DefaultTokenService #3938 | Support

mgurer created 2 years ago

ABP Framework version: v6.0.0
UI type: Blazor
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): yes
Exception message and stack trace:
Steps to reproduce the issue:"

Hi, there was a class named DefaultTokenService of IdentityServer4. After switching to OpendIddict, the class is missing. I used to override that class in AuthServer project and add some dynamic claims to token.

Can you suggest me a new way for the missing class?

Thanks.

17 Answer(s)

0

maliming created 2 years ago
Support Team Fullstack Developer

hi

https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token
0

mgurer created 2 years ago

Hi,

I think the document is not about adding new claims to the token. It is about switching the destination of an already added claim. It helps to decide where the claim exists (idtoken or accesstoken).

The claims property of the context is a readonly array and can not be altered. Using this class, I can not add a new claim to the context but I can alter it is destination.

I need to add new claims to the context, not to alter their locations.

Thanks
0

maliming created 2 years ago
Support Team Fullstack Developer

hi

https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory
0

mgurer created 2 years ago

It works as expected on password flow.

I could not test it on refresh_token flow. I will open another ticket for that issue.

Thank for your support.
0

mgurer created 2 years ago

I just tested the refresh_token flow. Suggested solution does not suitable for refresh_tokens. The solutions is fine for password flow. IdentityServer4's DefaultTokenService was working as expected. I need to alter/add claims to token even in the refresh_token flow.
0

maliming created 2 years ago
Support Team Fullstack Developer

I just tested the refresh_token flow

Can you share your steps?
0

mgurer created 2 years ago

I created a micro service pro project Run the solution Added a demo client with client_credentials and refresh_token options available.

Folowed the steps in the document; https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory

Added a ClaimsPrincipalContributor file to authserver project

Called the token endpoint using client_credentials flow. I successfully interrupted the flow and breakpoint on ContributeAsync method hit. I called the token endpoint using refresh_token flow. The ContributeAsync is not visited.

So the ContributeAsync method is only visited on client_credentials flow. On IS4 version, I created DefaultTokenService class and this class is visited on both flows.
0

maliming created 2 years ago
Support Team Fullstack Developer

I called the token endpoint using refresh_token flow.

Can you share your access_token and HTTP request info?
0

mgurer created 2 years ago

Nope, I will not supply any further information. I am sick of endless questions.The issues is so clear, I asked you where the DefaultTokenService is gone, you said there is an alternative. I said alternative is not acting same when the flow is refresh_token. This is the summary and enough to see what is going on. If you have something to say, this information is enough. I am not your beta tester. I am tired of this buggy abp version. It already took 15 days to migrate. I am on live, stressed enough and I dont accept any meaningless questions anymore. If you are not able to give me a proper answer, please dont pretend to do so. This version of abp sucksssssss.. It is 5 times slower than before.. If you have nothing to say, close the ticket.
0

maliming created 2 years ago
Support Team Fullstack Developer

hi

refresh_token basically uses the claims from the access_token. So it shouldn't be a problem.
0

mgurer created 2 years ago

Bu there is a problem. I insist that IAbpClaimsPrincipalContributor is nothing to do with refresh_token flow. Is there anyone else can confirm me? Please do not answer if you have only assumptions but not tested for yourself.
0

maliming created 2 years ago
Support Team Fullstack Developer

I insist that IAbpClaimsPrincipalContributor is nothing to do with refresh_token flow

You will get access_token and refresh_token first. Then use refresh_token to get them again.

The IAbpClaimsPrincipalContributor will be called when generating the access_token, and refresh_token will copy claims from access_token's principal.

Talk is cheap. You can prepare a simple demo project to reproduce your real problem.
support@abp.io

mgurer created 2 years ago

Here is the CoMedClaimsPrincipalContributor.cs used in test;

using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

namespace CoMed.AuthServer;

public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency
{
    public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
    {
        await Task.CompletedTask;
    }
}

steps to create a test;

mkdir CoMed
cd CoMed
abp new CoMed -t microservice-pro -u blazor

cd etc
cd docker
.\up.ps1
cd ..
cd ..

open \apps\auth-server\CoMed.AuthServer.sln in visual studio
add CoMedClaimsPrincipalContributor.cs file. (path: apps\auth-server\src\CoMed.AuthServer\CoMedClaimsPrincipalContributor.cs)

return to console

dotnet restore
dotnet build /graphBuild

.\run-tye.ps1

open browser browse https://localhost:44307 see afterLeptonXInitialization error still exists in v6.1 login with default credentials go to openid/applications tab create new application: clientid: demo displayname: Demo password: 123456 type: confidential client allow password flow allow client credentials flow allow refresh token flow give access to all scopes save the app close the browser stop the tye. ctrl+c reopen CoMed.AuthServer.sln project run project with CoMed.AuthServer profile. Place break point on CoMedClaimsPrincipalContributor/ContributeAsync method. Open postman ui. 1 - test with password flow:

var client = new RestClient("https://localhost:44322/connect/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("client_id", "demo");
request.AddParameter("client_secret", "123456");
request.AddParameter("grant_type", "password");
request.AddParameter("username", "admin");
request.AddParameter("password", "1q2w3E*");
request.AddParameter("scope", "offline_access");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

see break-point hits three times.

2 - copy the refresh_token value, use in your own test. test with refresh_token flow and see break point does not hit.

var client = new RestClient("https://localhost:44322/connect/token");
client.Timeout = -1;
var request = new RestRequest(Method.POST);
request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
request.AddParameter("refresh_token", "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiIxNzQ5Njc3QzkwRjU1MDUyNTYwNDc0QUM4RDhGMjk2QTA2NkI4RDNCIiwidHlwIjoib2lfcmVmdCtqd3QifQ.joQFH7tLYdrHK1_g5B0p3i8Xvq-kivcQX7wtPwtHRMmxnfD_1csi1ik7GwpqWPfKKdC1X4NvXvBBw0PqgUmn11VsxJe8l8_PFZa9_p1M7OWKkbuKkkpU58Bb-cuw7VV-_lzeqKF4xqugK3Aeko5HAvESqwHoWARaw0BX1xnooue5D8lT-wtxeqbN9qY3kwFXnaIltosTQ6QqAQeGQ2Ft4NUd5QRI3hsv74LA3kDf2biJDtGxKmM-8JvA9ouA0trGg0EzS9b2vXuHDL4uFmWDrcMj9oLMgmcnXSO88d04gn--eU65VtDa_lu7ZYCiwPtJ5eX2BqVbdWl-YX9FSxsz5Q.WrtU66BNpifWT7RO3Aq-qA.kWx0LOOQmNmOHKJF79J_8eBzNytPr4pAR8AULxBHFRUAa4DkTVCKuxMbadF_lo9-Pw7Wr0cqKLvMl5DEh80J5Y726aO4qJRpBZQnkdLO_lKyfqKFohc86r9Cu0GWVfgJUvRd7e12_gJD7cWLZYN_wsfB1XQtGp-HnmzarJnECcAKUE4l__Ri_0cxQInoZhsdN27quYj3Qy-DiAoL6I3kmtjUalv3Qr00g8mPdnho3Ej3l-riu8ZvjNQokvsnCnkaCbCHQ_B4Do1ecYHEXPmVeObTf-L_GQmFan29AnuktXwPJfBQko0obDkRSdL5kLp1mroi-pgMo-ExFpYlgnAyt6fq0173vS4cnHcBHrnDWkeSZmcuT0PzSBmQc4C4KV0vEJxCPA8TqWUzixJ7IWwtWUfqMseDmgJG3pXTL43RiW1ZhdehnHmrw3hFRK5zG539OwCXTNGPcaVMB4kO29qihlRhiyxIvz9-DmPSXyzxFVDJVEsXbv5PLy0hv-OnBJgW7o3T7-FTmr1ckvmeb7yiXL35JFJ4JKbDJuVtHwQV-2bSssNIwjdOeNoJqxMoaH9rnmcAtn97PJt0hWH5nB8y4m1tXW4zP1fkmS2yPZmDEP3aFhgK1RlXW3tQWpSYN_TvT92_1BSyTo6nkNwNAraZGaTin9JLHp4uUUfORvwlqGmH3ji7UD4t1SXWAXYo09w5RjIc9ANnkN5d17JTeZGTrEj9A0_kXriLyjUm5GDJAKu2x-isp0zqHlnUXxBQpQn06XO9R2Aeu0jVcoX0Mxi36zS0yER_d1TX0mShbdU9rec4f9E5E-c53_tvIKW2yD6dbp-YnwMlgwi7AP0_YOQbpCwIvi04qZ77KJOLt2tRp0gHSk5oC4lepB7a4wGchdO0dAcj-BjLbVIqau-8YK_OLE3UfpxNU0Xp0AAB1XCWrijd3d3sD_9Qq52D7xy4JN7E0Rs_3sDQhGr36AX5Iew1lOZ-FWvUb7Cr30N_Eq6tbj7y-ubF4zxsFgb97frN9fupO71OKQx1ql1AF0TbAyT9Rs1fdHqYkPOkpoDEUflraitwYehnRFWumLfQCp7oaZ0hwdwpgJF9q4IATdf4fCJ0TRjXmmFk5YG7n6j7XIYBzXBd1ucg2XOybMI2YaU5mAvDj0O2esTEJd-EwUTt719myGyixUVLzFw25LUxc9fdcdIinvBffuMytkJbLe2LREs95SuACVMeZ6RT_x151gtl93vBwQWkuil_5UgyJVjdWVwOrRE5pPNU1siU3e6-ofxBPlZo7motsgAB3kyEdHrIIhd8Of1HwEuXefLPKV9LAurMGNau8x5HwkyJ6WkxVKuXRaIq1iGlR977WCqLA5WHw9j3MYPxkpB255KaQk3SDHke1KASduX5NbEfj3N9ttDOGB-cTGzRuItgI0vG8-hlRrC0xOP2g7sL6SElRAwWtiD3uxURFAJOt6TK12TAQ_RlNLWhvve-TVpbIqJkE4XdAJYHxaGegCbg07_iBvXX8qGByr1KLDaueAH0D2Zs-JkCbawJHa7lTAddkLRO19AdtGczRb-8vQhpFvPP3i526MBrY23pMeeRUasgbP4Tda1bTetbN7gNbVUm-icesy2gL9KPlJJQ0jnrA_miE3Vt89RQnevv5SVJgtNrXZlOASqHSLWozpj3E7sPAXDUH-jTi6KH71GgqG5GzwRenH5AN8Y2VdXllY24uzXt6tf_6x-recZGHY8AbQoP5DLhS9hSmfrCVAFPhfdhGuK77aiNPJMLPGLFSgnmu84BhXd7j5Qv0YhOH4FTm7cAlAxJGVatcg9wP_wu1HMdmPMWJ7q38aRlUawaGBeRzdQHnzq5UvlOcK1LboxbJe4-sulXSnxaiPXM2ZdbSY0l3ZkmNZrC5snhAsnGSUaF_soLRRBaDthtVza8q97Jqpi4y97vKRM_UwZubbaWv5VLF3K358BBabM9nz7qiUdR0B4Ib00UTrUIUY9Kjs7TWftPAAR7CdbKxo96hCf8rXMo7aXAOzG6t2t7a0IujucKK2i4wpYJZlj1-8xcFcu1vcvxXrGdLHXxlQU39Tgmus5OpHLkZY4hbLvsUpjV7jy4Cf_n7WGMR910fCtiZCfhPN9bvZ7oklh-HeAv34mvb94kfjjilHDqrbk.jC3WoYCk0LGa9NzsuVvE1GC0mv65plGJk-1swnm17iQ");
request.AddParameter("client_id", "demo");
request.AddParameter("client_secret", "123456");
request.AddParameter("grant_type", "refresh_token");
IRestResponse response = client.Execute(request);
Console.WriteLine(response.Content);

0

mgurer created 2 years ago

Any suggestions????
-1

maliming created 2 years ago
Support Team Fullstack Developer

hi mgurer

I confirmed that CoMedClaimsPrincipalContributor will not be called, Dynamic cliams may not be added or replaced. I will provide a solution as soon as possible,

maliming created 2 years ago

Support Team Fullstack Developer

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<OpenIddictServerBuilder>(builder =>
    {
        builder.AddEventHandler(MyPrepareAccessTokenPrincipal.Descriptor);
    });
}


using System.Security.Claims;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

namespace MyPrepareAccessTokenPrincipal;

public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency
{
    public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
    {
        var identity = context.ClaimsPrincipal.Identities.FirstOrDefault();
        identity?.AddClaim(new Claim("SocialSecurityNumber", "Old SocialSecurityNumber"));
        await Task.CompletedTask;
    }
}


public class MyPrepareAccessTokenPrincipal : IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext>
{
    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
            = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ProcessSignInContext>()
                .AddFilter<OpenIddictServerHandlerFilters.RequireAccessTokenGenerated>()
                .UseSingletonHandler<MyPrepareAccessTokenPrincipal>()
                .SetOrder(OpenIddictServerHandlers.PrepareAccessTokenPrincipal.Descriptor.Order + 1)
                .SetType(OpenIddictServerHandlerType.Custom)
                .Build();

    public ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignInContext context)
    {
        var identity = context.AccessTokenPrincipal?.Identities.FirstOrDefault();
        identity?.RemoveClaims("SocialSecurityNumber");
        identity?.AddClaim(new Claim("SocialSecurityNumber", DateTime.Now.ToString("s")));
        return default;
    }
}

1

mgurer created 2 years ago

Hi maliming.

Thank you.

The new solution works as expected.

It is way better than the previous one.

Have an answer to this question? Log in and write your answer.

Assignee

maliming

Labels