If you are unable to log in, you can troubleshoot using the steps below.
Help! I’m stuck in a redirect loop
If you are stuck in a redirect loop between AdminUI and OpenIddict, this is because AdminUI does not trust or cannot validate the OpenIddict identity token.
A common cause for this is when one or more of the applications are running on HTTP rather than HTTPS. This can cause the browser’s SameSite cookie policy to be enforced and AdminUI’s correlation cookie to be unavailable. This correlation cookie contains security data used to verify incoming requests to AdminUI’s redirect endpoint and validate tokens. If this cookie is not present, AdminUI will redirect the user back to OpenIddict.
To solve this, ensure all of your applications are running on HTTPS and can validate one another's TLS certificates.
If your applications are all running over HTTPS and you are still experiencing a redirect loop, your web server or reverse proxy could be terminating TLS. You will need to modify your web server or reverse proxy to tell AdminUI what the original request was by using X-Forwarded headers, such as X-Forwarded-For and X-Forwarded-Proto. This will tell AdminUI what the original scheme was (e.g. HTTPS) and the domain (e.g. openiddictcomponents.com). See the Microsoft documentation for more information on these headers and how AdminUI supports them.
Another common cause for redirect loops is header size limitations. If your max header length is too small to accommodate the AdminUI session cookie, AdminUI will be unable to authenticate and will enter a redirect loop. To fix this, increase the maximum header size for your AdminUI site. We recommend a value of at least 128KB.
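As an added example (not taken from the AdminUI documentation), the following nginx configuration terminates TLS in front of AdminUI, passes the original scheme, host and client address in X-Forwarded headers, and raises the header limits to 128 KB. The use of nginx, the host name, the certificate paths and the upstream address are all assumptions; substitute your own values.

```nginx
# Constructed example: adminui.example.com and 127.0.0.1:5000 are placeholders.

# Redirect plain HTTP so the login flow never starts on an insecure origin.
server {
    listen 80;
    server_name adminui.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name adminui.example.com;

    ssl_certificate     /etc/nginx/tls/adminui.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/adminui.example.com.key;  # placeholder path

    # Request headers: allow a session cookie of up to 128 KB.
    # The nginx default (4 buffers of 8k) rejects larger Cookie headers.
    large_client_header_buffers 4 128k;

    location / {
        # TLS ends here, so the hop to AdminUI is plain HTTP.
        proxy_pass http://127.0.0.1:5000;

        # Without these headers AdminUI sees scheme "http" and the
        # upstream address, and builds redirect URIs and cookies
        # for the wrong origin.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

        # Response headers: large Set-Cookie values from AdminUI must
        # fit in the first proxy buffer, or nginx returns 502.
        proxy_buffer_size       128k;
        proxy_buffers           4 256k;
        proxy_busy_buffers_size 256k;
    }
}
```

Run `nginx -t` to validate the file before reloading. AdminUI must also be configured to accept forwarded headers from this proxy, as described in the documentation referenced above.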
Invalid client secret
If you see an error page within AdminUI after redirecting from OpenIddict to AdminUI, it may be that AdminUI is using an incorrect client secret. You can confirm this by checking the OpenIddict logs for a failed request against the token endpoint.
To resolve this, ensure that AdminUI has the correct value for the AdminUIClientSecret configuration setting. Once this is correct, restart AdminUI for the configuration to be updated.
Invalid redirect URI
If you see an error page or an error log within OpenIddict that says the redirect URI is invalid, this means that the client configuration held by OpenIddict does not match your AdminUI instance.
To resolve this, ensure that the AdminUI site has the correct URL for the UiUrl configuration setting. Once this is correct, restart AdminUI for the configuration to be updated.
Invalid client
If you see an error page or error log within OpenIddict that says the client is invalid, this means that OpenIddict does not recognize the AdminUI client application.
This could be due to OpenIddict and AdminUI not using the same database for OpenIddict configuration. To resolve this, ensure that both the AdminUI API and your OpenIddict instance are using the same connection strings.
Support
If none of these steps work or you are unsure how to fix the error in the logs, please contact us at support@openiddictcomponents.com, detailing the issue you see, including any error logs.