We are currently in the process of implementing multi tenancy but most likely have an odd domain setup.
Our customers will be able to go to exampleapp.com or tenant.exampleapp.com. If they go to the apex domain they will be asked to find their tenant. When the user is on the correct tenant e.g. tenant1.exampleapp.com they will have all the applications available (before logging in).
The user then clicks on an application and gets redirected to the application with the tenant in the query string e.g. app1.exampleapp.com?__tenant=tenantname. I have made a change where if the user is not already authenticated they will be redirected to the auth server (exampleapp.com) with the tenant in the domain (tenant.exampleapp.com).
I have resolved the invalid issuer issue but am now facing the invalid_grant error and am not sure how to resolve this.
The main goal is to allow the customer to have a vanity URL to the landing page so it can be branded etc. but the main applications (of which there are 3 for our customers) are all on specific subdomains (app1, app2, app3.exampleapp.com). I have tried simply redirecting the user to the auth server with the __tenant query string but the tenant gets lost in all the redirects.
10 Answer(s)
-
0
hi
now facing the invalid_grant error and not sure how to resolve this.
Can you share full debug/error logs?
https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems
Thanks.
-
0
Hi,
Just sent an email with the logs and module classes.
Thanks
-
0
hi
Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2088', status code '400'.
The issuer in your access token has a problem. Can you share an access token with liming.ma@volosoft.com
Thanks.
-
0
The issuer would have been the tenant version of the login page whereas the app is using the authority.
How do I get an access token to share with you?
-
0
hi
Add a middleware to your https://localhost:44374, then write the Authentication header to the logs.
GET /https://localhost:44374 HTTP/1.1
Host: https://localhost:44374
Authorization: Bearer eyJhbGciOi// your access token.
Also enable debug/verbose logs.
-
0
hi
IDX10205: Issuer validation failed. Issuer: 'https://localhost:44372/'. Did not match: validationParameters.ValidIssuer: 'null' or validationParameters.ValidIssuers: '{0}.localhost'.
Please try to add https://localhost:44372/ to ValidIssuers list.
And your wildcard domain format: *.localhost needs the port.
-
0
Hi,
Valid issuers is not the problem I am facing.
-
0
Is the "Message contains error: 'invalid_grant', error_description: 'The issuer associated to the specified token is not valid.'" error solved?
-
0
Applied the change and fixed the if statement and still get the invalid_grant error.
Instead of us redirecting the user from the auth-server to tenant.auth-server then to the app, is there a way for the app to persist the __tenant query string when the user gets redirected to /connect/authorize then to the /account/login?
-
0
and still get the invalid_grant error.
Please share the new host - identitymodel.txt again.
The issuer should end with /
https://localhost:44372/
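
The issuer mismatches quoted in this thread (a ValidIssuers entry of '{0}.localhost' checked against the issuer 'https://localhost:44372/', the missing port, the trailing slash) can be reproduced with a small matcher. This is an added example, not code from any poster, ABP or OpenIddict; the IssuerCheck class, its handling of the "{0}" tenant placeholder and the tenant1 sample values are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Text.RegularExpressions;

// Added illustration; IssuerCheck is a hypothetical helper, not ABP or OpenIddict code.
public static class IssuerCheck
{
    // Build an anchored regex from a format such as "https://{0}.localhost:44372/",
    // where "{0}" (assumed tenant placeholder) matches exactly one DNS label.
    private static Regex ToRegex(string format)
    {
        var literals = format.Split(new[] { "{0}" }, StringSplitOptions.None).Select(Regex.Escape);
        return new Regex(@"\A" + string.Join("[A-Za-z0-9-]+", literals) + @"\z");
    }

    // An issuer is accepted only on an exact, case-sensitive match of the whole
    // string: scheme, host, port and trailing slash all take part in the comparison.
    public static bool IsValid(string issuer, string[] validIssuers)
    {
        return validIssuers.Any(candidate => candidate.Contains("{0}")
            ? ToRegex(candidate).IsMatch(issuer)
            : string.Equals(candidate, issuer, StringComparison.Ordinal));
    }

    public static void Main()
    {
        // Constructed sample issuers, built from the host and port quoted in the thread.
        string[] issuers =
        {
            "https://localhost:44372/",          // apex issuer from the IDX10205 message
            "https://tenant1.localhost:44372/",  // tenant issuer (tenant1 is made up)
            "https://tenant1.localhost:44372",   // same, without the trailing slash
        };
        string[] asLogged = { "{0}.localhost" };  // ValidIssuers value shown in the log
        string[] adjusted = { "https://localhost:44372/", "https://{0}.localhost:44372/" };

        foreach (string iss in issuers)
        {
            string before = IsValid(iss, asLogged) ? "accepted" : "rejected";
            string after = IsValid(iss, adjusted) ? "accepted" : "rejected";
            Console.WriteLine($"{iss,-34} as logged: {before}  adjusted: {after}");
        }
    }
}
```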