The problem is that when I set the tenant and click Login, it always tries to log in as the host. It doesn't seem to pass the tenant. I followed this git to replace the components.
https://gist.github.com/mehmet-erim/dac82931935a465a48802447de501032
My environment.ts is
import { Environment } from '@abp/ng.core';
const baseUrl = 'http://localhost:4200';
const oAuthConfig = { issuer: 'https://...../', redirectUri: baseUrl, clientId: 'Angular', scope: 'offline_access address roles openid profile email phone AuthServer IdentityService AdministrationService AuditLoggingService GdprService SaasService LanguageService OfficeService', requireHttps: false, impersonation: { tenantImpersonation: true, userImpersonation: true, } };
export const environment = { production: false, googleMapsApiKey: 'AIzaSyBsYU6NzW63ZGx_l3vDvtPsQ-ix_NHgPtI', application: { baseUrl, name: 'routilia', }, localization: { defaultResourceName: 'routilia' }, oAuthConfig, apis: { default: { url: 'https://.......', rootNamespace: 'dm.routilia', }, // OfficeService: { // url: 'http://......', // rootNamespace: 'dm.routilia', // }, AbpAccountPublic: { url: oAuthConfig.issuer, rootNamespace: 'AbpAccountPublic', }, }, } as Environment;
15 Answer(s)
-
0
To ensure the tenant is correctly passed during login in an ABP Angular application, you must configure both the backend and frontend to resolve and transmit the tenant information. If you replace the login component but do not handle tenant resolution and transmission, the login will default to the host.
Solution Steps:
Frontend (Angular) Configuration:
- The Angular app must send the
__tenantheader with each request. This is handled automatically if you use the{0}placeholder in yourbaseUrland configure the backend for domain/subdomain tenant resolution. - If you are not using domain-based tenant resolution, you must ensure the login component sets the tenant explicitly. Use the
SessionStateServiceto set the tenant before login, or pass the__tenantparameter when callingauthService.navigateToLogin().
Example:
- The Angular app must send the
import { AuthService, SessionStateService } from '@abp/ng.core'; // ... constructor(private authService: AuthService, private sessionState: SessionStateService) {} login() { const tenantId = this.sessionState.getTenant().id; this.authService.navigateToLogin({ __tenant: tenantId }); }- Backend Configuration:
- Ensure your backend is configured to resolve tenants from the
__tenantheader or query string:
- Ensure your backend is configured to resolve tenants from the
Configure<AbpTenantResolveOptions>(options => { options.AddHeaderTenantResolver(); options.AddQueryStringTenantResolver(); // Add domain resolver if using subdomains });Check Environment Configuration:
- If you are not using domain-based tenant resolution, do not use
{0}in yourbaseUrl. Instead, ensure the tenant is set in the session and passed during login.
- If you are not using domain-based tenant resolution, do not use
Disable Tenant Switcher (Optional):
- If you want to prevent users from switching tenants, hide or remove the tenant switcher component from your login UI.
Summary:
- Use
SessionStateServiceto set/get the tenant. - Pass the tenant to
navigateToLoginas shown above. - Ensure backend resolves tenants from headers or query string.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
With the proposal provided it still doesn't work
-
0
Hello,
Thank you for providing extra details about your problem. I have tried the same approach on my side. However, I could not produce the same issue on my end. Here is how I have tried logging in as a tenant:
If you think that I have made a mistake while trying to produce the problem, you can guide me. You can also send a minimal, reproducible example to my e-mail address: sumeyye.kurtulus@volosoft.com
Thank you for your cooperation.
-
0
Hi,
Could you show me how the environment and the Angular client are configured?
Thanks
-
0
Hello again,
I have followed the instructions you have shared above. Then, changed the authorization flow to password instead of code like this
//angular/src/environments/environment.ts //... const oAuthConfig = { issuer: 'https://localhost:44366/', redirectUri: baseUrl, clientId: 'Ticket9991_App', // responseType: 'code', comment out or make it 'password' scope: 'offline_access Ticket9991', requireHttps: true, impersonation: { tenantImpersonation: true, userImpersonation: true, }, };I am also sharing a sample project that may guide you: https://drive.google.com/file/d/1yFZRSyyuvxtCOHmrGEA1zauEWKBsxe7C/view?usp=drive_link
-
0
I tried implementing it as per your code, but I still get the same error. Could you show me how the clientId is configured: 'Ticket9991_App'?
-
0
Hello,
Here is the modal showing the application details.
I want to remind that I am just customizing the login pages and do not make any other modification on the application. If you have made another change, this may trigger an error.
-
0
I started all the services locally from Auth, Gateway, Identity, and Administration, and I see that login works properly. Using the published services doesn't work, but I have the reported issue. The published services are aligned with the local ones.
-
0
- Solution Based on your last note, the issue only occurs with the published (deployed) services, while everything works locally. In ABP Angular + OpenIddict, this almost always comes down to tenant resolution not being forwarded correctly to the Auth Server or lost at the reverse proxy/gateway. Use the checklist below to make the deployed setup behave exactly like local.
- Ensure the auth redirect includes the tenant in query string If you replaced the login component or call navigateToLogin yourself, pass the current tenant explicitly so the Auth Server doesn’t default to host:
import { AuthService, SessionStateService } from '@abp/ng.core'; import { inject } from '@angular/core'; export class HomeComponent { private authService = inject(AuthService); private session = inject(SessionStateService); login() { const tid = this.session.getTenant()?.id; if (tid) { this.authService.navigateToLogin({ __tenant: String(tid) }); } else { this.authService.navigateToLogin(); } } }Notes:
SessionStateService uses application-configuration to populate current tenant. If your Angular app is behind a gateway or CDN, ensure the initial GETs to AbpApplicationConfiguration endpoint include and preserve the tenant context (see proxy/gateway section).
Configure tenant resolvers on AuthServer and Gateway/Host The Auth Server must resolve the tenant from the incoming request. Add both Header and QueryString resolvers (and Domain if you use subdomains):
using Volo.Abp.MultiTenancy; Configure<AbpTenantResolveOptions>(options => { options.AddHeaderTenantResolver(); // __tenant header options.AddQueryStringTenantResolver(); // ?__tenant=<id or name> // Add domain resolver if you use subdomain-based tenancy: // options.AddDomainTenantResolver("*.your-domain.com"); // example });Make sure your reverse proxy and the API gateway forward the __tenant header Typical cause in production: the gateway/proxy strips custom headers. Ensure:
- Nginx: proxy_set_header __tenant $http___tenant;
- YARP/Envoy/Ingress: allow and forward the __tenant header.
- If you only send the tenant via query string, ensure the proxy does not rewrite/strip the query. Keep ?__tenant=… when redirecting to AuthServer.
- If you rely on domain resolver, verify Host header is preserved end-to-end.
Validate OpenIddict client configuration in AuthServer matches the deployed domains For the Angular app client (e.g., Ticket9991_App):
- Allowed flows: code or password (as you tested). If you use code flow in production, keep “Allow authorization code flow” and “Allow refresh token flow” checked.
- Redirect URIs must include your deployed Angular domain(s), exactly:
- https://your-angular-app-domain/
- If you have multiple tenants/domains, list each redirect URI explicitly. Avoid wildcards for redirect URIs.
- Post-logout redirect URIs the same way.
- CORS: include Angular domains; don’t rely on overly broad wildcards.
- If your AuthServer is behind a reverse proxy/HTTPS terminator, set the correct Authority/Issuer to the public HTTPS URL and trust headers (so redirects use public URLs).
Align Angular environment with production hosts Example when using a single AuthServer and single API for all tenants:
- Angular app per tenant domain: https://{0}.your-app.com
- oAuthConfig.issuer: https://auth.your-domain.com/
- apis.default.url: https://api.your-domain.com
- If you need tenant isolation by subdomain, keep application.baseUrl and redirectUri using {0} so Angular auto-detects tenant from subdomain. If you are not using subdomains, don’t use {0} and rely on __tenant forwarding as shown above.
If tenant switching appears on AuthServer login UI in production, pass a fixed tenant or enforce domain resolver
- Passing __tenant in navigateToLogin removes the need to switch.
- If the AuthServer itself determines tenant by domain, configure AddDomainTenantResolver accordingly and ensure the AuthServer public URL matches the domain pattern so it auto-picks the tenant.
- If you must disable tenant switch UI, keep the login flow always receiving a concrete tenant (via query or domain) so the switcher is not shown.
Common deployment pitfalls to check
- HTTPS offloading: Ensure the application thinks it is HTTPS. Configure ForwardedHeaders so OpenIddict builds correct redirect URIs.
- Mismatched Authority: AuthServer Authority must be the public URL users see (not internal container DNS).
- Cookie/SameSite: If you customized cookies, keep SameSite=None; Secure for cross-site redirects.
- Clock skew: If you see loops, check time sync between Angular host and AuthServer machines.
For code-flow: include tenant in the first authorize redirect ABP’s Angular OAuth code-flow strategy already appends extra params you pass to navigateToLogin. Your call with { __tenant: tid } ensures the authorize request contains __tenant and OpenIddict can resolve tenant before rendering login.
- Sources
- ABP Angular multi-tenancy basics: https://abp.io/docs/latest/framework/ui/angular/multi-tenancy
- ABP multi-tenancy overview: https://abp.io/docs/latest/framework/architecture/multi-tenancy
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
The AI solution doesn't work. The problem arises when I connect to the remote authentication server locally. It seems the __tenant cookie isn't being passed to the remote authentication server. The remote authentication server is running on nginx.
-
0
Thank you for providing extra details. Could you share the error log for the problem if exists?
-
0
The error is invalid username or password because in host the admin password is another.
This is the problem
1 - I set tenant from switch tenant modal 2- Set username and password of user tenant ( username => admin ) 3- The authServer not receive the tenant and try login to host but the password is not valid because is admin password of tenant
-
0
Thank you again for sharing these steps. If you have configured a different password for your tenant, you need to use the configured password while switching.
Here, I have set a password for
tenant-1as1q2w3E***and I use this while logging in as admin to the tenant-1 account.
-
0
Maybe I explained myself badly.
I run frontend from local with authserver remote ( into nginx )
The credential for admin host are 1- Username => admin 2- Password => 1q2w3e*
The credential for tenant ( exambple tenant1 ) are 1- username => admin 2- Password => tenant1!
When i try to login with tenant1 and i insert the correct credential ( admin and tenant1! ), the auth service respond with username or password invalid. But if i try to login with tenant1 and insert the credential of host ( admin and 1q2w3e* ) the uath server authenticate user correctly but in host and not in tenant1. The login page doesn't seem to pass the tenant to the auth server.
-
0
Thank you again for explaining the problem. I was able to produce it on my end.
If you are using lepton theme and replace the account layout with the key below
this.replaceableComponentsService.add({ key: eThemeLeptonComponents.AccountLayout, component: AccountLayoutComponent, });You may be missing an import in your
AccountLayoutComponentforThemeSharedModule.—
If you are using the lepton-x theme and replace the same component using the key below:
this.replaceableComponentsService.add({ key: eThemeLeptonXComponents.AccountLayout, component: AccountLayoutComponent, });You will also need to replace the
TenantBoxcomponent like this:this.replaceableComponentsService.add({ key: eAccountComponents.TenantBox, component: MyTenantBoxComponent, });Here is how tenant box component should look like until we publish a fix for this switch problem
import { AsyncPipe } from '@angular/common'; import { Component, inject } from '@angular/core'; import { FormsModule } from '@angular/forms'; import { AutofocusDirective, LocalizationPipe } from '@abp/ng.core'; import { ButtonComponent, ModalCloseDirective, ModalComponent } from '@abp/ng.theme.shared'; import { TenantBoxService } from '@volo/abp.ng.account.core'; import { TenantBoxComponent } from '@volosoft/abp.ng.theme.lepton-x/account'; @Component({ selector: 'my-tenant-box', template: ` @if ((service.currentTenant$ | async) || {}; as currentTenant) { <hr /> <div> <div class="tenant-switch-box"> <div class="row"> <div class="col pr-1 pb-2"> <h6 class="m0"> {{ 'AbpUiMultiTenancy::Tenant' | abpLocalization }} </h6> <i>{{ currentTenant.name || ('AbpUiMultiTenancy::NotSelected' | abpLocalization) }}</i> </div> <div class="col-auto pl-1"> <a id="abp-tenant-switch-link" class="btn btn-sm btn-outline-primary float-end pointer" (click)="service.onSwitch()" href="javascript:void(0)" > {{ 'AbpUiMultiTenancy::Switch' | abpLocalization }} </a> </div> </div> </div> </div> <hr /> <abp-modal [(visible)]="service.isModalVisible" [busy]="service.modalBusy" size="md"> <ng-template #abpHeader> <h5>{{ 'AbpUiMultiTenancy::SwitchTenant' | abpLocalization }}</h5> </ng-template> <ng-template #abpBody> <form (ngSubmit)="service.save()"> <div class="mt-2"> <div class="form-group"> <label for="name">{{ 'AbpUiMultiTenancy::Name' | abpLocalization }}</label> <input [(ngModel)]="service.name" type="text" id="name" name="tenant" class="form-control" autofocus /> </div> <p>{{ 'AbpUiMultiTenancy::SwitchTenantHint' | abpLocalization }}</p> </div> </form> </ng-template> <ng-template #abpFooter> <button abpClose type="button" class="btn btn-outline-primary"> {{ 'AbpAccount::Cancel' | abpLocalization }} </button> <abp-button type="abp-button" iconClass="fa fa-check" (click)="service.save()" [disabled]="currentTenant?.name === service.name" > {{ 'AbpAccount::Save' | abpLocalization }} </abp-button> </ng-template> </abp-modal> } `, imports: [ ModalCloseDirective, ModalComponent, ButtonComponent, LocalizationPipe, AutofocusDirective, AsyncPipe, FormsModule, ], providers: [TenantBoxService], }) export class MyTenantBoxComponent extends TenantBoxComponent { protected readonly service = inject(TenantBoxService); }You can let us know if you need further assistance. Thank you for your cooperation.
