FusionAuth
    The request origin could not be verified. Unable to complete this login request with same-instance cross-tenant IdP federation

hvfa:
      Re: Can I configure a tenant application as an external identity provider for other tenants?

I've tried to do this setup as well, with common sub-tenant users all authenticating against the master Fusion tenant/app, which is set up as an OIDC provider. On the sub-tenant apps, I add an idphint and that allows it to bypass the sub-tenant login and the "login with master tenant" button. All good.

I can register and log in, which is visible in the Fusion Login Records, but it does not redirect back to the sub-tenant app and I get this: "The request origin could not be verified. Unable to complete this login request."

I'm running Fusion 1.63.0 with the standard simple theme, so it's not the old issue from 1.43.

      I've tried setting Authorized origins to match master and tenant on both applications.

My event log debug log says I'm getting "The authorization code has been successfully exchanged for an access token."

One suggestion from your AI was missing X-Forwarded headers from my proxies. The FusionAuth dashboard does not have any warnings for this, and login works for the master tenant.

      Any clues on how to resolve please?

mark.robustelli (in reply to hvfa):

@hvfa At first glance this looks like a domain issue. Can you share an example of how your Authorized redirect URLs and Authorized request origin URLs are set up in relation to the applications? Please feel free to use example domains like https://domain1/ or https://domain2 and so on. It may also be useful to give the other OAuth settings for the applications as well (be sure to redact or obscure any sensitive information).

hvfa (in reply to mark.robustelli):

          @mark-robustelli thanks Mark.

All domains will be sub-domains of the main domain name, but for this staging system we are using 2026.domain.com and 2026-tenant1.domain.com, 2026-tenant2.domain.com, etc.

Logins work successfully without the idphint on a per-tenant basis, but we want all tenants to use the common master tenant (via SSO) as the login, because many users will be members across multiple tenants and their data can be common across tenants.

          The auth server uses auth.domain.com

We have the master tenant and sub-tenants in FusionAuth. We have the master application and sub-tenant applications for each tenant.
A tenant application has an authorized redirect like 2026-tenant1.domain.com/callback and currently no request origin (I have tried adding this for the sub-tenant and master tenant together). I've tried adding the sub-tenants as authorized origins on the master tenant.

          There's nothing extra configured on the FusionAuth tenants.

Under Settings, Identity Providers, we have an OIDC provider pointing back to the master app in the master tenant. We do see the button to log in with the master tenant on a sub-tenant (if no idphint is set).

All sub-tenant applications are enabled for this provider (with create registration); I also have the sub-tenants added in this IdP and have tried without. Managed domains is blank. Not using the POST method.

Auth endpoints have been manually set (because FusionAuth couldn't self-discover?!) like so:
https://auth.domain.com/oauth2/authorize
https://auth.domain.com/oauth2/token
https://auth.domain.com/oauth2/userinfo

There are no groups configured.

Hosting-wise, FusionAuth is a Docker container on the same server as the main app and sub-tenants, behind a Traefik 2 proxy which is also behind Cloudflare, and each site has its own Let's Encrypt TLS cert via Traefik.

          Direct login to the master tenant is successful but not via a sub-tenant.

Grok suggests it's a CORS issue. My filter was not enabled. I also tried it enabled (current) and allowed all methods, with (and without) wildcard origins.

As mentioned, the login is recorded in FusionAuth; it just seems to fail on the callback process via master.

The master login URL, when called via a sub-tenant, shows the master tenant as the callback URL. I've tried adding the sub-tenant callback as authorised in the master tenant.

I think that's everything.

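The two things the thread keeps circling back to are (a) what the FusionAuth container actually sees as its own origin once Cloudflare and Traefik have terminated TLS in front of it, and (b) whether each registered redirect URL matches the one sent in the request. The Python below is an added illustration written for this page, not FusionAuth's code or a description of its internals: it models a generic origin check (browser `Origin`/`Referer` compared against the origin reconstructed from `Host`, `X-Forwarded-Proto` and `X-Forwarded-Host`) and a generic exact-match redirect_uri check, then runs both over constructed scenarios that use the thread's example hostnames. Assumptions, also marked in the code: the backend defaults to `http` when no `X-Forwarded-Proto` arrives; redirect URLs are compared as exact strings; and the callback the OIDC identity-provider hop presents to the master application is assumed to be the FusionAuth host's own `/oauth2/callback` path, which you should confirm against FusionAuth's identity-provider documentation rather than this example.

```python
"""Constructed model of two callback-time checks an OAuth/OIDC server behind a
reverse proxy performs: request-origin verification and redirect_uri matching.
Added illustration only; not FusionAuth's implementation."""
from typing import Dict, List, Tuple
from urllib.parse import urlsplit


def _lower(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise once."""
    return {k.lower(): v for k, v in headers.items()}


def effective_origin(headers: Dict[str, str], local_scheme: str = "http") -> str:
    """Origin the server believes it is serving, as seen through the proxy.

    A container that only sees the proxy's plain-HTTP hop assumes local_scheme
    (assumption: http) and its own Host header unless the proxy forwards
    X-Forwarded-Proto and X-Forwarded-Host. Only the first value of a
    comma-joined header is used.
    """
    h = _lower(headers)
    scheme = h.get("x-forwarded-proto", local_scheme).split(",")[0].strip().lower()
    host = h.get("x-forwarded-host", h.get("host", "")).split(",")[0].strip().lower()
    # Drop a default port so https://a:443 and https://a compare equal
    # (hostname:port form only; bracketed IPv6 literals are not handled).
    name, _, port = host.rpartition(":")
    if name and (scheme, port) in (("https", "443"), ("http", "80")):
        host = name
    return f"{scheme}://{host}"


def origin_verified(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Reject a login POST whose browser-supplied Origin (or, failing that,
    Referer) does not match the origin the server reconstructs for itself."""
    h = _lower(headers)
    claimed = h.get("origin")
    if claimed is None and "referer" in h:
        p = urlsplit(h["referer"])
        claimed = f"{p.scheme}://{p.netloc}"
    if not claimed:
        return False, "no Origin or Referer header"
    expected = effective_origin(headers)
    if claimed.rstrip("/").lower() != expected:
        return False, f"origin {claimed} does not match {expected}"
    return True, "ok"


def redirect_uri_authorized(redirect_uri: str, authorized: List[str]) -> bool:
    """Exact string match, the conservative rule for redirect_uri validation
    (RFC 6749 section 3.1.2.2; no scheme or host normalisation).
    An entry registered without a scheme, e.g. 'host/callback', never matches."""
    return redirect_uri in authorized


# Constructed scenarios using the thread's example hostnames.
FA_HOST = "auth.domain.com"
TENANT_CB = "https://2026-tenant1.domain.com/callback"
# Assumption: the callback the OIDC identity-provider hop presents to the
# upstream (master) application, where FusionAuth itself is the OAuth client.
IDP_CALLBACK = f"https://{FA_HOST}/oauth2/callback"


def diagnose() -> Dict[str, object]:
    results: Dict[str, object] = {}
    browser = {"Origin": f"https://{FA_HOST}", "Host": FA_HOST}
    # 1. Proxy forwards the scheme and host: the check passes.
    results["proxy_forwards_proto"] = origin_verified(
        {**browser, "X-Forwarded-Proto": "https", "X-Forwarded-Host": FA_HOST})
    # 2. TLS terminated upstream, no X-Forwarded-Proto: backend thinks it is http.
    results["proto_not_forwarded"] = origin_verified(browser)
    # 3. Proxy rewrites Host to the container's internal name and sends no
    #    X-Forwarded-Host: the hostname no longer matches.
    results["host_rewritten"] = origin_verified(
        {**browser, "Host": "fusionauth:9011", "X-Forwarded-Proto": "https"})
    # 4. Authorized redirect registered without a scheme never matches.
    results["redirect_without_scheme"] = redirect_uri_authorized(
        TENANT_CB, ["2026-tenant1.domain.com/callback"])
    results["redirect_with_scheme"] = redirect_uri_authorized(TENANT_CB, [TENANT_CB])
    # 5. Master application authorized only for the sub-tenant app's callback,
    #    while the federated hop sends the identity-provider callback instead.
    results["master_allows_tenant_cb_only"] = redirect_uri_authorized(
        IDP_CALLBACK, [TENANT_CB])
    results["master_allows_idp_cb"] = redirect_uri_authorized(
        IDP_CALLBACK, [TENANT_CB, IDP_CALLBACK])
    return results


if __name__ == "__main__":
    for name, value in diagnose().items():
        print(f"{name}: {value}")
```

Scenarios 2 and 3 are the ones to rule out first when the same login works on one hostname and fails on another: put a request-echoing container behind the same Traefik router and compare the `Host`, `X-Forwarded-Proto` and `X-Forwarded-Host` values it receives with what the browser sends as `Origin`. Scenarios 4 and 5 are the configuration side: every registered redirect URL needs the scheme, and the application that acts as the upstream IdP must authorize the callback used by the federating hop, not only the end application's callback.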