Infinite Loop Issue with Superadmin Login in Multitenant OpenIddict Configuration #7332 | Support Center | ABP Commercial

anurag.tyagi créé il y a 9 jours

ABP Framework version: v8.0.2
UI Type: Angular
Database System: EF Core (MySQL)
Tiered (for MVC) or Auth Server Separated (for Angular): no
Exception message and full stack trace: infinite loop, with no errors in the logs
Steps to reproduce the issue: enable multitenancy, try to login as superadmin

I enabled multitenancy based on this example: ABP Framework Sample.

Later, I encountered an issue where the issuer endpoint was set to the main domain (mydomain.com) instead of the tenant subdomain (tenant.mydomain.com).

To resolve this, I had to comment out the following line in the configuration:

PreConfigure<OpenIddictServerBuilder>(builder =>
{
    builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
    // builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
});

After commenting out this line, the multitenancy worked correctly for tenant1.mydomain.com, tenant2.mydomain.com, etc.

However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:

{
  "error": "invalid_grant",
  "error_description": "The issuer associated to the specified token is not valid.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2088"
}

In your forums, I found this topic: Local Docker Installation which suggests that the issue may be caused by the aforementioned commented-out line. However, my multitenancy setup does not work with that line included.

Additionally, there are no errors in the logs, and the logs are clean.

How can I fix this issue where the main domain login for the superadmin ends up in an infinite loop due to the invalid issuer token, while still maintaining the correct issuer endpoint for tenant subdomains?

Thank you.

5 Réponse (s)

0

maliming créé il y a 8 jours
Équipe d'assistance Fullstack Developer

hi

What are error logs when builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));?
0
anurag.tyagi créé il y a 8 jours
Hi,

Thanks for your response.

There are no backend logs on this issue, on the frontend console I see:

invalid issuer in discovery document expected: https://tenant.api.mydomain.com current: https://api.mydomain.com/

and when I check the https://api.mydomain.com/.well-known/openid-configuration endpoint, I see the following configuration:

{ "issuer": "https://api.mydomain.com", "authorization_endpoint": "https://tenant.api.mydomain.com/connect/authorize", "token_endpoint": "https://tenant.api.mydomain.com/connect/token", "introspection_endpoint": "https://tenant.api.mydomain.com/connect/introspect", "end_session_endpoint": "https://tenant.api.mydomain.com/connect/logout" }

FYI, this issue is not reproducible locally as soon as SetIssuer is in the if (!hostingEnvironment.IsDevelopment()) block.
0

maliming créé il y a 8 jours
Équipe d'assistance Fullstack Developer

hi

The issuer is obtained by request.Scheme + Uri.SchemeDelimiter + host + request.PathBase if you don't call the SetIssuer method.

invalid issuer in discovery document expected

You could disable issuer validation using skipIssuerCheck. https://manfredsteyer.github.io/angular-oauth2-oidc/docs/classes/AuthConfig.html#skipIssuerCheck
0

anurag.tyagi créé il y a 8 jours

Hi,

Is it OK to disable the issuer validation on production?

also, without SetIssuer the login works just fine on all other tenants (tenant1.mydomain.com, tenant2.mydomain.com) but not for mydomain.com, it should work the same way for all URLs, right?

Can I somehow remove SetIssuer and find a solution to the problem described above? or the only way is to bring it back and disable issuer validation?

Many thanks for considering my request.
0
maliming créé il y a 7 jours
Équipe d'assistance Fullstack Developer
hi

Is it OK to disable the issuer validation on production?

I think it's ok.

https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/OpenIddict/NG/angular/src/environments/environment.ts#L16

However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:

{ "error": "invalid_grant", "error_description": "The issuer associated to the specified token is not valid.", "error_uri": "https://documentation.openiddict.com/errors/ID2088" }

Can you share a access_token in this error?

Vous avez une réponse à cette question? Connexion et écrivez votre réponse.