Open Closed

Token expiration / permissions cache issue in Blazor Server with LeptonX #4614


User avatar
0
mobajwa created
  • ABP Framework version: v7.0.2

  • UI type: Blazor Server

  • DB provider: EF Core

  • Tiered (MVC) or Identity Server Separated (Angular): yes

  • Exception message and stack trace: Blazor logs: 2023-02-27 17:50:24.528 +00:00 [INF] Received HTTP response headers after 118.4314ms - 200 2023-02-27 17:50:24.528 +00:00 [INF] End processing HTTP request after 118.6985ms - 200 2023-02-27 17:50:24.538 +00:00 [INF] Authorization failed. These requirements were not met: PermissionRequirement: SettingManagement.Emailing HttpApi.Host logs: 2023-02-27 17:50:24.169 +00:00 [INF] Request starting HTTP/1.1 GET https://localhost:44397/api/abp/application-configuration?IncludeLocalizationResources=False&api-version=1.0 - - 2023-02-27 17:50:24.178 +00:00 [INF] Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenExpiredException: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '2/24/2023 11:31:19 PM', Current time: '2/27/2023 5:50:24 PM'. at Microsoft.IdentityModel.Tokens.Validators.ValidateLifetime(Nullable1 notBefore, Nullable1 expires, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateLifetime(Nullable1 notBefore, Nullable1 expires, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown) --- End of stack trace from previous location --- at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() 2023-02-27 17:50:24.178 +00:00 [INF] Bearer was not authenticated. Failure message: IDX10223: Lifetime validation failed. The token is expired. ValidTo: '2/24/2023 11:31:19 PM', Current time: '2/27/2023 5:50:24 PM'.

  • Steps to reproduce the issue: Generate a tiered solution with LeptonX theme with ABP Suite

Some time (let's say an hour) after signing in users can't access protected pages, and menu items are missing.

I updated Volo.Abp.AspNetCore.Components.Server.LeptonXTheme and Volo.Abp.AspNetCore.Mvc.UI.Theme.LeptonX to 2.2.0-preview20230224, and the rest of Volo packages to 7.1.0-rc.2 and the issue is still there.

The only thing that temporarily makes permissions work again is clearing cookies and flushing Redis cache.

The issue is similar to these: https://github.com/abpframework/abp/issues/14068 https://support.abp.io/QA/Questions/4348/Permission-get-lost-during-application-running https://support.abp.io/QA/Questions/4561/Strange-ConnectionCaching-Behavior


6 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will find a way.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The only thing that temporarily makes permissions work again is clearing cookies and flushing Redis cache.

    After that, refreshing the page will work.

    options.Events.OnValidatePrincipal

    context.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies", options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromDays(365);
        options.Events.OnValidatePrincipal = async principalContext =>
        {
            if (principalContext.Principal != null && principalContext.Principal.Identity != null && principalContext.Principal.Identity.IsAuthenticated)
            {
                var accessToken = principalContext.Properties.GetTokenValue("access_token");
                if (accessToken.IsNullOrWhiteSpace())
                {
                    principalContext.RejectPrincipal();
                    await principalContext.HttpContext.SignOutAsync("Cookies");
                    return;
                }
    
                var httpClient = principalContext.HttpContext.RequestServices.GetRequiredService<IHttpClientFactory>().CreateClient();
                var response = await httpClient.IntrospectTokenAsync(new TokenIntrospectionRequest
                {
                    Address = configuration["AuthServer:Authority"] + "/connect/introspect",
                    ClientId = configuration["AuthServer:ClientId"],
                    ClientSecret = configuration["AuthServer:ClientSecret"],
                    Token = accessToken
                });
    
                if (!response.IsActive)
                {
                    principalContext.RejectPrincipal();
                    await principalContext.HttpContext.SignOutAsync("Cookies");
                }
            }
        };
    })
    .AddAbpOpenIdConnect("oidc", options =>
    {
        options.Authority = configuration["AuthServer:Authority"];
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);;
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    
        options.ClientId = configuration["AuthServer:ClientId"];
        options.ClientSecret = configuration["AuthServer:ClientSecret"];
    
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
    
        options.Scope.Add("roles");
        options.Scope.Add("email");
        options.Scope.Add("phone");
        options.Scope.Add("BookStore");
    });
    
  • User Avatar
    0
    mobajwa created

    Hi Thank you for quick response.

    So far looks good, I'll give it a day or two to test it and if I don't run into any issues, I'll close the question.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Thanks

  • User Avatar
    0
    mobajwa created

    Works like a charm. Thank you!

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    https://github.com/abpframework/abp/pull/15876

Made with ❤️ on ABP v9.1.0-preview. Updated on December 26, 2024, 06:07