
Issue while redirecting tenant after identity server login (using subdomain tenant resolver) #924


[email protected] created


  • ABP Framework version: v4.2.0
  • UI type: Angular
  • DB provider: MongoDB
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace: Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10205: Issuer validation failed. Issuer: 'System.String'. Did not match: validationParameters.ValidIssuer: 'System.String' or validationParameters.ValidIssuers: 'System.String'. at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateIssuer(String issuer, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
  • Steps to reproduce the issue: After logging in at the identity server, I'm redirected to the correct 'subdomain.mydomain.com' but I'm in fact not logged in at the UI and the exception above is listed in the identity server logs.txt. Checking 'identityserver.subdomain.mydomain.com' it's possible to see 'myuser' logged in at the correct tenant/subdomain. I'm using 'Tenant Specific Remote Endpoints' from https://docs.abp.io/en/abp/latest/UI/Angular/Multi-Tenancy at the front-end and 'Subdomain Tenant Resolvers' from 'https://docs.abp.io/en/abp/latest/Multi-Tenancy' for both the HttpApi.Host ({0}.api.domain.com) and IdentityServer ({0}.is.domain.com).

Identity server is logged in.

UI is not logged in.

Do you think this is something related to the way the URLs are set up?

Another potential issue and something I'm not able to address right now is how to add RedirectUri objects for the subdomains, right now I'm hardcoding a 'subdomain.domain.com' redirect uri. Is there any way to dynamically redirect according to the current tenant?


4 Answer(s)
  • maliming (Support Team) created

    hi

    You can take a look this https://github.com/abpframework/abp/issues/5589#issuecomment-722084689

  • [email protected] created

    I couldn't make your suggestion work.

    The only way I was able to get rid of the exception and log into the UI was by setting ValidateIssuer to false as in https://github.com/abpframework/abp/issues/3304#issuecomment-609030329, but this is just a work-around as it may raise some security issues.

    Regarding the RedirectUris, how can I have them defined dynamically? As I mentioned earlier I set 'subdomain.domain.com' as a redirect uri for the 'ClientelePortal_App' client directly on the database.
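Rather than switching ValidateIssuer off, the API can keep issuer validation on and accept only issuers that fit the tenant subdomain template, so a token whose iss is an unrelated host is still rejected. This is an added example, not ABP's or the reporter's code; the issuer template "https://{0}.is.domain.com", the class and method names, and the call site in the HttpApi.Host module are assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Added example (not ABP's code); the issuer template and names are assumptions.
public static class TenantIssuerValidation
{
    // One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
    private const string TenantLabel = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";

    // Turns "https://{0}.is.domain.com" into a regex that accepts exactly one tenant
    // label in place of {0} (or none, for the host tenant) and nothing else.
    public static Regex BuildIssuerPattern(string issuerTemplate)
    {
        var escaped = Regex.Escape(issuerTemplate)
            .Replace(Regex.Escape("{0}."), $"(?:{TenantLabel}\\.)?");
        return new Regex($"^{escaped}/?$", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);
    }

    // Returns the issuer when it fits the template; otherwise throws the same exception
    // type seen in the log, so the failure still surfaces as an issuer-validation error.
    public static string ValidateIssuer(string issuer, Regex pattern)
    {
        if (!string.IsNullOrEmpty(issuer) && pattern.IsMatch(issuer))
        {
            return issuer;
        }
        throw new SecurityTokenInvalidIssuerException(
            $"Issuer '{issuer}' does not match the tenant issuer template.") { InvalidIssuer = issuer };
    }

    // Replaces the template's AddJwtBearer call: metadata and signing keys still come
    // from the fixed Authority, only the issuer check becomes tenant-aware.
    public static IServiceCollection AddTenantAwareJwtBearer(this IServiceCollection services,
        string authority, string audience, string issuerTemplate)
    {
        var pattern = BuildIssuerPattern(issuerTemplate);
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = authority;
                options.Audience = audience;
                options.TokenValidationParameters.ValidateIssuer = true;
                options.TokenValidationParameters.IssuerValidator =
                    (issuer, token, parameters) => ValidateIssuer(issuer, pattern);
            });
        return services;
    }
}
```

In ConfigureServices of the HttpApi.Host module, call context.Services.AddTenantAwareJwtBearer(...) with the same Authority and Audience values the template passes to AddJwtBearer, plus the issuer template.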

  • maliming (Support Team) created

    For Identity Server, RedirectUris is fixed; I will try to find a way to make it dynamic.

  • maliming (Support Team) created

    You can check this https://github.com/abpframework/abp/pull/7783