
Google SSO using multiple subdomains #9734

wydeedev created
  • Product version: 9.1.0
  • Product type: MVC
  • Product framework type: .NET Core

Hello all!

I'm trying to use Google SSO in order to make users login in my application.

I go to https://console.developers.google.com/ , get the ClientId and the ClientSecret and place them in the appsettings.json of the application.

It is a multi-tenant application, so each tenant will have its own subdomain. For instance, client.mydomain.com and client2.mydomain.com.

Since Google does not support wildcards in order to match all the subdomains, how can I achieve a behavior where, regardless of the subdomain used, Google SSO works?

I get this error if I try to reach a subdomain that is not in the list of authorized URIs: Error 400: redirect_uri_mismatch. The redirect URI in the request, https://client2.mydomain.com/signin-google, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit: https://console.developers.google.com/apis/credentials/oauthclient/${your_client_id}?project=${your_project_number}

Of course, if I put all my subdomains in Google in the authorized URIs it will work, but it is not good practice to do that every time a new tenant is added.

How can I achieve this behavior?


3 Answer(s)
  • 0
    ismcagdas created
    Support Team

    Hi @wydeedev

    Did you set the return URL on Google to https://mydomain.com/signin-google and try it this way? I'm not 100% sure, but I remember something like this worked for me.

  • 0
    wydeedev created

    Hi @ismcagdas, thanks for your answer.

    I've tried but with no success, it returns the same error as before.

    Do you have any workaround for this, or how do you manage this kind of issue? Do you enter all the subdomains in order to authorize them? This does not sound like a good solution in the long run.

  • 0
    ismcagdas created
    Support Team

    Hi @wydeedev

    Actually, I haven't tried Google SSO with subdomains. You can follow an approach like this:

    You can use the main website URL for Google SSO with a tenantId query string parameter, using the state parameter of Google SSO as explained here: https://stackoverflow.com/a/13769166/6681451.

    Then, you can write a custom tenant resolver which is similar to https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp.AspNetCore/AspNetCore/MultiTenancy/DomainTenantResolveContributor.cs. This resolver should resolve the tenantId from Google SSO's state parameter.

    Then, the user should be logged in correctly, but on the main URL. So you also need to redirect the user to the related subdomain after a successful login.
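The approach described in this answer, as an added example that is not code from the thread, from ASP.NET Boilerplate or from ASP.NET Zero: a single redirect URI (https://mydomain.com/signin-google) is registered with Google, the tenant is carried through the OAuth state via `AuthenticationProperties.Items`, a tenant resolver reads `tenantId` from the main-URL query string in the style of the linked `DomainTenantResolveContributor`, and after the ticket arrives the user is sent back to the tenant's subdomain. `ITenantSubdomainLookup`, `AccountController`, `GoogleSsoSetup` and `QueryStringTenantResolveContributor` are assumed names introduced here; the `ITenantResolveContributor` interface is ABP's.

```csharp
// Added example, not from the thread or from ABP/ASP.NET Zero.
// Assumed names: ITenantSubdomainLookup, AccountController, GoogleSsoSetup,
// QueryStringTenantResolveContributor. Base domain is the one from the thread.
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Abp.MultiTenancy;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Google;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Assumed application service: maps a tenantId to the subdomain label that tenant is served on.
public interface ITenantSubdomainLookup
{
    string? GetSubdomain(int tenantId);
}

public static class GoogleSsoSetup
{
    private const string BaseDomain = "mydomain.com";

    // Wire with: services.AddAuthentication().AddGoogle(GoogleSsoSetup.ConfigureGoogle);
    public static void ConfigureGoogle(GoogleOptions options)
    {
        // Only https://mydomain.com/signin-google is registered in the Google console.
        options.CallbackPath = "/signin-google";

        // Runs once Google has redirected back and the handler has unprotected the state.
        options.Events.OnTicketReceived = context =>
        {
            // Items travel inside the data-protected OAuth state, so the browser cannot
            // alter the tenantId between the challenge and the callback.
            if (context.Properties?.Items.TryGetValue("tenantId", out var raw) == true
                && int.TryParse(raw, out var tenantId))
            {
                var lookup = context.HttpContext.RequestServices
                    .GetRequiredService<ITenantSubdomainLookup>();
                var subdomain = lookup.GetSubdomain(tenantId);

                // Redirect only to a subdomain taken from our own tenant store, never to a
                // host supplied by the request, so this cannot become an open redirect.
                if (subdomain != null && Regex.IsMatch(subdomain, "^[a-z0-9-]{1,63}$"))
                {
                    context.ReturnUri = $"https://{subdomain}.{BaseDomain}/";
                }
            }
            return Task.CompletedTask;
        };
    }
}

public class AccountController : Controller
{
    // Entered on the main domain, e.g. https://mydomain.com/Account/ExternalLogin?tenantId=42
    [HttpGet]
    public IActionResult ExternalLogin(int tenantId)
    {
        var properties = new AuthenticationProperties
        {
            // Default post-login target; OnTicketReceived replaces it with the tenant subdomain.
            RedirectUri = "/"
        };
        properties.Items["tenantId"] = tenantId.ToString();
        return Challenge(properties, GoogleDefaults.AuthenticationScheme);
    }
}

// Custom resolver in the style of ABP's DomainTenantResolveContributor: the main URL
// carries tenantId as a query string parameter, so ABP can resolve the tenant there.
public class QueryStringTenantResolveContributor : ITenantResolveContributor
{
    private readonly IHttpContextAccessor _httpContextAccessor;

    public QueryStringTenantResolveContributor(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public int? ResolveTenantId()
    {
        var query = _httpContextAccessor.HttpContext?.Request.Query;
        if (query != null
            && query.TryGetValue("tenantId", out var values)
            && int.TryParse(values.ToString(), out var tenantId))
        {
            return tenantId;
        }
        return null;
    }
}
```

The resolver is registered the usual ABP way (`Configuration.MultiTenancy.Resolvers.Add<QueryStringTenantResolveContributor>()` in a module's `PreInitialize`). For the session to survive the final hop from mydomain.com to client2.mydomain.com, the application cookie must be issued for the parent domain (`Cookie.Domain = ".mydomain.com"`); otherwise the user lands on the subdomain unauthenticated, which is the symptom the answer warns about.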