Cookies and Identity Server
Hi Andrew,
Having problems logging into identity server after a tenant identifier is updated by a user. I am hoping to get some guidance/assistance.
When a new tenant is created an identifier is automatically created for them. I allow tenants to update their identifier. Once their identifier is updated the user can initiate a logout, which logs them out and redirects them to the start page with the updated identifier in the url.
e.g. the user is logged in with this URL:
http://appurl/1B8E302B-B931-4CAE-B404-A42B7D1E8895/Dashboard/Settings/Identifier
The user then updates their identifier to "ABC" and initiates a logout. The user is then redirected to this URL:
http://appurl/ABC
At this point the user tries to log back in, but instead of logging into identity server with the new identifier
http://identityserver/abc
the user is redirected to identity server with the old URL
http://identityserver/1B8E302B-B931-4CAE-B404-A42B7D1E8895
resulting in an invalid redirect URI error in identity server since the URLs don't match: "ABC" does not match "1B8E302B-B931-4CAE-B404-A42B7D1E8895".
I suspect it has to do with the identity server session created with the first login prior to updating the identifier?
My signout code in the application:
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

// Razor Page GET handler: signs out of the local cookie and the OIDC session,
// then returns the user to the start page via the identity server end-session redirect.
public IActionResult OnGet()
{
    // Absolute URL of the start page, using the scheme of the current request
    var redirectUri = Url.Page("/", null, null, Request.Scheme);
    return SignOut(new AuthenticationProperties()
    {
        RedirectUri = redirectUri
    }, CookieAuthenticationDefaults.AuthenticationScheme,
    OpenIdConnectDefaults.AuthenticationScheme);
}
Any help appreciated.
Hi friend. I haven't forgotten you. I'm catching up on things and will take a look. Have you made any progress in the meantime?
Hi Andrew,
At this time no, but I currently have a work around.
Hm, it looks like the OpenID Connect options for the tenant are not being refreshed. When they change the tenant identifier you'll want to clear the already generated options as described here: https://www.finbuckle.com/MultiTenant/Docs/Options#options-and-caching
I don't recall off the top of my head if you need to use the IOptionsMonitor approach as described or the other. Then the next time it needs those options to drive logic, i.e. the redirect, it should regenerate them.
That being said, I find that redirecting based on the tenant id might be better than the identifier since in theory the id should never change.
What sort of workaround did you come up with in your situation?
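An added example (not code from this issue or from the Finbuckle project) of what the maintainer suggests: a Razor Page handler that saves the new identifier, clears the cached OpenIdConnectOptions so they are regenerated for the new identifier, and only then signs out. It assumes a hypothetical ITenantIdentifierService for persisting the change, that the IOptionsMonitorCache<OpenIdConnectOptions> registered in DI is Finbuckle's per-tenant cache (so Clear() discards the stale entry), and that the app uses Finbuckle's default __tenant__ route parameter.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Options;

// Hypothetical application service that persists a tenant's new identifier.
public interface ITenantIdentifierService
{
    Task UpdateIdentifierAsync(string tenantId, string newIdentifier);
}

public class IdentifierModel : PageModel
{
    private readonly ITenantIdentifierService _tenants;
    private readonly IOptionsMonitorCache<OpenIdConnectOptions> _oidcCache;

    public IdentifierModel(ITenantIdentifierService tenants,
                           IOptionsMonitorCache<OpenIdConnectOptions> oidcCache)
    {
        _tenants = tenants;
        _oidcCache = oidcCache;
    }

    [BindProperty]
    public string NewIdentifier { get; set; } = string.Empty;

    // tenantId is the stable tenant id (not the user-editable identifier).
    public async Task<IActionResult> OnPostAsync(string tenantId)
    {
        // 1. Persist the new identifier for the current tenant.
        await _tenants.UpdateIdentifierAsync(tenantId, NewIdentifier);

        // 2. Drop the OpenIdConnectOptions that were generated for the old
        //    identifier. Assumption: this is Finbuckle's per-tenant cache, so
        //    Clear() removes the stale entry and the options (including the
        //    redirect URI) are rebuilt the next time the handler needs them.
        _oidcCache.Clear();

        // 3. Sign out of the local cookie and the OIDC session. The end-session
        //    redirect now lands on the start page for the new identifier.
        var redirectUri = Url.Page("/", null, new { __tenant__ = NewIdentifier }, Request.Scheme);
        return SignOut(new AuthenticationProperties { RedirectUri = redirectUri },
                       CookieAuthenticationDefaults.AuthenticationScheme,
                       OpenIdConnectDefaults.AuthenticationScheme);
    }
}
```

Refreshing the cached options is preferable to widening the client's registered redirect URIs in identity server, since the mismatch error is the redirect URI check doing its job.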
Hi Andrew,
Thx for getting back to me. I will look into your suggestions.
As a workaround I created a friendly identifier column that is 4 to 8 characters long. The user can then look up their friendly identifier on a search screen. If their tenant is found, they are redirected to their portal with the "normal" identifier in the URL. If the tenant is not found, they are directed to a referral screen indicating their organization was not found. Portal admins can set their friendly identifier.
This issue has been labeled inactive because it has been open 180 days with no activity. Please consider closing this issue if no further action is needed.