subdomain authentication - INVALID_REQUEST Identity Server setup #3094


0
agilmore created
  • ABP Framework version: v5.2.0
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace: 500 internal server error INVALID_REQUEST response.
  • Steps to reproduce the issue:

I'm trying to set up subdomain login for tenants. I have the following set up:

Blazor Project

Blazor Client running in an Azure Web App service, with the following configuration:

        {
          "App": {
            "SelfUrl": "https://test.mydomain.com"
          },
          "AuthServer": {
            "Authority": "https://testmydomainhost.azurewebsites.net",
            "ClientId": "App_Blazor",
            "ResponseType": "code"
          },
          "RemoteServices": {
            "Default": {
              "BaseUrl": "https://testmydomain.azurewebsites.net"
            }
          }
          ......
        }

All certificates and DNS have been set up correctly for test.mydomain.com and *.test.mydomain.com.

Host Project

The Host project is running in a separate Azure App service.

The Host project ...HttpApi.Host has been modified like this:

At the end of the ConfigureServices method of the ...HttpApiHostModule class I've added:

        Configure<AbpTenantResolveOptions>(options =>
        {
            options.AddDomainTenantResolver("{0}.test.mydomain.com");
        });

In the appsettings for the HttpApi.Host project I have:

        {
          "App": {
            "SelfUrl": "https://testmydomainhost.azurewebsites.net",
            "AngularUrl": "https://testmydomainhost.azurewebsites.net:4200",
            "CorsOrigins": "https://.testmydomainblazor.azurewebsites.net,https://testmydomainblazor.azurewebsites.net,https://test.mydomain.com, https://.test.mydomain.com",
            "RedirectAllowedUrls": "https://testmydomainhost.azurewebsites.net:4200,https://testmydomainhost.azurewebsites.net,https://.testmydomainblazor.azurewebsites.net,https://testmydomainblazor.azurewebsites.net,https://test.mydomain.com, https://.test.mydomain.com"
          },
          ....
          "AuthServer": {
            "Authority": "https://testmydomainhost.azurewebsites.net",
            "RequireHttpsMetadata": "false",
            "SwaggerClientId": "App_Swagger",
            "SwaggerClientSecret": "...."
          }
          ....
        }

Identity Server

In Identity Server I have these settings:

IdentityServerClients table:

        Id                                    ClientId
        9F9E6713-3B8F-6F35-2A69-3A03AAAFAA28  App_Web_Public
        F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D  App_App
        5A38608A-25E1-03D7-76E3-3A03AAAFABE8  App_Blazor
        70C8527D-01EA-2F4B-D58F-3A03AAAFAD68  App_Swagger
        10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E  APP_Wildcard

IdentityServerClientCorsOrigins table:

        ClientId                              Origin
        F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D  http://localhost:4200
        5A38608A-25E1-03D7-76E3-3A03AAAFABE8  https://test.mydomain.com
        70C8527D-01EA-2F4B-D58F-3A03AAAFAD68  https://testmydomainhost.azurewebsites.net
        10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E  https://*.test.mydomain.com

IdentityServerClientRedirectUris table:

        ClientId                              RedirectUri
        9F9E6713-3B8F-6F35-2A69-3A03AAAFAA28  https://localhost:44304/signin-oidc
        F372EC2E-2B89-0BF4-C9CC-3A03AAAFAB3D  http://localhost:4200
        5A38608A-25E1-03D7-76E3-3A03AAAFABE8  https://test.mydomain.com/authentication/login-callback
        70C8527D-01EA-2F4B-D58F-3A03AAAFAD68  https://testmydomainhost.azurewebsites.net/swagger/oauth2-redirect.html
        10C10C0A-72F4-D0F4-FB1C-3A03DEB6C72E  https://*.test.mydomain.com/authentication/login-callback

I've tried lots of different combinations of URLs, and can't get anything to work. I understand that this last configuration with the App_Wildcard client is not having any impact because the Blazor app is using the App_Blazor clientId.

Now this is what is happening:

If I use test.mydomain.com, everything works fine.

I added a new client tenant with the name Test1. If I navigate to test1.test.mydomain.com, the site appears correctly, but when I try to login, I get the 500 internal server error INVALID_REQUEST response.

Can you please tell me what combination of Identity Server URLs or other configuration I would need to use to get subdomain authentication working? I've tried everything I can think of.


7 Answer(s)
  • 0
    gterdem created
    Support Team

    Share related application logs please. It is found under the *Logs* folder as logs.txt file. If you are running on containers, you can also retry the process and check the container/pod logs.

  • 0
    agilmore created

    Here is the relevant log from the Host application. The key piece of information is: "Error":"invalid_request","ErrorDescription":"Invalid redirect_uri","Category":"Token","Name":"Token Issued

        2022-05-18 01:01:27.848 +00:00 [INF] Request starting HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/connect/authorize?client_id=App_Blazor&redirect_uri=https%3A%2F%2Ftest1.test.schemasight.com%2Fauthentication%2Flogin-callback&response_type=code&scope=openid%20profile%20App%20role%20email%20phone&state=1da588d11341487a94642d2bed6eab20&code_challenge=qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI&code_challenge_method=S256&prompt=none&response_mode=query - -
        2022-05-18 01:01:27.868 +00:00 [INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
        2022-05-18 01:01:27.895 +00:00 [ERR] Invalid redirect_uri: https://test1.test.schemasight.com/authentication/login-callback {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"],"SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","ResponseType":null,"ResponseMode":null,"GrantType":null,"RequestedScopes":"","State":null,"UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":"","MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"App_Blazor","redirect_uri":"https://test1.test.schemasight.com/authentication/login-callback","response_type":"code","scope":"openid profile App role email phone","state":"1da588d11341487a94642d2bed6eab20","code_challenge":"qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI","code_challenge_method":"S256","prompt":"none","response_mode":"query"},"$type":"AuthorizeRequestValidationLog"}
        2022-05-18 01:01:27.895 +00:00 [ERR] Request validation failed
        2022-05-18 01:01:27.895 +00:00 [INF] {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"],"SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","ResponseType":null,"ResponseMode":null,"GrantType":null,"RequestedScopes":"","State":null,"UiLocales":null,"Nonce":null,"AuthenticationContextReferenceClasses":null,"DisplayMode":null,"PromptMode":"","MaxAge":null,"LoginHint":null,"SessionId":null,"Raw":{"client_id":"App_Blazor","redirect_uri":"https://test1.test.schemasight.com/authentication/login-callback","response_type":"code","scope":"openid profile App role email phone","state":"1da588d11341487a94642d2bed6eab20","code_challenge":"qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI","code_challenge_method":"S256","prompt":"none","response_mode":"query"},"$type":"AuthorizeRequestValidationLog"}
        2022-05-18 01:01:27.896 +00:00 [INF] {"ClientId":"App_Blazor","ClientName":"App_Blazor","RedirectUri":null,"Endpoint":"Authorize","SubjectId":"a747cd62-452b-4a15-a5ef-3a03aaaf684a","Scopes":"","GrantType":null,"Error":"invalid_request","ErrorDescription":"Invalid redirect_uri","Category":"Token","Name":"Token Issued Failure","EventType":"Failure","Id":2001,"Message":null,"ActivityId":"80000037-0000-eb00-b63f-84710c7967bb","TimeStamp":"2022-05-18T01:01:27.0000000Z","ProcessId":1456,"LocalIpAddress":"10.11.0.196:443","RemoteIpAddress":"49.191.30.55","$type":"TokenIssuedFailureEvent"}
        2022-05-18 01:01:27.897 +00:00 [INF] Request finished HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/connect/authorize?client_id=App_Blazor&redirect_uri=https%3A%2F%2Ftest1.test.schemasight.com%2Fauthentication%2Flogin-callback&response_type=code&scope=openid%20profile%20App%20role%20email%20phone&state=1da588d11341487a94642d2bed6eab20&code_challenge=qmShTV7mfnSJPcgJKR1_0TArv9iuI7B8lrzoPIp7-oI&code_challenge_method=S256&prompt=none&response_mode=query - - - 302 - - 48.3418ms
        2022-05-18 01:01:27.958 +00:00 [INF] Request starting HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/Account/Error?errorId=CfDJ8A81w2ldNe9HkjgrAVgXeu2KSVwnb2qRNv8Q7cucfA9K5sGzzdnJcqcCwghB2LY0XRj6SvbcTAw-yBmMdeoMLE5Jp4EDCQyvou9drwxJnN8auNRbcKWZE4IUs5OQ9j9yfJp-JRD5oWywlC_T0JHy72pnJBD_tF_R9_aSDmMHH1rd-WN9t0Yps9UT4jSfv5g6BaDdhG4hfarMTw-Yyn3QyiwWjyCS-fnnhNTyYvkc81Y4HsaV4n4YJESuht8NxnE2BM3OXvJiKe7hxDwi96kf6ZD29bKu0PGvoSTruCAtN_BrBTAgBV6tg49H3mpiZkndvFgZ6SVbc6fWYlpUEDVsbhCsBhxru4q_14WAgjMIepYf - -
        2022-05-18 01:01:27.970 +00:00 [INF] Executing endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
        2022-05-18 01:01:27.974 +00:00 [INF] Route matched with {area = "account", action = "Index", controller = "Error", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Index(System.String) on controller Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController (Volo.Abp.Account.Pro.Public.Web.IdentityServer).
        2022-05-18 01:01:27.980 +00:00 [INF] Executing action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) - Validation state: "Valid"
        2022-05-18 01:01:27.980 +00:00 [INF] Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer), returned result Microsoft.AspNetCore.Mvc.ViewResult in 0.3649ms.
        2022-05-18 01:01:27.980 +00:00 [INF] Executing ViewResult, running view ~/Views/Error/500.cshtml.
        2022-05-18 01:01:28.060 +00:00 [INF] Executed ViewResult - view ~/Views/Error/500.cshtml executed in 79.2701ms.
        2022-05-18 01:01:28.060 +00:00 [INF] Executed action Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) in 85.3887ms
        2022-05-18 01:01:28.060 +00:00 [INF] Executed endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
        2022-05-18 01:01:28.066 +00:00 [INF] Request finished HTTP/1.1 GET https://testschemasighthost.azurewebsites.net/Account/Error?errorId=CfDJ8A81w2ldNe9HkjgrAVgXeu2KSVwnb2qRNv8Q7cucfA9K5sGzzdnJcqcCwghB2LY0XRj6SvbcTAw-yBmMdeoMLE5Jp4EDCQyvou9drwxJnN8auNRbcKWZE4IUs5OQ9j9yfJp-JRD5oWywlC_T0JHy72pnJBD_tF_R9_aSDmMHH1rd-WN9t0Yps9UT4jSfv5g6BaDdhG4hfarMTw-Yyn3QyiwWjyCS-fnnhNTyYvkc81Y4HsaV4n4YJESuht8NxnE2BM3OXvJiKe7hxDwi96kf6ZD29bKu0PGvoSTruCAtN_BrBTAgBV6tg49H3mpiZkndvFgZ6SVbc6fWYlpUEDVsbhCsBhxru4q_14WAgjMIepYf - - - 200 - text/html;+charset=utf-8 107.7556ms

  • 0
    gterdem created
    Support Team

        2022-05-18 01:01:27.895 +00:00 [ERR] Invalid redirect_uri: https://test1.test.schemasight.com/authentication/login-callback

        "AllowedRedirectUris":["https://test.schemasight.com/authentication/login-callback"]

    Your database has https://test.schemasight.com/authentication/login-callback as RedirectUri for your application but it should be https://test1.test.schemasight.com/authentication/login-callback or vice versa.

    Update your database with the correct redirectUri of the application.

  • 0
    agilmore created

    test1 is the name of a tenant. I'm using subdomain tenant resolver. So there could be 1000 different tenants with different names, with subdomain names <tenantName>.test.mydomain.com. That is the point of the subdomain tenant resolver.

    abp.io is supposed to support a subdomain per tenant. How do I configure to support that?

  • 0
    maliming created
    Support Team

    Hi @agilmore

    You can check this demo. https://github.com/abpframework/abp-samples/tree/master/DomainTenantResolver

    https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.IdentityServer/BookStoreIdentityServerModule.cs#L55-L61

  • 0
    agilmore created

    Thanks for that.

    So... to implement the subdomain tenant resolver, you need to modify the IdentityServer module configuration delivered with the product. The documentation points to the example you gave, but it's only for MVC, and gives absolutely no indication of what code has changed from the original implementation. This makes it nearly useless.

    This documentation: https://docs.abp.io/en/abp/5.2/Multi-Tenancy#domain-subdomain-tenant-resolver gives the impression that all that needs to change is to drop that simple code into the configuration of the host module. It's deceptive. I've seen several questions about this on this forum. You would save yourselves and others lots of time if you simply completed the documentation detailing all the places code needs to change to implement subdomain tenancy resolution.

  • 0
    maliming created
    Support Team

    You can try to add the code to your Identity Server project. Update the RootUrl of the Client, or update the identity server's data tables.

    You can migrate the demo project to check the identity server's data tables.

    https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/MVC-TIERED/src/Acme.BookStore.DbMigrator/appsettings.json#L10

        // Redirect URI validation that understands wildcard subdomain entries
        // such as https://*.test.mydomain.com/authentication/login-callback
        context.Services.AddAbpStrictRedirectUriValidator();
        context.Services.AddAbpClientConfigurationValidator();
        // CORS policy that accepts origins matching the wildcard subdomain
        context.Services.AddAbpWildcardSubdomainCorsPolicyService();
        // Resolve the tenant from the first label of the request host
        Configure<AbpTenantResolveOptions>(options =>
        {
            options.AddDomainTenantResolver("{0}.test.mydomain.com");
        });
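    To show what a strict wildcard redirect-URI check has to enforce in this scenario, here is an added illustration written for this thread; it is not ABP's own AbpStrictRedirectUriValidator nor code from the sample project. It implements IdentityServer4's IRedirectUriValidator and accepts a request for https://test1.test.mydomain.com/authentication/login-callback against the stored https://*.test.mydomain.com/authentication/login-callback only when scheme, port, path and query are identical and exactly one host label stands in for "*".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using IdentityServer4.Models;
using IdentityServer4.Validation;

// Added example (not ABP's validator): wildcard entries in Client.RedirectUris
// match only one substituted DNS label; other domains, extra labels, another
// scheme/port or a different callback path are all rejected.
public class WildcardSubdomainRedirectUriValidator : IRedirectUriValidator
{
    private const string Placeholder = "wildcardlabel";

    public Task<bool> IsRedirectUriValidAsync(string requestedUri, Client client)
        => Task.FromResult(Matches(requestedUri, client.RedirectUris));

    public Task<bool> IsPostLogoutRedirectUriValidAsync(string requestedUri, Client client)
        => Task.FromResult(Matches(requestedUri, client.PostLogoutRedirectUris));

    public static bool Matches(string requested, IEnumerable<string> allowed)
    {
        if (!Uri.TryCreate(requested, UriKind.Absolute, out var req)) return false;
        return allowed.Any(pattern => MatchesOne(req, pattern));
    }

    private static bool MatchesOne(Uri req, string pattern)
    {
        // Plain entries (like the existing App_Blazor row) must match exactly.
        if (!pattern.Contains("://*."))
            return string.Equals(req.OriginalString, pattern, StringComparison.Ordinal);

        // Swap "*" for a fixed label so the stored pattern parses as a URI.
        var parsable = pattern.Replace("://*.", "://" + Placeholder + ".");
        if (!Uri.TryCreate(parsable, UriKind.Absolute, out var pat)) return false;

        // Only the host may differ; scheme, port, path and query must be identical.
        if (req.Scheme != pat.Scheme || req.Port != pat.Port) return false;
        if (req.PathAndQuery != pat.PathAndQuery) return false;

        // Host must be <one label> followed by the fixed suffix (".test.mydomain.com").
        // A dot inside the label means an extra level, so "a.b.test.mydomain.com" fails.
        var suffix = pat.Host.Substring(Placeholder.Length);
        if (!req.Host.EndsWith(suffix, StringComparison.OrdinalIgnoreCase)) return false;
        var label = req.Host.Substring(0, req.Host.Length - suffix.Length);
        return label.Length > 0 && label.IndexOf('.') < 0;
    }
}
```

    It would be registered with `.AddRedirectUriValidator<WildcardSubdomainRedirectUriValidator>()` on the IdentityServer builder; in an ABP solution the `AddAbpStrictRedirectUriValidator()` call from the answer above is the framework's own way to get wildcard subdomain validation.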