
Deployment documents improvements

Open hikalkan opened this issue 3 years ago • 6 comments

We've created notes for development. See all: https://docs.abp.io/en/abp/7.0/Deployment/Index

I've created this issue to collect more notes to add to these documents.

We can add these:

  • OpenIddict configuration
  • Database connection string
  • Domain names of the target website (change all localhost)
  • Developers also need to configure the certificate of AuthServer (`AddDevelopmentEncryptionAndSigningCertificate` for OpenIddict, `AddDeveloperSigningCredential` for Identity Server)
  • UI specific configuration and things to do (Angular, MVC, Blazor, React Native, MAUI, etc)
  • Data protection keys (redis config)
  • MongoDB ACID support
  • See https://support.abp.io/QA/Questions/5064#answer-3a0b5997-12c1-b2b5-2b18-9ab9db9e8295

hikalkan avatar Dec 09 '22 07:12 hikalkan

OpenIddict configuration

Developers need to configure the certificate of `AuthServer`.

  • AddDevelopmentEncryptionAndSigningCertificate for openiddict by default. https://documentation.openiddict.com/configuration/encryption-and-signing-credentials.html
  • AddDeveloperSigningCredential for Identity Server by default.
    https://identityserver4.readthedocs.io/en/latest/topics/startup.html#refstartupkeymaterial https://identityserver4.readthedocs.io/en/latest/topics/crypto.html

maliming avatar Dec 09 '22 07:12 maliming

@maliming is this the reason why users need to re-login after each server deployment?

ahmednfwela avatar Dec 09 '22 22:12 ahmednfwela

@ahmednfwela

Can you explain it in detail?

maliming avatar Dec 10 '22 06:12 maliming

@maliming I deploy my server on Google Cloud Run using a Docker image (with no volumes configured), so each time I deploy the Auth Server, the old certificates that were used are lost and replaced by new ones. So when old users (using refresh tokens made by the old certificate) try to request a new access token, they get this error:

```json
{
  "error": "invalid_grant",
  "error_description": "The specified token is invalid.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2004"
}
```

making them have to re-login

ahmednfwela avatar Dec 10 '22 06:12 ahmednfwela

hi https://github.com/abpframework/abp/blob/08034310b15e9056c019403f500a507e2b4efbdd/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs#L86 https://github.com/abpframework/abp/blob/08034310b15e9056c019403f500a507e2b4efbdd/modules/openiddict/app/OpenIddict.Demo.Server/OpenIddictServerModule.cs#L91

maliming avatar Dec 11 '22 07:12 maliming
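An added example, not part of this thread or of the ABP code base: one way to keep the signing and encryption credentials stable across redeployments, so tokens issued before a deployment stay valid, is to turn off the development certificate outside development and load a persistent certificate instead. The module name `MyAuthServerModule` and the configuration keys `AuthServer:CertificatePath` and `AuthServer:CertificatePassword` are hypothetical; the PFX file is assumed to come from a mounted secret rather than the container image.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Volo.Abp.Modularity;
using Volo.Abp.OpenIddict;

// Hypothetical module name; place the PreConfigure calls in your own AuthServer module.
[DependsOn(typeof(AbpOpenIddictAspNetCoreModule))]
public class MyAuthServerModule : AbpModule
{
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        var environment = context.Services.GetHostingEnvironment();
        var configuration = context.Services.GetConfiguration();

        if (environment.IsDevelopment())
        {
            return; // keep the default development certificate on developer machines
        }

        // Hypothetical keys; supply the values from a secret store or environment
        // variables so neither the PFX nor its password is baked into the image.
        var path = configuration["AuthServer:CertificatePath"];
        var password = configuration["AuthServer:CertificatePassword"];

        // Fail closed: refuse to start rather than silently fall back to a
        // certificate that is regenerated on the next deployment.
        if (string.IsNullOrEmpty(path) || !File.Exists(path))
        {
            throw new InvalidOperationException(
                "AuthServer certificate not found; set AuthServer:CertificatePath.");
        }

        var certificate = new X509Certificate2(path, password);

        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            // One certificate serves both roles here; separate ones also work.
            builder.AddSigningCertificate(certificate);
            builder.AddEncryptionCertificate(certificate);
        });
    }
}
```

Every instance behind the same domain must load the same certificate, otherwise a token issued by one instance is rejected by another.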

Hi,

  1. I'm making initial migrations in localhost. So all URLs would be localhost that should be in database also. I need to change them manually for the first deployment:

IdentityServer:

[dbo].[IdentityServerClientCorsOrigins].[Origin]
[dbo].[IdentityServerClientPostLogoutRedirectUris].[PostLogoutRedirectUri]
[dbo].[IdentityServerClientRedirectUris].[RedirectUri]

OpenIddict:

[dbo].[OpenIddictApplications].PostLogoutRedirectUris
[dbo].[OpenIddictApplications].RedirectUris
[dbo].[OpenIddictApplications].ClientUri
  2. For similar reasons as 1, I'm generally using default secret keys. So, it may be a bit complicated to change them in the production database. (https://support.abp.io/QA/Questions/441/About-changing-client-secrets)

  3. If I deploy the Host project to IIS, I need to make a change for WebDAV. Otherwise PUT and DELETE requests don't work. Web.config:

```xml
<!-- inside <system.webServer> -->
<modules runAllManagedModulesForAllRequests="false">
  <remove name="WebDAVModule" />
</modules>
```

  4. After migrating from IdentityServer to OpenIddict I had to set the "Load User Profile" setting to true in IIS (in Application Pool => Advanced Settings)

  5. Although it is standard procedure, it may be good to mention it in the Deployment docs. Developers must edit URLs in appsettings.json files both in Host and UI. For me, HostFolder\appsettings.json and BlazorFolder\wwwroot\appsettings.json

omer-repo avatar Dec 12 '22 10:12 omer-repo