This approach works regardless of your frontend technology (Vue, Angular, React, etc.), as the redirect URI validation is handled by the backend.
If you are using multiple environments (dev, prod), add the appropriate domain patterns for each.
By following these steps, you will not need to manually update the OpenIddictApplications table after each reseed, and your multi-tenant Vue.js app will work seamlessly with ABP's domain-based tenant resolution.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
We've already done the above. We added "https://{0}.mydomain.dev/" to the appsettings in the Identity service and it threw an error that it's a malformed url in the CreateOrUpdateApplicationAsync of OpenIddictDataSeeder.cs.
-
0
hi
What error/exception did you get now?
Thanks.
-
0
Hi,
In the Identity service OpenIddictDataSeeder on this block of code:
if (!Uri.TryCreate(redirectUri, UriKind.Absolute, out var uri) || !uri.IsWellFormedOriginalString()) { throw new ApplicationException("Invalid redirect URI: " + redirectUri); }We get:
Exception has occurred: CLR/System.ApplicationException An exception of type 'System.ApplicationException' occurred in System.Private.CoreLib.dll but was not handled in user code: 'Invalid redirect URI: https://{0}.mydomain.dev/signin-oidc' at CloverleafCMS.IdentityService.Data.OpenIddictDataSeeder.<CreateOrUpdateApplicationAsync>d__15.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/OpenIddictDataSeeder.cs:line 627 at CloverleafCMS.IdentityService.Data.OpenIddictDataSeeder.<CreateClientsAsync>d__14.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/OpenIddictDataSeeder.cs:line 354 at CloverleafCMS.IdentityService.Data.OpenIddictDataSeeder.<SeedAsync>d__9.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/OpenIddictDataSeeder.cs:line 57 at Castle.DynamicProxy.AsyncInterceptorBase.<ProceedAsynchronous>d__13.MoveNext() at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapter.<ProceedAsync>d__7.MoveNext() at Volo.Abp.Uow.UnitOfWorkInterceptor.<InterceptAsync>d__2.MoveNext() at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.<InterceptAsync>d__2.MoveNext() at CloverleafCMS.IdentityService.Data.IdentityServiceDataSeeder.<SeedOpenIddictAsync>d__12.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/IdentityServiceDataSeeder.cs:line 105 at CloverleafCMS.IdentityService.Data.IdentityServiceDataSeeder.<SeedAsync>d__9.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/IdentityServiceDataSeeder.cs:line 52 at CloverleafCMS.IdentityService.Data.IdentityServiceRuntimeDatabaseMigrator.<SeedAsync>d__2.MoveNext() in /Users/rogerhopkins/App_Development/CodeRepositories/CloverleafCMS-Microservices/services/identity/CloverleafCMS.IdentityService/Data/IdentityServiceRuntimeDatabaseMigrator.cs:line 35 at Volo.Abp.EntityFrameworkCore.Migrations.EfCoreRuntimeDatabaseMigratorBase`1.<LockAndApplyDatabaseMigrationsAsync>d__35.MoveNext() -
0
hi
You don't need to add a wildcard domain to the database; you only need add it to
WildcardDomainsFormatThanks
PreConfigure<AbpOpenIddictWildcardDomainOptions>(options => { options.EnableWildcardDomainSupport = true; options.WildcardDomainsFormat.Add("https://{0}.our.app"); });
