
Not sharing authentication among multiple client applications connecting to the same host application #10607


quTIP created

Prerequisites

Please answer the following questions before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • What is your product version? 10.3
  • What is your product type (Angular or MVC)? Angular but Public Web Site Is MVC
  • What is product framework type (.net framework or .net core)? .net core

If issue related with ABP Framework

  • What is ABP Framework version? 6.3

Admin App is Angular, but we have changed the Public Web Site to support its own login (instead of single sign-on). In other words, we generated the admin again in MVC, then removed all unwanted pages and kept anything related to Accounts, Login, Authentication and so on. So now there are 2 client applications connecting to the same Host.

The problem now is: when we log in with a certain user in one of the client applications, the other client application automatically becomes logged in with the user of the other client application. By the way, the same happens with the Swagger UI: when we log in with a user in one client application, Swagger automatically becomes logged in with the same user. Even worse, when the user changes tenant at one client application using the tenant change modal, without even logging in, the other application is logged out even before the user logs in at the other client application.

We do not want that.

We want the user to login in with a different user account at each client application. And whatever happens in one client application is not shared with the other client application.

How to do that?


7 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    Could you try using different values for Authentication:JwtBearer (in appsettings.json) for both of your apps and see if it works?

    Thanks,
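
What the suggestion above relies on, shown as an added example that is not ASP.NET Zero or ABP code: an HS256 bearer token is only accepted by the application whose signing key produced it, and even two apps that share a key can be kept apart by validating issuer and audience. The `APPS` table and its `SecurityKey`/`Issuer`/`Audience` fields are constructed for this illustration and only loosely mirror the Authentication:JwtBearer section of an appsettings.json; the user name and tenant id are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed per-application settings (illustrative names and values, not a real config).
APPS = {
    "Admin": {"SecurityKey": "admin-app-key-0123456789abcdef0123456789",
              "Issuer": "AdminApp", "Audience": "AdminApp"},
    "PublicWeb": {"SecurityKey": "public-site-key-fedcba9876543210fedcba98",
                  "Issuer": "PublicWeb", "Audience": "PublicWeb"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, security_key: str) -> str:
    """Build an HS256 JWT: base64url(header).base64url(claims).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    mac = hmac.new(security_key.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def validate_jwt(token: str, app: dict, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the signature verifies under *this* app's key and
    issuer, audience and expiry all match; otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:            # bad base64 or bad JSON
        return None
    if header.get("alg") != "HS256":   # the token never gets to choose the algorithm
        return None
    expected = hmac.new(app["SecurityKey"].encode(),
                        f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    if claims.get("iss") != app["Issuer"] or claims.get("aud") != app["Audience"]:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time()):
        return None
    return claims


def issue_token(app_name: str, user: str, tenant_id: Optional[int], now: float) -> str:
    """Token an app would hand out after login; 1 hour lifetime."""
    app = APPS[app_name]
    claims = {"sub": user, "tenant_id": tenant_id, "iss": app["Issuer"],
              "aud": app["Audience"], "iat": int(now), "exp": int(now) + 3600}
    return sign_jwt(claims, app["SecurityKey"])


def demo(now: float = 1_700_000_000.0) -> dict:
    """Sign as the Admin app and see which configurations accept the token."""
    admin_token = issue_token("Admin", "alice", 3, now)   # constructed user and tenant id
    same_key_other_audience = {**APPS["Admin"], "Audience": "PublicWeb"}
    return {
        "admin_accepts_own": validate_jwt(admin_token, APPS["Admin"], now) is not None,
        "public_accepts_admin": validate_jwt(admin_token, APPS["PublicWeb"], now) is not None,
        # shared key but a different audience: still rejected, so audience alone separates apps
        "same_key_other_audience_rejected": validate_jwt(admin_token, same_key_other_audience, now) is None,
        "expired_rejected": validate_jwt(admin_token, APPS["Admin"], now + 7200) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that this only isolates the bearer tokens the two apps issue; it does nothing for cookies the browser sends on its own, which is where the thread ends up.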

  • quTIP created

    Changing Jwt Bearer Secret Key had no difference.

    I believe authentication is shared because cookies are shared. Cookies are not aware of port. On the other hand, each application is running at a different port. Could I be right in this assumption? What would be the solution if that is the case?

    Correction to the original description of the issue: Apps do not share the user, they are logged out once another application logs in or changes its tenant or switches to host.

    Also there is a worthwhile notice:

    • The Angular app does not get affected by whatever happens in the MVC app or in Swagger. But it affects the other apps, i.e. whenever I log out of the Angular app or change user in Angular, the other apps are logged out.
    • As for the MVC app and Swagger, once any of the other applications (Angular, MVC, Swagger) changes the user or logs out, it is logged out.

  • ismcagdas created
    Support Team

    Hi @quTIP

    Yes, if you are running the apps under the same domain (or localhost), cookies will be valid for both apps. But changing the JwtBearer should make a difference, I think, because this value is used for generation and validation of the tokens.

    Are you able to host your apps on different domains or IPs ?
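
The cookie behaviour described above, as an added example that is not part of the thread or of ASP.NET Zero: the matching rules of RFC 6265 decide which stored cookies a browser attaches to a request by host and path only, so `localhost:5000` and `localhost:4200` are one cookie scope, while host-only cookies on `api.domain.com` and `admin.domain.com` stay apart unless a `Domain=` attribute widens them. The cookie names (`AbpTenant`, as the thread calls it, and `AuthCookie`) and the URLs are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # the host that set it, or the Domain= attribute value
    host_only: bool    # True when Set-Cookie carried no Domain= attribute
    path: str = "/"


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: exact match, or request_host is a subdomain of cookie_domain."""
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4 path-match."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def set_cookie(origin_url: str, name: str, value: str,
               domain_attr: Optional[str] = None, path: str = "/") -> Cookie:
    """Model the browser storing a Set-Cookie from a response served at origin_url."""
    host = urlsplit(origin_url).hostname
    if domain_attr is None:
        return Cookie(name, value, host, True, path)
    d = domain_attr.lstrip(".").lower()
    # RFC 6265 5.3 step 6: a Domain= that does not cover the origin host is rejected
    if not domain_matches(host, d):
        raise ValueError(f"{origin_url} may not set a cookie for {domain_attr}")
    return Cookie(name, value, d, False, path)


def cookies_for_request(jar: List[Cookie], request_url: str) -> List[str]:
    """Names of the stored cookies a browser attaches to request_url (RFC 6265 5.4).
    The port is never consulted: it is not part of cookie scope at all."""
    parts = urlsplit(request_url)
    host, path = parts.hostname, parts.path or "/"
    attached = []
    for c in jar:
        if c.host_only:
            if host != c.domain:
                continue
        elif not domain_matches(host, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        attached.append(c.name)
    return attached


def demo() -> dict:
    # Constructed scenario 1: Host API on :5000 and the Angular admin on :4200, both on localhost.
    local_jar = [set_cookie("http://localhost:5000", "AbpTenant", "1"),
                 set_cookie("http://localhost:5000", "AuthCookie", "x")]
    # Scenario 2: the same apps on their own subdomains, host-only cookies.
    sub_jar = [set_cookie("https://api.domain.com", "AbpTenant", "1")]
    # Scenario 3: a Domain= attribute re-opens sharing across every subdomain of domain.com.
    wide_jar = [set_cookie("https://api.domain.com", "AbpTenant", "1", domain_attr="domain.com")]
    return {
        "localhost_other_port": cookies_for_request(local_jar, "http://localhost:4200/"),
        "subdomain_isolated": cookies_for_request(sub_jar, "https://admin.domain.com/"),
        "parent_domain_shared": cookies_for_request(wide_jar, "https://xyz.admin.domain.com/"),
    }


if __name__ == "__main__":
    print(demo())
```

The practical check when moving to subdomains is therefore the `Domain=` attribute on the auth and tenant cookies: leave it unset (host-only) for apps that must not see each other's state, and remember that a cookie scoped to `domain.com` will reach every `*.domain.com` app.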

  • quTIP created

    Maybe the tokens would be different with different JwtBearer keys. But the problem is in the AbpTenant cookie. It always has the same name. So it would be shared.

    As for having the apps on different subdomains or domains, this is what we are trying to do currently but DNS changes are taking 24-72 hours to propagate. The challenge is in debugging and development from visual studio. We cannot debug on IISExpress as it depends on having a different port per application. Any suggestions for debugging? IIS for debugging would work but it requires a tedious process with every run. Any easier options for debugging?

    Having said this, how can we make the Angular app work on a subdomain or IP without a port number? How to set this up in the Angular application? It currently runs on localhost:4200.

    Actually, we need your help to tell us how to achieve the below. We want to have the below apps with the below subdomains:

    1. API i.e. swagger and host app on api.domain.com
    2. Admin i.e the main app which is an angular app on admin.domain.com. It supports tenants.
    3. GlobalPortal i.e. a portal that gets some data from all tenants for all external customers on domain.com itself without subdomain. It must be host based only without tenants
    4. TenantPortal i.e. a portal per tenant that gets data for external customers of each tenant. This would be on subdomain portal.domain.com

    Please note that we support tenants in some of the above subdomains/apps. So how to support {tenancy_name} in subdomains? Let us say there is a tenancy name "XYZ", so we should have the below subdomains:

    • api.domain.com
    • xyz.admin.domain.com
    • admin.domain.com itself, of course, for us as super administrators
    • domain.com. This is host based. Never can have tenants -> How to fix tenantId = null all over the whole app?
    • xyz.TenantPortal.domain.com. This is tenant based. Must have tenants always
  • ismcagdas created
    Support Team

    Hi @quTIP

    To use the subdomain as the tenancy name, you can check https://docs.aspnetzero.com/en/aspnet-core-mvc/latest/Overview-Core#multi-tenancy. If a user visits a URL like "xyz.admin.domain.com", the tenantId will be detected automatically, so you don't have to do anything.

    As you said, setting up the same environment with subdomains locally is a bit hard. The easiest way would be to deploy your app to Kubernetes (using Docker for windows for example) locally and modify Windows hosts file and map 127.0.0.1 to a URL you want.

    For the domains you don't want tenancy to be active, it is not supported out of the box if you are deploying the same app. If it is a different app, you can modify source code and remove tenant selection from Login page.
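
Resolving the tenancy name from the subdomain, and the per-app policy the question asks for (domain.com never tenant, the tenant portal always tenant), as an added example. This is not ABP's resolver and not the project's code: ABP's own mechanism is the one linked above, and the "host-only" guard is exactly the part the answer says is not supported out of the box, so it is written here as an application-side check. The `{TENANCY_NAME}` placeholder, the URL formats, the `TenancyMode` names and the hostnames are assumptions for the illustration.

```python
import re
from enum import Enum
from typing import Optional, Tuple
from urllib.parse import urlsplit

PLACEHOLDER = "{TENANCY_NAME}"   # assumed placeholder syntax for this example


class TenancyMode(Enum):
    HOST_ONLY = "host-only"              # e.g. domain.com: a tenant must never be resolved
    TENANT_REQUIRED = "tenant-required"  # e.g. the tenant portal: a tenant must always be resolved
    EITHER = "either"                    # e.g. admin: host users and tenant users both log in


def host_pattern(url_format: str) -> "re.Pattern[str]":
    """Compile 'https://{TENANCY_NAME}.admin.domain.com' into a regex over the Host name."""
    host_fmt = urlsplit(url_format).netloc.split(":")[0]   # drop any port, keep the placeholder
    escaped = re.escape(host_fmt).replace(re.escape(PLACEHOLDER), r"(?P<tenancy>[a-z0-9-]+)")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def tenancy_from_host(request_url: str, url_format: Optional[str]) -> Optional[str]:
    """Tenancy name taken from the request host, or None for the host side / no match."""
    host = urlsplit(request_url).hostname
    if host is None or url_format is None:
        return None
    m = host_pattern(url_format).match(host)
    return m.group("tenancy").lower() if m else None


def resolve(request_url: str, url_format: Optional[str],
            mode: TenancyMode) -> Tuple[bool, Optional[str]]:
    """(accepted, tenancy_name). A request that violates the app's tenancy policy is
    rejected outright instead of silently continuing with tenantId = null."""
    tenancy = tenancy_from_host(request_url, url_format)
    if mode is TenancyMode.HOST_ONLY and tenancy is not None:
        return False, tenancy
    if mode is TenancyMode.TENANT_REQUIRED and tenancy is None:
        return False, None
    return True, tenancy


# Constructed routing table for the four apps listed in the question.
APP_ROUTES = {
    "Admin": ("https://{TENANCY_NAME}.admin.domain.com", TenancyMode.EITHER),
    "GlobalPortal": ("https://{TENANCY_NAME}.domain.com", TenancyMode.HOST_ONLY),
    "TenantPortal": ("https://{TENANCY_NAME}.portal.domain.com", TenancyMode.TENANT_REQUIRED),
}


def demo() -> dict:
    cases = {
        "admin_tenant": ("Admin", "https://xyz.admin.domain.com/app/login"),
        "admin_host": ("Admin", "https://admin.domain.com/app/login"),
        "global_portal": ("GlobalPortal", "https://domain.com/"),
        "global_portal_tenant": ("GlobalPortal", "https://xyz.domain.com/"),
        "tenant_portal_ok": ("TenantPortal", "https://XYZ.portal.domain.com/"),
        "tenant_portal_missing": ("TenantPortal", "https://portal.domain.com/"),
    }
    return {name: resolve(url, *APP_ROUTES[app]) for name, (app, url) in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} accepted={result[0]!s:5s} tenancy={result[1]}")
```

The resolver trusts the Host header, so the reverse proxy in front of these apps has to route each hostname only to its own app and forward Host unchanged; for local debugging the same mapping is what the hosts-file entries pointing `127.0.0.1` at these names give you.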

  • quTIP created

    We will try all the above and let you know, if something does not go as expected.

    But we have a very important question, related to the above somehow. In our project, when a user is created at a Tenant, we automatically create for him another user at host and link both using Linked Accounts. What we want now is:

    When the user logs on to the host application (using his host-based user), he should be able to click on a link that would open a new window in which the tenant application would open with him automatically logged in with his linked tenant user, without entering username or password. And we do not want him logged out of the host application.

    And also vice versa: when the user logs on to the tenant application (using his tenant-based user), he should be able to click on a link that would open a new window in which the host application would open with him automatically logged in with his linked host user, without entering username or password. And we do not want him logged out of the host application.

    It is as if each application is an external authenticator for the other. But when it externally authenticates, the user remains logged in on both applications (one as host-user and the other as tenant-user).

    Please note that host application is an MVC app while the tenant application is an Angular app.

  • ismcagdas created
    Support Team

    Hi @quTIP

    Yes, it works like that out of the box. You need to implement logout functionality in the use-case you want.