Starts in:
2 DAYS
7 HRS
14 MIN
6 SEC
Starts in:
2 D
7 H
14 M
6 S
Open Closed

Issue while implementing the impersonation in micro Service based solution #6518


User avatar
0
viswajwalith created
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..) / MongoDB
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue: We are trying to implement impersonation in ABP 7.3.2 but in the documentaton (https://docs.abp.io/en/commercial/7.3/modules/account/impersonation#authserver-2) not able to see the steps specific to relevent version, still we went ahded and tried the steps povided but getting the below error even if we keep the maxLimit to <requestLimits maxAllowedContentLength="4294967295" />

the log is as follows

2024-01-17 17:38:46.244 +05:30 [INF] IDX10242: Security token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
2024-01-17 17:38:46.244 +05:30 [INF] IDX10239: Lifetime of the token is valid.
2024-01-17 17:38:46.244 +05:30 [ERR] IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
2024-01-17 17:38:46.245 +05:30 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location ---
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
has context menu

Please advise.


34 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://identityserver4.readthedocs.io/en/docs-preview/search.html?q=audience&check_keywords=yes&area=default

  • User Avatar
    0
    viswajwalith created

    https://identityserver4.readthedocs.io/en/docs-preview/search.html?q=audience&check_keywords=yes&area=default

    Thanks for the inputs, We will check and update accordingly

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok.

  • User Avatar
    0
    viswajwalith created

    hi

    Your JwtBearer requires an AccountService audience.

    context.Services.AddAuthentication() 
        .AddJwtBearer(options => 
        { 
            options.Authority = configuration["AuthServer:Authority"]; 
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); 
            options.Audience = "AccountService"; 
        }); 
    

    but your access token doesn't have this audience.

    By the way, does AccountService exist in your identity server?

    AccountService does not exist in our identity server, We upgraded our Application from Version 5.1.3 to 7.3.2 and there was no AccountService in 5.1.3, Can you please what will be the best possiblesolution

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You need to use a existing scope eg AuthServer

    context.Services.AddAuthentication() 
        .AddJwtBearer(options => 
        { 
            options.Authority = configuration["AuthServer:Authority"]; 
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); 
            options.Audience = "AuthServer"; 
        }); 
    
  • User Avatar
    0
    viswajwalith created

    hi

    You need to use a existing scope eg AuthServer

    context.Services.AddAuthentication()  
        .AddJwtBearer(options =>  
        {  
            options.Authority = configuration["AuthServer:Authority"];  
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);  
            options.Audience = "AuthServer";  
        });  
    

    Thanks for the quick response, below is our Auth server Audiance, do we need to replace 'AccountService' with 'AuthServer' or we need to add new Audiance 'AuthServer'?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I think you should replace all AccountService with AuthServer

  • User Avatar
    0
    viswajwalith created

    hi

    I think you should replace all AccountService with AuthServer

    We tried this, We replaced AccountService with AuthServer and logged in with User A. We try to Impersonate user B, it taking us to Authserver login page(https://localhost:44322/Account/Login), there are no errors in log file.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Your AccountController in the web project should inherit from AbpAccountImpersonationChallengeAccountController

    public class AccountController : AbpAccountImpersonationChallengeAccountController
    {
    
    }
    
    
Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06