Enhancement: Better out-of-the-box support for deployment #17831

Closed
leonkosak opened this issue Oct 10, 2023 · 8 comments · Fixed by #17847

@leonkosak
Contributor

Although there are articles and documentation on how to deploy abp-based applications to various environments (IIS, Azure App Services, Docker, ...), most deployments nowadays are behind a reverse proxy (e.g. nginx) and/or inside a containerized environment (Kubernetes, Docker, ...).

There is an excellent part in the documentation: https://docs.abp.io/en/commercial/latest/startup-templates/application/deployment-docker-compose?UI=MVC&DB=EF&Tiered=Yes
(Thank you @gterdem)

However, I get many questions from my developer colleagues about how to properly deploy and configure (appsettings.json) a tiered application (.AuthServer, .HttpApi.Host, .Web).

Based on the documentation at the link above, I realized that this is not possible at all without additional code and two additional properties (AuthServer:IsContainerizedOnLocalhost and AuthServer:MetaAddress) in appsettings.json.

My recommendation and suggestion is that the code below should be included in the generated abp-based project from the beginning.

```csharp
if (Convert.ToBoolean(configuration["AuthServer:IsContainerizedOnLocalhost"]))
{
   ...
}
```

It's not much code, but deployments on many production and test environments would be 100% configurable via appsettings.json without adding code in the application's middleware.

And lastly: the less custom code there is in the project/application middleware (xxxxModule.cs files), the easier the abp upgrade process is. :)

@maliming and @gterdem, please consider this. It's not a breaking change in abp framework at all, but the last step for us developers would be greatly simplified.

@leonkosak
Contributor Author

Thank you @maliming and @gterdem for your active approach. 👍
Should I help somehow that this suggestion (task) would be done in 8.0-preview milestone (November 15th)?

P.S.: @gterdem please use a "real" boolean value (not "true", "false" in a string) inside appsettings.json for the AuthServer:IsContainerizedOnLocalhost property.
Look: #17830
Use:

```csharp
configuration.GetValue<bool>("AuthServer:IsContainerizedOnLocalhost");
```

in the if statement instead of:

```csharp
Convert.ToBoolean(configuration["AuthServer:IsContainerizedOnLocalhost"])
```

@gterdem
Contributor

gterdem commented Oct 11, 2023

Hello @leonkosak ,

I assume you mean to add this section for the ABP open-source templates, considering it is missing the related section:

```csharp
.AddAbpOpenIdConnect("oidc", options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("roles");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    options.Scope.Add("MyProjectName");
});
```

The problem with adding additional code based on the deployment is that most of the users are not using containerized deployment, and they raise questions about it more often than you can imagine.

But, we can add that and try to explain it as best as we can.

Using a real boolean instead of a string for true and false in the appsettings was about the yaml override problems. I'm still testing it and we'll conclude it soon.

@leonkosak
Contributor Author

Well, that's strange @gterdem. Most deployments in our area for abp-based applications are in containers. :)
But would it really be a problem for so many users if this part of the code were disabled with a parameter in the appsettings.json file?

@gterdem
Contributor

gterdem commented Oct 11, 2023

@leonkosak
Let me know if #17847 works for you.

@maliming maliming added this to the 8.0-preview milestone Oct 12, 2023
@leonkosak
Contributor Author

@gterdem: So, I should create a tiered mvc abp v7.4.0 project and manually copy the code from this commit into the correct files to confirm whether this works?
07ea9ee

@gterdem
Contributor

gterdem commented Oct 12, 2023

> @gterdem: So, I should create a tiered mvc abp v7.4.0 project and manually copy the code from this commit into the correct files to confirm whether this works? 07ea9ee

Yeah, it will be available at v8.0 preview. You can use the committed code block in any version; it should work fine.

```csharp
/*
 * This configuration is used when the AuthServer is running on the internal network such as docker or k8s.
 * Configuring the redirecting URLs for the internal network and the web.
 * The login and the logout URLs are configured to redirect to the AuthServer real DNS for the browser.
 * The token is acquired and validated from the internal network AuthServer URL.
 */
if (configuration.GetValue<bool>("AuthServer:IsContainerized"))
{
    context.Services.Configure<OpenIdConnectOptions>("oidc", options =>
    {
        // Tokens may name either the internal (MetaAddress) or the public (Authority) issuer.
        options.TokenValidationParameters.ValidIssuers = new[]
        {
            configuration["AuthServer:MetaAddress"]!.EnsureEndsWith('/'),
            configuration["AuthServer:Authority"]!.EnsureEndsWith('/')
        };
        // Discovery document and keys are fetched over the internal network address.
        options.MetadataAddress = configuration["AuthServer:MetaAddress"]!.EnsureEndsWith('/') +
                                  ".well-known/openid-configuration";
        var previousOnRedirectToIdentityProvider = options.Events.OnRedirectToIdentityProvider;
        options.Events.OnRedirectToIdentityProvider = async ctx =>
        {
            // Intercept the redirection so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"]!.EnsureEndsWith('/') + "connect/authorize";
            if (previousOnRedirectToIdentityProvider != null)
            {
                await previousOnRedirectToIdentityProvider(ctx);
            }
        };
        var previousOnRedirectToIdentityProviderForSignOut = options.Events.OnRedirectToIdentityProviderForSignOut;
        options.Events.OnRedirectToIdentityProviderForSignOut = async ctx =>
        {
            // Intercept the redirection for signout so the browser navigates to the right URL in your host
            ctx.ProtocolMessage.IssuerAddress = configuration["AuthServer:Authority"]!.EnsureEndsWith('/') + "connect/logout";
            if (previousOnRedirectToIdentityProviderForSignOut != null)
            {
                await previousOnRedirectToIdentityProviderForSignOut(ctx);
            }
        };
    });
}
```

@leonkosak
Contributor Author

Thanks @gterdem, we'll test this inside a real containerized environment in our cloud and also on virtual machines behind a reverse proxy in the following days.
Expect my answer next week.

@leonkosak
Contributor Author

We tested this code @gterdem but unfortunately without success. We tried many configurations in appsettings.json files (.AuthServer, .HttpApi.Host, .Web) and the best we can achieve is to get 500 error during login.
(Configuration: abp (Commercial) v7.4, MVC, tiered, OpenIddict)

.Web error:

```text
System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://test.id.nexavia.io/.well-known/openid-configuration'. 

---> System.ArgumentException: IDX20108: The address specified 'http://test.id.nexavia.io/.well-known/jwks' is not valid as per HTTPS scheme. Please specify an https address for security reasons. If you want to test with http address, set the RequireHttps property  on IDocumentRetriever to false. (Parameter 'address') 
```

I also found this: openiddict/openiddict-core#1613

OpenIddict configuration for abp Commercial is still in development: https://docs.abp.io/en/commercial/latest/guides/openiddict-deployment
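As an added example (not code from this issue or from ABP), a small Python check that mirrors the two conditions the committed code above sets up and that the quoted error trips over: the issuer the AuthServer advertises must be one of the two ValidIssuers (internal MetaAddress or public Authority, both normalised with a trailing slash), and with RequireHttpsMetadata every endpoint in the discovery document must be https. The discovery document and the `authserver` / `id.example.test` addresses are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Discovery-document keys that carry absolute endpoint URLs.
ENDPOINT_KEYS = ("jwks_uri", "authorization_endpoint", "token_endpoint",
                 "userinfo_endpoint", "end_session_endpoint")


def ensure_ends_with(value, suffix="/"):
    # Same normalisation as the EnsureEndsWith('/') calls in the committed code.
    return value if value.endswith(suffix) else value + suffix


def valid_issuers(meta_address, authority):
    # The two entries the committed code places in TokenValidationParameters.ValidIssuers:
    # the internal address (AuthServer:MetaAddress) and the public one (AuthServer:Authority).
    return {ensure_ends_with(meta_address), ensure_ends_with(authority)}


def check_discovery(doc_json, meta_address, authority, require_https=True):
    """Return the problems an OIDC client would hit with this discovery document.
    An empty list means the document is acceptable under the given settings."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    # Tokens carry the issuer advertised here; it must be one of the ValidIssuers.
    if ensure_ends_with(issuer) not in valid_issuers(meta_address, authority):
        problems.append(f"issuer '{issuer}' is not one of the configured valid issuers")
    for key in ENDPOINT_KEYS:
        url = doc.get(key)
        if url is None:
            continue
        # With RequireHttpsMetadata every published endpoint must be https,
        # which is the condition behind the IDX20108 error quoted above.
        if require_https and urlsplit(url).scheme != "https":
            problems.append(f"{key} '{url}' is not https but RequireHttpsMetadata is on")
    return problems


# Constructed sample: an AuthServer behind a proxy that advertises its public https
# issuer but still publishes the JWKS endpoint with the internal http scheme.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://id.example.test/",
    "authorization_endpoint": "https://id.example.test/connect/authorize",
    "token_endpoint": "https://id.example.test/connect/token",
    "jwks_uri": "http://id.example.test/.well-known/jwks",
})
```

Running `check_discovery(SAMPLE_DISCOVERY, "http://authserver:8080", "https://id.example.test")` reports only the http `jwks_uri`, i.e. the same condition the .Web error above complains about; fixing the advertised scheme, not switching RequireHttpsMetadata off, is the change to make.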
