Doesn't this introduce security vulnerabilities because we don't validate the token?
The configuration is exactly correct per the documentation you mentioned.
I have removed all the external dependencies and it can now run without an Azure connection.
Repo is updated.
The steps are this:
The auth server is embedded in the API. The workflow project is not needed for this repro.
At this point login should be possible, but when using the sefdemo.localhost URL, which corresponds to one of our tenants, it does not work.
That is not my repository. My repro can be found here https://github.com/ddelamare/abpAuthIssue
That NuGet package is not in our repository. The prefixes should be TOG and SEF.
But here are the steps
So the main issue that I have is that the login does not work when each tenant has their own client id. Tenant is determined by URL, so you'll have to register a localhost redirect in the hosts file. You can use sefdemo.localhost as it's a host configured in the sender. Based on the feedback above, we need to register an OIDC scheme per tenant, but that does not seem to work.
Ultimately, what we need is a login scheme that works for all tenants when each tenant has their own unique URL, configuration, and database but all run on a single instance.
Additionally, we have an issue where controllers with third-party base classes in the API host project return 401 when forwarded a seemingly valid token via YARP.
I have created the repo and invited you.
AddAbpOpenIdConnect with tenant-specific identifiers and updated the login button to redirect based on the tenant. It selects the correct scheme, but first it complains about not being able to protect the state. Some googling determines that this is because the callback paths are all the same. So I updated those as well; however, now the server is rejecting the URL because: The response was successfully returned as a plain-text document: {
"error": "invalid_request",
"error_description": "The specified 'redirect_uri' is not valid for this client application.",
"error_uri": "https://documentation.openiddict.com/errors/ID2043",
"culture": "en",
"ui-culture": "en"
}.
Here is the relevant URL:
https://sefdemo-api.localhost:44392/connect/authorize?client_id=TOG_Blazor_sefdemo.localhost&redirect_uri=https%3A%2F%2Fsefdemo.localhost%3A44346%2Fauthentication%2Flogin-callback-test&response_type=code&scope=openid%20profile%20roles%20email%20phone%20TOG&code_challenge=A0ICrKQp24UZCHIA5cvNdbngRM3_oDsDCXUDB9XyrQ0&code_challenge_method=S256&response_mode=form_post&nonce=639023934276655883.OWY1OGYxZjEtYWM5MS00NGQxLTg5MWItMTI4MDRmODZkZDE4MDVhODNhMDYtM2I4Yi00MjczLThmOTctNzM5ZjhhZTcwYzE4&state=CfDJ8JJBz11WLB9Do83s_QYJ8pa9Sa2Fct1CkwfNhrCGMgIetC3QVxV_j8g7iMFmqgJsgB20I3xDEJrkjPDS8tAmMspsJ6p01NbvNzAtRYcXCqb_0iCg7gpe11E4mVnH0QsD4Oszs3ri5lv7IvFHLh8TA6JjO_vCk6t5sgjJY0TPkCQ7XUJgoc-xDiAUpi9aEmQz_rHV3wv1lqVHJqXu93mSjfQ5UdD1xe-KzTU7Qs_s8kJ9aV6WCZM9G48ziMrHeqllRTSa_mZHVa783DJmPDtLo-OOn17jtxZA3uhn2VsUjTCN5W1EcJ-yrPfXXyl9N3kKChIOasQrPrca7rlbtUF7SnEjlWNWHfKIOj8o9v2_pWf4tFW4VLu4VRrpsQ_eE2ZhXfsDJJw2eeYnrDLlnTWw_iXN90Nnl4cDrjozbPc3C_pg&x-client-SKU=ID_NET10_0&x-client-ver=8.14.0.0
And here are the values for this client_id in the OpenIdConnectApplications table:
b633bf6a-6a55-5d25-0eaa-3a1bb1ebe100,TOG_Blazor_sefdemo.localhost,,implicit,Blazor Application (Test),,"[""ept:end_session"",""gt:authorization_code"",""rst:code"",""ept:authorization"",""ept:token"",""ept:revocation"",""ept:introspection"",""scp:address"",""scp:email"",""scp:phone"",""scp:profile"",""scp:roles"",""scp:TOG""]","""[https://sefdemo.localhost:44346/authentication/logout-callback-test""]",,"""[https://sefdemo.localhost:44346/authentication/login-callback-test""]",,public,https://sefdemo.localhost:44346,/images/clients/blazor.svg,{},af1a27245e36434283b4d3d86e1b52ae,2025-08-12 12:25:53.8442911,,2025-12-26 16:43:26.9281946,,false,,,,,,
Followup errors:
ctx.Options.ClientId causes authentication for clients to fail with the error: The response was successfully returned as a JSON document: {
"error": "invalid_grant",
"error_description": "The specified authorization code cannot be used by this client application.",
"error_uri": "https://documentation.openiddict.com/errors/ID2069"
}.
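An added illustration, not code from this thread, ABP or OpenIddict, of the two server-side checks behind the errors quoted above: the redirect_uri in the authorize request must exactly match one registered for that client_id (ID2043), and an authorization code can only be redeemed by the client it was issued to (ID2069). The application record and code store below are constructed sample data.

```python
"""Illustration (not OpenIddict's code) of two OpenID Connect server checks:
exact redirect_uri matching per client_id, and binding an authorization code
to the client that requested it. All registrations are constructed samples."""
import json
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed application record. RedirectUris is a JSON array of strings,
# mirroring the column layout of the OpenIddict applications row in the thread.
APPLICATIONS = {
    "TOG_Blazor_sefdemo.localhost": {
        "RedirectUris": json.dumps(
            ["https://sefdemo.localhost:44346/authentication/login-callback-test"]),
    },
}

def validate_authorize_request(url: str) -> Optional[str]:
    """Return an OAuth error code for an authorize URL, or None if the
    client_id / redirect_uri pair is acceptable."""
    params = parse_qs(urlsplit(url).query)  # parse_qs percent-decodes values
    client_id = params.get("client_id", [None])[0]
    redirect_uri = params.get("redirect_uri", [None])[0]
    app = APPLICATIONS.get(client_id)
    if app is None:
        return "invalid_client"
    # Exact string comparison: no wildcards, no prefix or host matching, so a
    # changed callback path or port must also be re-registered for the client.
    if redirect_uri not in json.loads(app["RedirectUris"]):
        return "invalid_request"  # OpenIddict reports this case as ID2043
    return None

ISSUED_CODES = {}  # code -> client_id it was issued to (constructed store)

def issue_code(code: str, client_id: str) -> None:
    """Authorization endpoint: remember which client the code was issued to."""
    ISSUED_CODES[code] = client_id

def redeem_code(code: str, client_id: str) -> Optional[str]:
    """Token endpoint: the code is bound to the issuing client, so presenting
    it with another client_id (e.g. a different tenant's) is rejected."""
    if ISSUED_CODES.pop(code, None) != client_id:
        return "invalid_grant"  # OpenIddict reports this case as ID2069
    return None
```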