If you are unable to login, you can troubleshoot using the below steps
Help! I’m stuck in a redirect loop
If you are stuck in a redirect loop between AdminUI and IdentityServer, this is because AdminUI does not trust or cannot validate the IdentityServer identity token.
A common cause for this is when one or more of the applications are running on HTTP rather than HTTPS. This can cause the browser’s SameSite cookie policy to be enforced and AdminUI’s correlation cookie to be unavailable. This correlation cookie contains security data used to verify incoming requests to AdminUI’s redirect endpoint and validate tokens. If this cookie is not present, AdminUI will redirect the user back to IdentityServer.
To solve this, ensure all of your applications are running on HTTPS and can validate one another's TLS certificates.
If your applications are all running over HTTPS and you are still experiencing a redirect loop then your web server or reverse proxy could be terminating TLS. You will need to modify your web server or reverse proxy to tell AdminUI what the original request was by using X-Forwarded headers, such as X-Forwarded-For and X-Forwarded-Proto. This will tell AdminUI what the original scheme was (e.g. HTTPS) and the domain (e.g. identityserver.com). Check out the Microsoft documentation for more information on these headers and how AdminUI supports them here.
Another common cause for redirect loops is header size limitations. If your max header length is too small to accommodate the AdminUI session cookie, AdminUI will be unable to authenticate and will enter a redirect loop. To fix this, increase the maximum header size for your AdminUI site. We recommend a value of at least 128KB.
Invalid client secret
If you see an error page within AdminUI after redirecting from IdentityServer to AdminUI, it may be that AdminUI is using an incorrect client secret. This can be proven by checking the IdentityServer logs for a failed request against the token endpoint.
To resolve this, ensure that the AdminUI and API sites have the same value for the AdminUIClientSecret configuration setting. Once these are the same, restart the API website for the IdentityServer configuration to be updated.
Invalid redirect URI
If you see an error page or an error log within IdentityServer that says the redirect URI is invalid, this means that the client configuration held by IdentityServer does not match your AdminUI instance.
To resolve this, ensure that the AdminUI API site has the correct URL for the UiUrl configuration setting. Once this is correct, restart the API website for the IdentityServer configuration to be updated.
Invalid client
If you see an error page or error log within IdentityServer that says the client is invalid, this means that IdentityServer does not recognize the AdminUI client application.
This could be due IdentityServer and AdminUI not using the same database for IdentityServer configuration. To resolve this, ensure that both the AdminUI API and your IdentityServer are using the same connection strings.
Support
If none of these steps work or you are unsure how to fix the error in the logs, please contact us at [email protected], detailing the issue you see, including any error logs.