Technically, adding an Authorization header with a Bearer token should work as documented in https://learn.microsoft.com/en-us/aspnet/core/grpc/authn-and-authz?view=aspnetcore-7.0
If you check with Wireshark or similar tools, does your gRPC request to YARP contain this header? Can you pinpoint the exact problem, i.e. whether it is about the request to YARP or after YARP? You may need to route the header manually; see https://microsoft.github.io/reverse-proxy/articles/header-routing.html
I don't have a sample for this scenario, unfortunately. I have it on the backlog and will check it whenever I find time.
Check your appsettings.json file. AbpAccountPublic under RemoteServices should point to the AuthServer:
"RemoteServices": {
  "Default": {
    "BaseUrl": "https://localhost:44305"
  },
  "AbpAccountPublic": {
    "BaseUrl": "https://localhost:44305" // this should be the AuthServer URL
  }
},
This is not related to ABP but to Docker Compose volume mounting.
I also can't understand the escape characters:
\- ASPNETCORE\_Kestrel\_\_Certificates\_\_Default\_\_Path=/https/mydomain\.authserver\.pfx
Do you really need to escape the _ and . characters in the YAML file? I remember running a docker-compose file on CentOS, but I don't remember using any escape characters.
My suggestion is creating a cert folder inside your solution, generating your pfx files under it, and mounting that first. After seeing it successfully works, you can alter the path. You can create a new tiered application in version 7.1 and check the template docker-compose file as a sample.
Since this is a generic question about docker-compose volume mounting, you can also ask it on StackOverflow to reach a wider audience, since we have limited knowledge of third-party tools.
You can check https://github.com/abpframework/abp/issues/15601 for the Swagger UI authorization issue.
However, your problem seems to be that the gateway is still trying to redirect to localhost for AccountService; maybe you have missed overriding the configmap of the gateways for production.
You can also check the Azure deployment scripts and values for the eShopOnAbp sample at https://github.com/abpframework/eShopOnAbp/tree/main/etc/k8s, which I can provide as a sample.
You cannot generate SSL certificates for containers; they need DNS names. If you are already mapping the host names to IP addresses (like using the hosts file in Windows), you can generate SSL certificates for them.
However, I cannot see how you have mapped the volume. If you have generated the file, just keep it in a folder and mount the file. That should work for the Kestrel environment variable.
Did you generate the pfx files?
Use the dotnet dev-certs https -v -ep my-file.pfx -p MY_PASSWORD -t command to generate a pfx file under a folder. Then you can mount this file with its path.
The template has a sample for it that is generated after using the etc/docker/run-docker.sh script. You can also compare the generated docker-compose file to see how the volume is mounted.
Edit: For Linux, pfx is problematic as far as I know. You can use OpenSSL to generate a self-signed certificate.
Can you check the PreConfigureServices method of your AuthServerModule? Do you have the configuration below to set the issuer:
PreConfigure<OpenIddictServerBuilder>(builder =>
{
    builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    builder.SetIssuer(new Uri(configuration["AuthServer:Authority"])); // this line
});
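As an added example (not the ABP template's own GetSigningCertificate), this is one way to implement the helper referenced above so that the pfx path and password come from configuration, which lets docker-compose override them just like the Kestrel certificate variables discussed earlier. The configuration keys AuthServer:CertificatePath and AuthServer:CertificatePassPhrase and the class name SigningCertificateLoader are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;

// Added example (not the template's own helper). Assumed configuration keys:
//   AuthServer:CertificatePath        e.g. "/https/authserver.pfx" (a mounted volume) or "authserver.pfx"
//   AuthServer:CertificatePassPhrase  the pfx password given to dotnet dev-certs / openssl
// docker-compose can override them as AuthServer__CertificatePath and AuthServer__CertificatePassPhrase.
public static class SigningCertificateLoader
{
    public static X509Certificate2 GetSigningCertificate(
        IWebHostEnvironment hostingEnvironment,
        IConfiguration configuration)
    {
        var configuredPath = configuration["AuthServer:CertificatePath"] ?? "authserver.pfx";
        // Relative paths resolve against the content root; absolute paths (volume mounts) are used as-is.
        var file = Path.IsPathRooted(configuredPath)
            ? configuredPath
            : Path.Combine(hostingEnvironment.ContentRootPath, configuredPath);

        if (!File.Exists(file))
        {
            // Fail fast instead of silently falling back to a development certificate.
            throw new FileNotFoundException(
                $"Signing certificate not found at '{file}'. Check the volume mount and AuthServer:CertificatePath.", file);
        }

        var passPhrase = configuration["AuthServer:CertificatePassPhrase"];
        if (string.IsNullOrEmpty(passPhrase))
        {
            throw new InvalidOperationException("AuthServer:CertificatePassPhrase is not configured.");
        }

        // EphemeralKeySet keeps the private key in memory rather than persisting it to a key store,
        // which is what you want in a Linux container (it is not supported on macOS).
        var certificate = new X509Certificate2(file, passPhrase, X509KeyStorageFlags.EphemeralKeySet);

        if (!certificate.HasPrivateKey)
        {
            throw new InvalidOperationException(
                $"Certificate {certificate.Thumbprint} has no private key; OpenIddict cannot sign or decrypt tokens with it.");
        }

        return certificate;
    }
}
```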
There was an issue where the OpenIddict localization was located in a different layer, causing OpenIddict localization not to work and not to be overridable. That issue is fixed and will be available in the next release.
For seeding permissions, you can inject IPermissionDataSeeder into your microservice data seeder. Please examine the IdentityServiceDataSeeder under IdentityService.HttpApi.Host. You can create a similar data seeder and inject it into the DatabaseMigrationChecker to seed after the database migration.
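An added example of such a data seeder (not code from the ABP template or the eShopOnAbp sample): it grants a hypothetical OrderService's permissions to the admin role through IPermissionDataSeeder. OrderService, OrderServicePermissions and OrderServiceDataSeeder are assumed names.

```csharp
using System;
using System.Threading.Tasks;
using Volo.Abp.Authorization.Permissions;
using Volo.Abp.DependencyInjection;
using Volo.Abp.PermissionManagement;

// Added example, not code from the ABP template. OrderService, OrderServicePermissions and
// OrderServiceDataSeeder are assumed names for a hypothetical microservice.
public static class OrderServicePermissions
{
    public const string GroupName = "OrderService";
    public const string Orders = GroupName + ".Orders";
    public const string OrdersCreate = Orders + ".Create";
    public const string OrdersDelete = Orders + ".Delete";
}

public class OrderServiceDataSeeder : ITransientDependency
{
    private readonly IPermissionDataSeeder _permissionDataSeeder;

    public OrderServiceDataSeeder(IPermissionDataSeeder permissionDataSeeder)
    {
        _permissionDataSeeder = permissionDataSeeder;
    }

    // Inject this seeder into the service's DatabaseMigrationChecker and call it after the
    // migrations have been applied, as the template does with IdentityServiceDataSeeder.
    public async Task SeedAsync(Guid? tenantId = null)
    {
        // The names must match the ones registered in the service's PermissionDefinitionProvider;
        // a mistyped name is stored as a grant but never matches a real permission check.
        var adminPermissions = new[]
        {
            OrderServicePermissions.Orders,
            OrderServicePermissions.OrdersCreate,
            OrderServicePermissions.OrdersDelete,
        };

        // "R" (RolePermissionValueProvider.ProviderName) grants to a role; the provider key is the
        // role name. SeedAsync only inserts grants that do not exist yet, so re-running it is safe.
        await _permissionDataSeeder.SeedAsync(
            RolePermissionValueProvider.ProviderName,
            "admin",
            adminPermissions,
            tenantId);
    }
}
```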
[09:17:53 ERR] Sequence contains more than one element
This error is about a duplicate key trying to get inserted. It may happen because of race conditions. It is not important; eventually it will be inserted and consistent.
The error indicates the Dockerfile could not find the related folder to create the image. docker-compose would not work without building the images first, since the Dockerfiles are not multi-stage Dockerfiles. You need to run etc/build/build-images-locally.ps1 to create the images first, then run etc/docker/run-docker.ps1.
I don't recommend altering the database manually, ever.
The application must handle this, since this information is cached. If you manually alter it in the database, the application won't know about it and you will still get the error, since the cache is not invalidated. Secondly, it is complicated, and all the list information is held as a string by the OpenIddict library, which is very prone to manual typos or missing commas that can be very hard to troubleshoot.
You can examine the environment variables of the DbMigrator service to see which data is overridden.
In a tiered solution, there are basically 2 different clients/applications: the Web application runs on https://localhost:44353, and Swagger UI is on Http.Api.Host, which runs on https://localhost:44354.