Activities of "cfd000"
ABP Framework version: v4.4.2
UI type: MVC
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes
Exception message and stack trace: C:\SRC\abp-4.4.2\identity-pro>dotnet build Microsoft (R) Build Engine version 16.11.0+0538acc04 for .NET Copyright (C) Microsoft Corporation. All rights reserved.
Determining projects to restore... Skipping project "C:\SRC\abp-4.4.2\licensing\Volo.Abp.AspNetCore.Mvc.UI.Theme.Commercial\Volo.Abp.AspNetCore.Mvc.UI.Theme.Commercial.csproj" because it was not found. Skipping project "C:\SRC\abp-4.4.2\licensing\Volo.Abp.Commercial.Core\Volo.Abp.Commercial.Core.csproj" because it was not found. Skipping project "C:\SRC\abp-4.4.2\licensing\Volo.Abp.Commercial.Core\Volo.Abp.Commercial.Core.csproj" because it was not found. Skipping project "C:\SRC\abp-4.4.2\licensing\Volo.Abp.Commercial.Core\Volo.Abp.Commercial.Core.csproj" because it was not found.
Steps to reproduce the issue:"
- Download 4.4.2 tag from GIT, and extract to a local directory (in this case, C:\Src\abp-4.4.2\abp )
- Create a folder C:\Src\abp-4.4.2\identity-pro
- Use CLI to download source (abp get-source Volo.Identity.Pro --local-framework-ref --abp-path ......\ )
- Run dotnet restore
We have been unable to build most of the "PRO" modules due to the missing "Volo.Abp.Commercial" projects.
This is a bug in the ABP get-source function.
If it is not possible to get the source for a given module, the resulting project files should reference the package. The resulting output is non-functional without manually editing 89 broken project references.
The challenge we have is that we are trying to debug core framework functionality, and our solution built using ABP Suite is not allowing that to happen. We switched to building the solution using the CLI, which does allow the breakpoints to be hit, but requires a HUGE amount of manual editing of dozens of project files just to get a successful compile.
One of the huge benefits of paying for ABP Commercial was access to the full source code. Without the ability to easily debug at every level (our projects, the ABP Pro/Commercial modules, and the base open source ABP framework) we are not getting the benefits we were promised.
The best practice is creating your folder structure same as ABP is,
- YourCompany's Project folder
- abp contains abp github repository
- abp-pro contains abp-pro modules
- naming the pro modules with same as abp (attached img)
When using
--local-framework-ref --abp-pathtarget --abp-path to abp
After this you need just few minutes of manual working Replace all\abp\abp\with\abp-pro\
Thanks for the suggestions. I was able to come up with a script that got it all working (prior to seeing your posts). My folder structure put "abp" in the same directory as the pro modules (basically those folders all all moved up 1 level from where you put them), and I was able to replace SuiteTemplate with a reference in the same way as "Commercial.Core".
Any idea if that matters? Everything seems to be compiling, the only problem I have now is the CLI project creation with local references creates a project that will also need some references "fixed".
- ABP Framework version: v4.4.3
- UI type: MVC / Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:"
When deploying a tiered application in containers behind an application gateway, what is the recommended configuration? The main web interface and API Host seem to work fine by configuring the "/" path to reoute to the "Web" and "/swagger" and "/api" to route to the HTTPAPI server, but routing "/Account" to the identity server causes problems (such as resources not being found).
- Should it be configured similar to a virtual directory, where all URLs have a specific path (something like "/Identity/Account/Login" instead of the current behavior of just "/Account/Login")?
-
- If so, how do I configure JUST the IdentityServer project to expect a path beyond the base URL (trying to put http://localhost/Identity" in the appsettings.json seems to ignore the "/Identity" part)
- Is there a different way to make the 3 separate containers work properly? We do not want to go to the full microservice template if possible.
To clarify, do you want to deploy all your applications (Http.Api.Host, Web and IdentityServer) to same domain with sub folders? Web is running on: mydomain Http.Api.Host on: mydomain.com/api IdentityServer on: mydomain.com/account
If so, you will need to write Rewrite rule in load balancer (nginx i suppose) to redirect to /account
You can check deployment configurations docs. Also official identityserver4 deployment docs.
If you have already deployed identityserver, you can also share its link.
Correct. I have the rules configured and working, but the interactions aren't correct.
For RemoteServices__Default__BaseUrl I am using the internal name of the HTTP-API service. For AuthServer__Authority I cannot use the internal name because the redirect to the login page does not work externally. When I put the FQDN of the Identity-Server (with /Account at the end), and click the Login button, I am redirected to my url.com/?handler=Login which does not load.
- Should the Identity server external URL be configured for AuthServer__Authority?
- How do I get the Login button to redirect to url.com/Account/Login (or, is there another way to get that redirection to work properly behind the load balancer?)
UPDATE
I was able to get Idenity Server working better by modifying the Startup.cs:
public void Configure(IApplicationBuilder app) { app.UseStaticFiles("/IdentityServer"); app.UsePathBase("/IdentityServer"); app.InitializeApplication(); }
and modifying the ...Module.cs to include (ABOVE the app.UseIdentityServer(); line!):
var forwardOptions = new ForwardedHeadersOptions
{
ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor | Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto,
RequireHeaderSymmetry = false
};
forwardOptions.KnownNetworks.Clear();
forwardOptions.KnownProxies.Clear();
// ref: https://github.com/aspnet/Docs/issues/2384
app.UseForwardedHeaders(forwardOptions);
This allows the LOGIN button to redirect to the Identity login page. Now if I go directly to the /IdentityServer/ URL (which redirects me to /IdentityServer/Account/Login), I can login successfully. The problem is:
If I go to the MVC Index page and click the Login button the Request URL header has this:
https://url.com/IdentityServer/connect/authorize?client_id=ABPWeb_Web&redirect_uri=http://url.com/signin-oidc&response_type=code id_token&scope=openid
When this happens, the /IdentityServer/Account/Login page redirects to a 500 error page with a message "Invalid redirect_uri"
Where does the redirect_uri come from? I am running HTTPS up to the load balancer, and HTTP behind it.
It turns out that the problem was that it is necessary to put the ForwardedHeadersOptions code into EACH PROJECT, simply adding it to IdentityServer is not enough. In hindisght this makes sense, as the MVC project is what generates the headers with the redirect URL in them.
- ABP Framework version: v4.4.3
- UI type: MVC
- DB provider: EF Core (PostgreSQL)
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:"
We have a tiered application which is setup as 4 web endpoints: HttpApi, Identity, Web(MVC), and Web(Public). All works correctly in Visual Studio when running under IIS.
We have deployed this application to Azure Kubernetes (AKS), and are running behind a reverse proxy (Azure Application Gateway), which is doing SSL offload and routing.
In order to route appropriately, the MVC Web app was set to a BasePath of /MVC, and Identity was set to a BasePath of /IdentityServer (HttpApi calls are routed by configuring /api and /swagger)
Each project has ForwardedHeaders configured in their respective module under OnApplicationInitialization, and Cookie.Path is set to "/" in ConfigureServices of the module.
Login works, and Identity pages are accessible, but pages that require a background API call fail with "Authorization failed! Given policy has not granted.". I can go to the /swagger page and I am able to authenticate and successfully return results from these same API calls.
We would prefer not to go to a full microservice setup, what else needs to be configured for the tiered application to work when containerized? Could this be related to the cookie paths that are set to /IdentityServer and /MVC - how do I fix those?
From the MVC Web pod:
10/28/2021, 4:03:07 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:07 INF] Received HTTP response headers after 998.7507ms - 200 10/28/2021, 4:03:07 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:07 INF] End processing HTTP request after 998.8642ms - 200 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:08 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: SettingManagement.Emailing 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:08 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: AbpAccount.SettingManagement 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:08 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: AbpIdentity.SettingManagement 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:08 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:08 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: LeptonThemeManagement.Settings 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:09 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: SettingManagement.Emailing 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:09 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: AbpAccount.SettingManagement 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:09 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: AbpIdentity.SettingManagement 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:09 INF] Authorization failed. These requirements were not met: 10/28/2021, 4:03:09 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 PermissionRequirement: LeptonThemeManagement.Settings 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Executed page /Index in 4323.8182ms 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Executed endpoint '/Index' 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Request finished HTTP/1.1 GET http://localhost/ - - - 200 - text/html;+charset=utf-8 4345.5647ms 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Executed page /Index in 4160.1205ms 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Executed endpoint '/Index' 10/28/2021, 4:03:10 PM web-mvc-74cd795647-vtvfv a501ad9903ebcf015f869a39f5c3a8a24237c9db0b9f3c3296b4dd791674d8f7 [20:03:10 INF] Request finished HTTP/1.1 GET http://localhost/ - - - 200 - text/html;+charset=utf-8 4171.5145ms