- ABP Framework version: v8.3.4
- UI Type: Angular
- Database System: EF Core (SQL Server & PostgreSQL)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Steps to reproduce the issue:
I have enabled the Dynamic Claims feature in my application to prevent concurrent logins by adding the following configurations in HttpApiHostModule and AuthServerModule:
    // In ConfigureServices:
    context.Services.Configure<AbpClaimsPrincipalFactoryOptions>(options =>
    {
        options.IsDynamicClaimsEnabled = true;
    });

    // In OnApplicationInitialization:
    app.UseDynamicClaims();
I placed app.UseDynamicClaims(); before app.UseAuthorization(); as recommended in the documentation.
However, I am facing the following issue:
When logging in as a host admin, the granted permissions are empty in the application configuration. This prevents the admin from seeing menus and accessing certain pages.
5 Answer(s)
-
0
hi
How can I reproduce this problem in a new template project?
Can you share the code and steps?
Thanks
-
0
hi,
This happens even in MVC.
To reproduce as I noticed: you wait (without any actions sometimes) till Token expired but not the cookie, when the Web calls HostApi, which does not accept the Web Token, this issue happens. I tried to change cookie and Token configs but still face it.
Most of the time, logging out does not solve it, nor does cleaning the browser cache.
This happens in development and production environments. Currently The ONLY WORKAROUND FOR THIS: Clean REDIS cache
I think this is related to some encryption keys for the Token stored in the REDIS cache; when the cache is cleared, the system re-generates some keys.
-
0
hi
I tried to change cookie and Token configs but still face it.
Do you mean this?
https://abp.io/docs/latest/modules/openiddict-pro#setting-tokens-lifetime
Can you try to call CheckTokenExpiration in AddCookies?

    context.Services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies", options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromDays(365);
            options.CheckTokenExpiration();
        })
        .AddAbpOpenIdConnect("oidc", options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = configuration.GetValue<bool>("AuthServer:RequireHttpsMetadata");
            // ...
        });
-
0
Yes, I did that too, but the problem still persists.
Were you able to reproduce this issue?
-
0
hi
To reproduce as I noticed: you wait (without any actions sometimes) till Token expired but not the cookie,
The CheckTokenExpiration method will check your access_token. It will log out the cookies if the token is invalid.
Can you set a breakpoint on this method to see what happened?
Thanks.
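
The behaviour described in the last answer (a cookie that outlives its access token gets signed out), sketched as an added example using only standard ASP.NET Core cookie events. This is not ABP's implementation of CheckTokenExpiration and not code from this thread; the class and method names are hypothetical, and it assumes the OpenID Connect handler runs with SaveTokens enabled so that "expires_at" is stored in the cookie.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Added illustration only; names below are hypothetical, not ABP APIs.
public static class CookieTokenExpirationExample
{
    // Call inside AddCookie("Cookies", options => { ... }).
    public static void RejectWhenAccessTokenExpired(this CookieAuthenticationOptions options)
    {
        // Keep any validation handler that was registered earlier.
        var previous = options.Events.OnValidatePrincipal;

        options.Events.OnValidatePrincipal = async context =>
        {
            await previous(context);
            if (context.Principal == null)
            {
                return; // an earlier handler already rejected the cookie
            }

            // Written by the OpenID Connect handler when SaveTokens = true (assumption).
            var expiresAt = context.Properties.GetTokenValue("expires_at");

            if (IsExpired(expiresAt, DateTimeOffset.UtcNow))
            {
                // The cookie is still valid but the token it carries is not:
                // drop the principal and clear the cookie so the user re-authenticates.
                context.RejectPrincipal();
                await context.HttpContext.SignOutAsync(context.Scheme.Name);
            }
        };
    }

    // Pure helper, easy to unit test or to set a breakpoint on.
    public static bool IsExpired(string? expiresAt, DateTimeOffset now)
    {
        if (string.IsNullOrEmpty(expiresAt))
        {
            return false; // no token stored in this cookie, nothing to compare
        }

        return DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                   DateTimeStyles.RoundtripKind, out var expiry)
               && expiry <= now;
    }
}
```

A breakpoint inside the OnValidatePrincipal handler shows, per request, the stored expires_at value next to the current time, which is the comparison that matters when the cookie lifetime (365 days above) is much longer than the token lifetime.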