How can I get access_token using password flow for a tenant? #5485


mgurer created
  • ABP Framework version: v7.2.1
  • UI Type: Blazor WASM
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes (commercial micro services)
  • Exception message and full stack trace:
  • Steps to reproduce the issue: Hello, I want to get a user access token using the password flow. When I post data (client_id, client_secret, grant_type, username, scope, password) to the /connect/token endpoint of the authserver, I successfully get the access token of the user for the host site. But I could not figure out how to get an access_token for the tenant site. Is there any way to get an access token by providing tenant_id using the password flow? Thanks.

5 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    You can add a new post data.

    __tenant: TenantName
    

  • mgurer created

    Thanks

  • mgurer created

    Hi again. I tested the __tenant header. Here are my test results:

    1 - I have created a new tenant named "Test" with admin password 1.

    2 - I set the __tenant header to "Test", username to admin and password to 1, and successfully received the access token.

    3 - I removed the __tenant header and reposted the last payload with password 1, and still got the access token. (On the host site the admin password is 1q2w3E*.) When I look into the access_token, I still see the tenantId claim set. This behaviour is suspicious.

    4 - I set the __tenant header to "XX" and password to 1, and the result was a warning about a missing tenant.

    5 - I removed the __tenant header once more and sent 1 as the password, and I got a warning about invalid credentials.

    6 - I set the password to the ABP default admin password, and got the access_token for the host site.

    In summary, when I set the __tenant header, it is cached, and the cache remains until an unsuccessful attempt is made.

    Can you confirm that?

  • maliming created
    Support Team Fullstack Developer

    hi

    As summary, when I set __tenant header, it is cached and until an unsuccessful attempt made, the cache remains still.

    Can you share a simple project to reproduce this?

    liming.ma@volosoft.com

  • mgurer created

    Hi,

    I have tested the tenant header using Postman.

    I figured out that Postman adds a header named Cookie.

    This header also includes a field named __tenant, which stores the last successfully gathered tenant id.

    This header is hidden by default in the Postman app, so you cannot figure it out easily.

    When I remove my own __tenant header, Postman keeps adding the hidden header to the request, which results in the strange behaviour that I described before.

    So, the problem is not with ABP but with the test tool, Postman.

    Below you can see the header named Cookie added by the tool.
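
An added example, not part of the thread and not ABP's code: a pre-flight check for a token-request test script that lists every place a `__tenant` value travels in the request (form field, header, Cookie header) and flags any value the caller did not intend, which is the situation the last post traced to Postman's cookie jar. The client id, secret, scope, password and GUID below are constructed placeholders, and the function names are hypothetical.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlencode

TENANT_KEY = "__tenant"  # key name used in the thread
# Constructed sample of a cookie a test tool kept from an earlier tenant login.
STALE_COOKIE = "__tenant=11111111-2222-3333-4444-555555555555; lang=en"

def build_token_request(username, password, tenant=None, cookie_header=None):
    """Return (headers, body) for a password-grant POST to /connect/token."""
    form = {
        "grant_type": "password",
        "client_id": "Sample_Client",      # placeholder
        "client_secret": "sample-secret",  # placeholder
        "scope": "SampleScope",            # placeholder
        "username": username,
        "password": password,
    }
    if tenant is not None:
        form[TENANT_KEY] = tenant
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cookie_header:
        headers["Cookie"] = cookie_header
    return headers, urlencode(form)

def tenant_sources(headers, body):
    """Map each carrier (form, header, cookie) to the tenant value it holds."""
    found = {}
    form = parse_qs(body)
    if TENANT_KEY in form:
        found["form"] = form[TENANT_KEY][0]
    for name, value in headers.items():
        if name.lower() == TENANT_KEY:
            found["header"] = value
        elif name.lower() == "cookie":
            jar = SimpleCookie()
            jar.load(value)
            if TENANT_KEY in jar:
                found["cookie"] = jar[TENANT_KEY].value
    return found

def audit(headers, body, intended_tenant):
    """Return one finding per tenant value that differs from the intended one."""
    return [f"{src} carries {TENANT_KEY}={val!r}, intended {intended_tenant!r}"
            for src, val in tenant_sources(headers, body).items()
            if val != intended_tenant]

if __name__ == "__main__":
    h, b = build_token_request("admin", "placeholder-password", cookie_header=STALE_COOKIE)
    for finding in audit(h, b, intended_tenant=None):
        print("WARNING:", finding)
```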

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11