I enabled multitenancy based on this example: ABP Framework Sample.
Later, I encountered an issue where the issuer endpoint was set to the main domain (mydomain.com) instead of the tenant subdomain (tenant.mydomain.com).
To resolve this, I had to comment out the following line in the configuration:
PreConfigure<OpenIddictServerBuilder>(builder =>
{
builder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
builder.AddEncryptionCertificate(GetSigningCertificate(hostingEnvironment, configuration));
// builder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
});
After commenting out this line, the multitenancy worked correctly for tenant1.mydomain.com, tenant2.mydomain.com, etc.
However, I now face an issue when trying to log in with the admin user to mydomain.com as a "superadmin". I end up in an infinite loop because the /connect/token endpoint responds with a 400 error:
{
"error": "invalid_grant",
"error_description": "The issuer associated to the specified token is not valid.",
"error_uri": "https://documentation.openiddict.com/errors/ID2088"
}
In your forums, I found this topic: Local Docker Installation which suggests that the issue may be caused by the aforementioned commented-out line. However, my multitenancy setup does not work with that line included.
Additionally, there are no errors in the logs, and the logs are clean.
How can I fix this issue where the main domain login for the superadmin ends up in an infinite loop due to the invalid issuer token, while still maintaining the correct issuer endpoint for tenant subdomains?
Thank you.
Hi, thanks for the help. It got us quite far. I believe we only have one last issue before subdomains work for us:
we have a frontend angular method that establishes a connection to the backend but it reads the backend url from the appsettings and hence also contains the {0}, which is not resolved and not recognized by the backend.
private createConnection(): void {
this.hubConnection = new HubConnectionBuilder()
.withUrl(environment.apis.default.url + '/hubroute', { accessTokenFactory: () => localStorage.getItem('access_token') })
.withAutomaticReconnect()
.build();
}
is there an out of the box way to get the resolved tenant url in the frontend?
<lpx-toolbar [profileRef]="profileRef$" (profileClick)="toggleCtxMenu()"> <ng-container *ngIf="{ user: userProfileService.user$ | async, profileRef: profileRef$ | async } as data" > <lpx-context-menu *ngIf="data.profileRef" #menu="lpx-context-menu" (lpxClickOutside)="menu.close()" [exceptedRefs]="[data.profileRef]" > <ng-container *ngFor="let actions of data.user?.userActionGroups;~~~~"> <lpx-context-menu-action-group> <lpx-navbar-routes [navbarItems]="actions" [routerItem]="false" ></lpx-navbar-routes> </lpx-context-menu-action-group> </ng-container> </lpx-context-menu> </ng-container> </lpx-toolbar>
Toolbar-container.component.ts
import { Component, ElementRef, ViewChild } from '@angular/core'; import { ReplaySubject } from 'rxjs'; import { ContextMenuComponent } from '@volosoft/ngx-lepton-x'; import { UserProfileService, ToolbarService } from '@volo/ngx-lepton-x.core'; import { ToolbarTranslateKeys } from './enums'; @Component({ selector: 'app-pm-toolbar-container', templateUrl: './toolbar-container.component.html', }) export class ToolbarContainerComponent { @ViewChild(ContextMenuComponent, { static: false }) ctxMenu!: ContextMenuComponent; profileRef$ = new ReplaySubject<ElementRef>(1); welcomeText = ToolbarTranslateKeys.ContextMenuWelcome; constructor( public toolbarService: ToolbarService, public userProfileService: UserProfileService ) {} toggleCtxMenu(): void { this.ctxMenu.toggle(); } }
toolbar-container.module.ts
import { ModuleWithProviders, NgModule } from '@angular/core'; import { CommonModule } from '@angular/common'; import { LPX_TRANSLATE_TOKEN, LpxAvatarModule, LpxClickOutsideModule, LpxNavbarModule, LpxTranslateModule, } from '@volo/ngx-lepton-x.core'; import { LpxContextMenuModule } from '@volosoft/ngx-lepton-x'; import { LpxToolbarModule } from '@volosoft/ngx-lepton-x/layouts'; import { ToolbarContainerComponent } from './toolbar-container.component'; import { ToolbarTranslateDefaults } from './enums'; @NgModule({ declarations: [ToolbarContainerComponent], imports: [ CommonModule, LpxContextMenuModule, LpxClickOutsideModule, LpxAvatarModule, LpxNavbarModule, LpxToolbarModule, LpxTranslateModule, ], exports: [ToolbarContainerComponent], }) export class LpxToolbarContainerModule { static forRoot(): ModuleWithProviders<LpxToolbarContainerModule> { return { ngModule: LpxToolbarContainerModule, providers: [ { provide: LPX_TRANSLATE_TOKEN, useValue: [ToolbarTranslateDefaults], multi: true, }, ], }; } }
I added the code from that example to my project (v8.0.2) and deployed the version to an environment with an actual domain/subdomain, but it did not work. It has the issue that I described in the initial question.
can you maybe give some hints and ideas, on what could I check, and where I could have an issue?
Yes, I changed that file as well, but I am still encountering the same error. Can you please point out the configuration that will allow OpenIddict to hook the issuer from the subdomain?
From the documentation, it seems like this should achieve that:
// using Volo.Abp.OpenIddict.WildcardDomains
PreConfigure<AbpOpenIddictWildcardDomainOptions>(options =>
{
options.EnableWildcardDomainSupport = true;
options.WildcardDomainsFormat.Add("https://{0}.api.mydomain.com");
});
I have included this configuration as well, but the issuer still defaults to the main domain of the backend (api.mydomain.com) instead of the subdomain (tenant.api.mydomain.com).
Is there any other setting or configuration that I might be missing to ensure the issuer includes the tenant name in the subdomain?
I checked it and tried to include changes from https://github.com/abpframework/abp-samples/blob/master/DomainTenantResolver/OpenIddict/NG/aspnet-core/src/BookStore.HttpApi.Host/BookStoreHttpApiHostModule.cs to my project, however, I still get the same result and the issuer is still wrong. from the commit history, I don't see if there are more changes to be done, maybe you can give a hint about which files to look?
Hi,
Thanks for your quick response.
I also found that example and based on my comparison, it seems like I have a similar setup (nevertheless the the example version I below my current version).
Hello,
I have enabled multitenancy in my project using the documentation provided at ABP Multi-Tenancy Guide.
However, I'm encountering an issue. When I try to open the URL tenant.mydomain.com, I am redirected to tenant.api.mydomain.com, and I get the following console log error in the browser:
invalid issuer in discovery document expected: https://tenant.api.mydomain.com current: https://api.mydomain.com/
When I check the https://api.mydomain.com/.well-known/openid-configuration endpoint, I see the following configuration:
{
"issuer": "https://api.mydomain.com",
"authorization_endpoint": "https://tenant.api.mydomain.com/connect/authorize",
"token_endpoint": "https://tenant.api.mydomain.com/connect/token",
"introspection_endpoint": "https://tenant.api.mydomain.com/connect/introspect",
"end_session_endpoint": "https://tenant.api.mydomain.com/connect/logout"
}
It seems like the issuer doesn't include the tenant name in the subdomain. Could you please guide me on what additional steps I need to take to ensure that the issuer includes the tenant name in the subdomain and that the tenant domain resolver works correctly?
P.S. if you know any better or complete documentation please let me know
Thanks in advance
Hi devs,
We are using the angular version of ABP commercial and we want to modify the login process a little bit by making an API call to an external service where we first verify the user credentials entered into the cshtml login form and then log the user into asp upon success. This logic we want to handle in the login.cshtml.cs file because it makes most sense in our case. We want to also modify the login form itself to show additional fields.
For this, we have tried to overwrite the login.cshtml but then the login button stops working if we also overwrite the login.cshtml.cs file. we put the files in here to overwrite them:** /aspnet-core/src/Pm.GovernmentGpt.HttpApi.Host/Pages/Account/Login.cshtml** and for the cshtml file it works we used the code for the login.cshtml we found here (https://community.abp.io/posts/how-to-customize-the-login-page-of-an-abp-blazor-application-by4o9yms) as well as from the source code of the module, but as soon as we copy the login.cshtml.cs file from the source code into the directory mentioned above, the login button does nothing. Any ideas/hints as to why?
Thanks
ah I see, thanks for that info. How can we override the form? Any hints would be appreciated.
Thanks for the support.