- ABP Framework version: v5.3
- UI type: Blazor WASM
- DB provider: EF Core
I have an external application that accesses the Web API. To do that, it requests the token using the access/token method, passing the client_id, client_secret, and grant_type parameters. It was working, but it is no longer working. Calling access/token from Postman only returns "Invalid_Client"; it seems that the client doesn't exist, which is not true. Checking the logs, it says that the secret doesn't match, but I am 100% sure that it is the same secret. The previous secret had expired, so I've changed the date/time for it. I've restarted the application and cleaned the Redis cache to be sure it wouldn't be some cache issue.
Here is my request in Postman. In the Headers, I have the property "__tenants" with the tenant name:
Here is the log file for the request in the Web API:

[15:17:19 INF] Request starting HTTP/1.1 POST https://localhost:44364/connect/token application/x-www-form-urlencoded 79
[15:17:19 DBG] Request path /connect/token matched to endpoint type Token
[15:17:19 DBG] Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
[15:17:19 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[15:17:19 DBG] Start token request.
[15:17:19 DBG] Start client validation
[15:17:19 DBG] Start parsing Basic Authentication secret
[15:17:19 DBG] Start parsing for secret in post body
[15:17:19 DBG] Parser found secret: PostBodySecretParser
[15:17:19 DBG] Secret id found: SBC_Reports_2
[15:17:19 DBG] client configuration validation for client SBC_Reports_2 succeeded.
[15:17:19 DBG] No matching hashed secret found.
[15:17:19 DBG] Secret validators could not validate secret
[15:17:19 INF] {"ClientId": "SBC_Reports_2", "Category": "Authentication", "Name": "Client Authentication Failure", "EventType": "Failure", "Id": 1011, "Message": "Invalid client secret", "ActivityId": "400001eb-0004-b900-b63f-84710c7967bb", "TimeStamp": "2022-07-11T03:17:19.0000000Z", "ProcessId": 29156, "LocalIpAddress": "::1:44364", "RemoteIpAddress": "::1", "$type": "ClientAuthenticationFailureEvent"}
[15:17:19 ERR] Client secret validation failed for client: SBC_Reports_2.
[15:17:19 INF] Request finished HTTP/1.1 POST https://localhost:44364/connect/token application/x-www-form-urlencoded 79 - 400 - application/json;+charset=UTF-8 28.5513ms
Here is the client with the Secret:
Sometimes, when adding another secret or doing some changes in the Identity Client, using the framework UI, it throws an exception:
10 Answer(s)
-
0
Hi, I'd just like to add that somehow it is working now, using the same client_id and client_secret. Before, I had added a long expiration period: 31/12/2050. Then I changed it to 31/12/2022, but it hadn't worked. After writing this issue, I tried again, and it was working. It looks like it took some time to update the server.
The questions are: does it keep some kind of cache? If so, how do I clean it so it reads the new parameters? Is it possible to set the expiration date/time for a long period?
-
0
Hi,
Yes, we cache the client; the cache item is removed when the client changes. See https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/IdentityServerCacheItemInvalidator.cs#L33
However, you can set the expiration date; try:

Configure<IdentityServerOptions>(options =>
{
    options.Caching.ClientStoreExpiration = ....;
});
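To make the two things discussed in this thread concrete (a secret that fails with "No matching hashed secret found" even though the plaintext is right, and a cached client that keeps serving stale secrets until it is invalidated or its TTL lapses), here is an added Python model. It is not ABP's or IdentityServer4's code. It assumes, from my reading of IdentityServer4's hashed shared-secret validator, that the stored Value is Base64(SHA-256) or Base64(SHA-512) of the UTF-8 secret, that expired secrets are skipped before comparison, and that the comparison is constant-time; the TTL cache stands in for ClientStoreExpiration and `invalidate()` for what the cache item invalidator does. The client id, secrets and timestamps are constructed for the walk-through. The practical check it gives you: `hash_secret("<your secret>")` is the value you should find in the Value column of IdentityServerClientSecrets (the table named in the log above) for an unexpired row; if it is there and the token endpoint still rejects it, suspect the cached copy rather than the secret.

```python
import base64
import copy
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

SHARED_SECRET = "SharedSecret"


def hash_secret(secret: str, algo: str = "sha256") -> str:
    """Base64(hash(UTF-8 secret)): the stored form of a shared secret
    (assumed to match the Value column of IdentityServerClientSecrets)."""
    digest = hashlib.new(algo, secret.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class ClientSecret:
    value: str                       # stored hash, never the plaintext
    expiration: Optional[datetime]   # None means the secret never expires
    type: str = SHARED_SECRET


@dataclass
class Client:
    client_id: str
    secrets: List[ClientSecret]


def validate_shared_secret(client: Client, presented: str, now: datetime) -> bool:
    """Hashed shared-secret check modelled on IdentityServer4 (assumption): expired
    secrets are skipped, a 32-byte stored hash is compared with SHA-256 and a 64-byte
    one with SHA-512, in constant time. False is the "No matching hashed secret" case."""
    sha256 = hash_secret(presented, "sha256")
    sha512 = hash_secret(presented, "sha512")
    for s in client.secrets:
        if s.type != SHARED_SECRET:
            continue
        if s.expiration is not None and s.expiration <= now:
            continue                                  # expired: never compared
        try:
            stored_len = len(base64.b64decode(s.value, validate=True))
        except ValueError:
            continue                                  # not a hash we can compare
        candidate = {32: sha256, 64: sha512}.get(stored_len)
        if candidate is not None and hmac.compare_digest(s.value, candidate):
            return True
    return False


class CachingClientStore:
    """Read-through client cache with a TTL (stands in for ClientStoreExpiration)
    and the explicit invalidation a cache item invalidator performs on a change."""

    def __init__(self, db: Dict[str, Client], ttl: timedelta):
        self.db = db
        self.ttl = ttl
        self._cache: Dict[str, Tuple[Client, datetime]] = {}

    def find(self, client_id: str, now: datetime) -> Optional[Client]:
        hit = self._cache.get(client_id)
        if hit is not None and now - hit[1] < self.ttl:
            return hit[0]                             # served from cache, possibly stale
        client = self.db.get(client_id)
        if client is None:
            return None
        snapshot = copy.deepcopy(client)              # the cache holds a copy, not the row
        self._cache[client_id] = (snapshot, now)
        return snapshot

    def invalidate(self, client_id: str) -> None:
        self._cache.pop(client_id, None)


def rotation_scenario() -> List[bool]:
    """Constructed walk-through of the thread: the secret expires, its expiration is
    extended in the database, and later the secret itself is rotated."""
    t0 = datetime(2022, 7, 11, 3, 0, tzinfo=timezone.utc)        # constructed timestamp
    old, new = "example-secret-A", "example-secret-B"             # constructed secrets
    db = {"demo_client": Client("demo_client",
                                [ClientSecret(hash_secret(old), t0 + timedelta(minutes=5))])}
    store = CachingClientStore(db, ttl=timedelta(minutes=15))
    out = []
    out.append(validate_shared_secret(store.find("demo_client", t0), old, t0))  # fresh: ok
    t1 = t0 + timedelta(minutes=10)
    out.append(validate_shared_secret(store.find("demo_client", t1), old, t1))  # expired
    db["demo_client"].secrets[0] = ClientSecret(hash_secret(old), t0 + timedelta(days=365))
    out.append(validate_shared_secret(store.find("demo_client", t1), old, t1))  # DB fixed, cache stale
    t2 = t0 + timedelta(minutes=20)
    out.append(validate_shared_secret(store.find("demo_client", t2), old, t2))  # TTL lapsed: reloaded
    db["demo_client"].secrets[0] = ClientSecret(hash_secret(new), None)
    out.append(validate_shared_secret(store.find("demo_client", t2), new, t2))  # rotated, cache stale
    store.invalidate("demo_client")
    out.append(validate_shared_secret(store.find("demo_client", t2), new, t2))  # invalidated: reloaded
    return out


if __name__ == "__main__":
    print(rotation_scenario())   # [True, False, False, True, False, True]
```

Results 3 and 5 are the situation described in the question: the database is right, the plaintext is right, and the token endpoint still logs "No matching hashed secret found" because validation runs against the cached client. Result 4 is the "it started working after a while" observation, and result 6 is what the invalidator is supposed to achieve immediately on a successful client update.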
-
0
How about the error when editing the Identity Client? I think due to this error, the cache has not been removed.
-
0
How about the error when editing the Identity Client?
Can you share the logs?
I think due to this error, the cache has not been removed.
Can you provide the full steps to reproduce? I will check it.
-
0
Hi liangshiwei,
To reproduce, you can create a new client in Administration > Identity Server > Clients, add a Secret. Save the client and then add another Secret and delete the previous. When you try to save, it will show the error.
-
0
Here is the log:
[08:14:56 ERR] Failed executing DbCommand (1ms) [Parameters=[@p0='?' (DbType = Guid), @p1='?', @p2='?', @p3='?', @p4='?' (DbType = DateTime), @p53='?' (DbType = Guid), @p5='?' (DbType = Int32), @p6='?' (DbType = Int32), @p7='?' (DbType = Int32), @p8='?' (DbType = Boolean), @p9='?' (DbType = Boolean), @p10='?' (DbType = Boolean), @p11='?' (DbType = Boolean), @p12='?', @p13='?' (DbType = Boolean), @p14='?' (DbType = Boolean), @p15='?' (DbType = Int32), @p16='?' (DbType = Boolean), @p17='?', @p18='?', @p19='?', @p20='?', @p21='?', @p22='?', @p54='?', @p23='?' (DbType = Int32), @p24='?' (DbType = DateTime), @p25='?' (DbType = Guid), @p26='?' (DbType = Guid), @p27='?' (DbType = DateTime), @p28='?', @p29='?' (DbType = Int32), @p30='?' (DbType = Boolean), @p31='?' (DbType = Boolean), @p32='?', @p33='?' (DbType = Boolean), @p34='?', @p35='?' (DbType = Int32), @p36='?' (DbType = Boolean), @p37='?' (DbType = Boolean), @p38='?' (DbType = DateTime), @p39='?' (DbType = Guid), @p40='?', @p41='?', @p42='?', @p43='?' (DbType = Int32), @p44='?' (DbType = Int32), @p45='?' (DbType = Boolean), @p46='?' (DbType = Boolean), @p47='?' (DbType = Boolean), @p48='?' (DbType = Boolean), @p49='?' (DbType = Int32), @p50='?' (DbType = Boolean), @p51='?', @p52='?' (DbType = Int32)], CommandType='Text', CommandTimeout='30']
INSERT INTO "IdentityServerClientSecrets" ("ClientId", "Type", "Value", "Description", "Expiration") VALUES (@p0, @p1, @p2, @p3, @p4);
UPDATE "IdentityServerClients" SET "AbsoluteRefreshTokenLifetime" = @p5, "AccessTokenLifetime" = @p6, "AccessTokenType" = @p7, "AllowAccessTokensViaBrowser" = @p8, "AllowOfflineAccess" = @p9, "AllowPlainTextPkce" = @p10, "AllowRememberConsent" = @p11, "AllowedIdentityTokenSigningAlgorithms" = @p12, "AlwaysIncludeUserClaimsInIdToken" = @p13, "AlwaysSendClientClaims" = @p14, "AuthorizationCodeLifetime" = @p15, "BackChannelLogoutSessionRequired" = @p16, "BackChannelLogoutUri" = @p17, "ClientClaimsPrefix" = @p18, "ClientId" = @p19, "ClientName" = @p20, "ClientUri" = @p21, "ConcurrencyStamp" = @p22, "ConsentLifetime" = @p23, "CreationTime" = @p24, "CreatorId" = @p25, "DeleterId" = @p26, "DeletionTime" = @p27, "Description" = @p28, "DeviceCodeLifetime" = @p29, "EnableLocalLogin" = @p30, "Enabled" = @p31, "ExtraProperties" = @p32, "FrontChannelLogoutSessionRequired" = @p33, "FrontChannelLogoutUri" = @p34, "IdentityTokenLifetime" = @p35, "IncludeJwtId" = @p36, "IsDeleted" = @p37, "LastModificationTime" = @p38, "LastModifierId" = @p39, "LogoUri" = @p40, "PairWiseSubjectSalt" = @p41, "ProtocolType" = @p42, "RefreshTokenExpiration" = @p43, "RefreshTokenUsage" = @p44, "RequireClientSecret" = @p45, "RequireConsent" = @p46, "RequirePkce" = @p47, "RequireRequestObject" = @p48, "SlidingRefreshTokenLifetime" = @p49, "UpdateAccessTokenClaimsOnRefresh" = @p50, "UserCodeType" = @p51, "UserSsoLifetime" = @p52 WHERE "Id" = @p53 AND "ConcurrencyStamp" = @p54;
[08:14:56 ERR] An exception occurred in the database while saving changes for context type 'Volo.Abp.IdentityServer.EntityFrameworkCore.IdentityServerDbContext'.
Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while saving the entity changes. See the inner exception for details.
---> Npgsql.PostgresException (0x80004005): 23505: duplicate key value violates unique constraint "PK_IdentityServerClientSecrets"
DETAIL: Detail redacted as it may contain sensitive data. Specify 'Include Error Detail' in the connection string to include this information.
   at Npgsql.Internal.NpgsqlConnector.<ReadMessage>g__ReadMessageLong|211_0(NpgsqlConnector connector, Boolean async, DataRowLoadingMode dataRowLoadingMode, Boolean readingNotifications, Boolean isReadingPrependedMessage)
   at Npgsql.NpgsqlDataReader.NextResult(Boolean async, Boolean isConsuming, CancellationToken cancellationToken)
   at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
   at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
   at Npgsql.NpgsqlCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReaderAsync(RelationalCommandParameterObject parameterObject, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReaderAsync(RelationalCommandParameterObject parameterObject, CancellationToken cancellationToken)
   at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
Exception data:
  Severity: ERROR
  SqlState: 23505
  MessageText: duplicate key value violates unique constraint "PK_IdentityServerClientSecrets"
  Detail: Detail redacted as it may contain sensitive data. Specify 'Include Error Detail' in the connection string to include this information.
  SchemaName: public
  TableName: IdentityServerClientSecrets
  ConstraintName: PK_IdentityServerClientSecrets
  File: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\access\nbtree\nbtinsert.c
  Line: 656
  Routine: _bt_check_unique
--- End of inner exception stack trace ---
-
0
Another question. I'm using RabbitMQ as Broker Message. We had another issue related to User Role Event Handler not being called because of this. Do you think that the event handler for Clients that removes the cache could not be reached due to the RabbitMQ?
-
0
Hi,
The IdentityServerCacheItemInvalidator is a local event handler class, so I think RabbitMQ will not affect it.

> To reproduce, you can create a new client in Administration > Identity Server > Clients, add a Secret. Save the client and then add another Secret and delete the previous. When you try to save, it will show the error.
I could reproduce the problem, we will fix it in the patch version, your ticket has been refunded.
-
0
For now, you can try this:
Add to your *.ApplicationAutoMapperProfile:

CreateMap<ApiResourceSecret, ApiResourceSecretDto>()
    .ForMember(d => d.Value, x => x.MapFrom(_ => _.Value));
CreateMap<ClientSecret, ClientSecretDto>()
    .ForMember(d => d.Value, x => x.MapFrom(_ => _.Value));
-
0
Ok, no problem. I've already fixed the Secret expiration date/time by changing the database and restarting the server to clear the cache.