ABP Framework version: v8.1.3
UI Type: Angular
Database System: EF Core (Oracle)
Auth Server Separated OpenID Server
I still can't get logout to work consistently in my Angular applications.
First of all, I commented the line - just for your information:
path: '',
pathMatch: 'full',
loadChildren: () => import('@my-home-page-package').then(m => m.MyHomeModule),
// canActivate: [AuthGuard] // This was a logout blocker
A) If i use this code:
export class MyServerErrorInterceptor implements HttpInterceptor {
constructor(private router: Router) { }
intercept(request: HttpRequest<any>, next: HttpHandler): Observable<HttpEvent<any>> {
return next.handle(request).pipe(
catchError((error: HttpErrorResponse) => {
if (error.status === 401) {
return EMPTY;
} else {
return throwError(error);
and click "Logout" link in the user menu, the logout seems to be working as expected from tab 1 in the browser. However if I have another page being open from the same site in tab 2 - it is not redirected to Login page: instead, I come up with an empty (no navigation menu) home page shown in this tab;
B) If i replace ['/']
with ['/login']
in the code above - both tabs react on this, however I end up with the endless loop, when both tabs try to do something and it never ends;
Also - if i have only one tab of the application opened in the browser, I still have a weird situation, when after getting connect/revocat
request (twice, btw - ??) and several 401 API requests, I see (so i see traditional openid-configuration
and so forth), so I am not actually logged out - but redirected to a home page;
C) If i emulate the situation with a token expiration - removing "local storage" data in the browser, I expect to be redirected to Login page on the next request attempt (instead of giving me error 401). So the setting (B) provides this, however setting (A) redirects me to a no-menu home page;
And in general, logout process visually does not look good: I expect if a user clicks "Logout" - he is redirected to Login page straight away. Instead, I see the navigation menu is being disappeared and still observing a home page while some server operations are taking place;
I have some Middleware in my OpenID Server module to do cleaning work on httpContext.Request.Path.Value == "/connect/logout"
scenario (B) (but works fine with scenario (A) - the exception does not happen). So I commented it, but it RANDOMLY affected the described scenario (sometimes it did, sometimes it did not):
public async Task InvokeAsync(HttpContext httpContext, IAbxRequestContext requestContext, IdentityUserManager userManager)
await _next(httpContext);
if (httpContext.Request.Path.Value == "/connect/logout")
await OnSessionEndRequestAsync(httpContext, userManager);
private async Task OnSessionEndRequestAsync(HttpContext httpContext, IdentityUserManager userManager)
var user = await userManager.GetUserAsync(httpContext.User); //IF IT GETS INVOKED AND CRASHES - IT SEEMS TO AFFECT THE LOGOUT
//Some cleaning routine - accessing DB, removing entries
catch(Exception ex)
_logger.LogError(ex, "Session End handling error");
Thus, I have no clue what might be a real root cause of the logout issue.
I kindly ask you to provide me with the correct settings (code) for a front-end and a back-end settings which might be relevant to the situation.
I cannot provide you with our code, sorry.
My suggestion is to start with a root cause of the exception in the call above. It is:
at System.Threading.CancellationToken.ThrowOperationCanceledException()
at System.Threading.CancellationToken.ThrowIfCancellationRequested()
at Volo.Abp.Identity.IdentityUserStore.FindByIdAsync(String userId, CancellationToken cancellationToken)
at Castle.Proxies.IdentityUserManagerProxy.FindByIdAsync_callback(String userId)
at Castle.Proxies.Invocations.UserManager1_FindByIdAsync.InvokeMethodOnTarget() at Castle.DynamicProxy.AbstractInvocation.Proceed() at Castle.DynamicProxy.AbstractInvocation.ProceedInfo.Invoke() at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo) at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue
at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func
3 proceed)
at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync() at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation) at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter
1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
whereas httpContext.User
is OK (data is ok and it is authenticated).
96 Answer(s)
The js code will do the follow work:
Both tabs will register a load event.
If one of the tabs logs in to the website, it will write thestateKey
, and then the other tab will receive the storage change event, and you can refresh or redirect to the homepage(/
).Please ensure that the login and other pages have loaded this script
(function () { const stateKey = 'authentication-state-id'; window.addEventListener('load', function () { if (!abp || !abp.currentUser) { return; } if (!abp.currentUser.isAuthenticated) { localStorage.removeItem(stateKey); } else { localStorage.setItem(stateKey, abp.currentUser.id); } window.addEventListener('storage', function (event) { if (event.key !== stateKey || event.oldValue === event.newValue) { return; } if (event.oldValue || !event.newValue) { window.location.reload(); } else { location.assign('/') } }); }); }());
Hi. Thank you. I have the window load handler both in the OpenID server module added via
and the same logic added viaapp.component.ts
constructor like this (the load handler code DOES get triggered when I load Angular app pages):this.document.defaultView.addEventListener('storage', event => { if (event.key === 'access_token' && event.newValue === null) { this.document.defaultView.location.reload(); } }); const stateKey = 'authentication-state-id'; const onLoad = () => { if (!this.currentUser.isAuthenticated) { // this.configStateService.getOne('currentUser') localStorage.removeItem(stateKey); } else { localStorage.setItem(stateKey, this.currentUser.id); } this.document.defaultView.addEventListener('storage', (event) => { if (event.key !== stateKey || event.oldValue === event.newValue) { return; } if (event.oldValue || !event.newValue) { this.document.defaultView.location.reload(); } else { location.assign('/'); } }); }; if (this.document.readyState === 'complete') { onLoad(); } else { this.document.defaultView?.addEventListener('load', onLoad); }
However, the error 400 is still there (with the same "The provided antiforgery token was meant for a different claims-based user than the current user." exception message): when I click "Login" button in OpenID server web page in the passive tab - neither code of
is invoked (I put the breakpoints everywhere).What am I doing wrong?
Any update?
Thank you for your patience, and I apologize for the delayed response. I have carefully revisited your concern in light of the latest updates. Based on the analysis, the logs and debugs are not triggered as the errors in question are likely occurring earlier in the process.
Here is a detailed explanation of the issue:
400 Bad Request
Error:This error indicates that the request to the identity provider (IdP) was unsuccessful. Common causes include:
Expired sessions.
Incorrect or missing parameters.
Validation issues on the IdP side.
When this error occurs, the OpenID Connect library is unable to complete the authentication flow, leading to a secondary error.
Recommended Approach:
To achieve a clearer response from the library, consider reviewing the discussion here and implementing the solution described in this sample project.
Error:As illustrated in the attached example, this secondary error occurs when the library detects an incomplete or invalid flow and securely terminates it to prevent further processing with incorrect or missing information.
This behavior is by design and serves as a safeguard, ensuring that broken authentication attempts are securely halted. It is not indicative of a bug, but rather a critical feature to maintain security. However, this may have downstream impacts on your business logic, so adjustments might be necessary to account for this scenario.
Reopening. Thank you for your response. Unfortunately, I am currently overwhelmed with my existing tasks and do not have the time to analyze your reply at the moment.
thank you for the reply. Whereas I cannot handle this issue now and I did not dig into the suggested project, I have a quick question for you: will it be easy to integrate the authenticate service solution by your link into our ABP-based solution? In fact, I have no idea how it works "under the hood" now, because we just use a standardAuthService
to log out and it is place in a separate NPM component. No custom logic attached. So what is it supposed to be at the very end? ReplacingAuthService
of ABP with the customized version from the mentioned project viaproviders
? -
Hi alex,
The problem is not exactly on client side, server is not allows you to authenticate at the same time with multiple tabs. We'll handle this behavior on client side in someway yet, this very specific case for the occur. We'll try to handle this error with specificed code or content. You might handle this problem with error handling maybe custom interceptor can help with that until we fix
I reopened the question
Thank you. So I have tried to figure out what can I do to hastily solve this problem till a solid solution is implemented in ABP framework. However, I might need your input / explanation here.
From what I can see, 'XSRF-TOKEN' is stored in OpenID server's cookies. And it is 'reused' later in the hidden field of a Login form of Angular app. So when I silently reload the second tab on logging out in the first tab (this is done via
this.window.addEventListener('storage', event => { if (event.key === 'access_token' && event.newValue === null) { this.window.location.reload(); } })
and this is exactly how i want it to behave) - this hash seems to remain the same. Though, when I log in from the active tab - it works fine, when I try to do the same from the second tab - it does not. I do not understand the logic under it: the same user, the same hash, butAntiforgery token validation failed. The provided antiforgery token was meant for a different claims-based user than the current user. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user
A new session - that's why? How to deal with that then? If a custom antiforgery token implementation omits the timestamp and session information, it obviously has a negative security side effect (and the antiforgery protection loses its point). So I expected that a user on the second tab would join the existing session (from the first tab) instead of creating a new one. -
Any updates?
We are really sorry for the delay. We are working on a solution to fix this issue and appreciate your understanding while we are sorting it out.
I'm reopening the issue. Let me know the recent status of this problem.
If this is the question for me - i don't know what to say. I was trying to make some local fix, but for this, i need some assistance from your team side. However your team member from Angular division writes above that they are working on the fix now... So should I better wait?
If it aligns with your approach, you can temporarily replace the
with your own service to manage this part.//app.module.ts @NgModule({ ... providers: [ { provide: LocalStorageListenerService, useValue: MyLocalStorageListenerService, }, ... ], ... }) export class AppModule {}
//my-local-storage-listener.service.ts @Injectable({ providedIn: 'root', }) export class MyLocalStorageListenerService {}
It might be allright to replace the service... But for the start, I would like to understand the issue better. I was trying to figure out the issue here...
We understand the issue you mentioned requires configuration on our end, and we are currently working on it. If proceeding with the service replacement does not align with your needs, please let us know.
The point is that I do not know how to use this service to resolve the current issue with AntiForgery token. Sorry.
Regarding the antiforgery token issue, as a temporary solution, I recommend overriding the service like this. You can also apply the same logic in your app.component.ts if that works better for you.
//app.module.ts @NgModule({ ... providers: [ { provide: LocalStorageListenerService, useValue: MyLocalStorageListenerService, }, ... ], ... }) export class AppModule {}
//my-local-storage-listener.service.ts import { DOCUMENT } from '@angular/common'; import { inject, Injectable } from '@angular/core'; @Injectable({ providedIn: 'root', }) export class MyLocalStorageListenerService { window = inject(DOCUMENT).defaultView; constructor() { this.window.addEventListener('storage', event => { if (event.key !== 'access_token') { return; } const tokenRemoved = event.newValue === null; const tokenAdded = event.oldValue === null && event.newValue !== null; if (tokenRemoved || tokenAdded) { location.assign('/'); } }); } }
I cannot find where should I reference
from... Expected@abp/ng.core
, but it is not there. -
is located inside the core library, but you can also take the same action in theapp.component.ts
export class AppComponent { window = inject(DOCUMENT).defaultView; constructor() { this.window.addEventListener('storage', event => { if (event.key !== 'access_token') { return; } const tokenRemoved = event.newValue === null; const tokenAdded = event.oldValue === null && event.newValue !== null; if (tokenRemoved || tokenAdded) { location.assign('/'); } }); } }
I have tried this approach and it does not work: I am still getting error 400 in the second tab when trying to log in after the user has been logged in the first tab.
So I'd better wait for the consistent and tested solution from your side. -
Actually, the recommended fix should behave like this
Can you share the error details if you encounter something other than you mentioned at the beginning?
This time, I have run the code you suggested in ABP test solution. Suprisingly, I have found the discrepancy between the way your code behaves in ABP test solution and our solution:
in ABP test solution after logging out, when I am logging-in in the first tab - I am automatically being logged-in in the second tab;
in our solution this does not happen: the second tab is left intact: so when I try to log-in there manually after I have logged in in the first tab, I get error 400 related to the AntiForgery token issue (the situation we observed in both solutions before you came up with the suggested workaround).
Why your code behaves differently for both solutions - I have no idea. However, I am not allowed to share our project - I can only base on your suggestions if any.
Thank you for testing the approach and sharing your findings. The difference in behavior likely comes from how session persistence, token storage, or middleware logic is handled in your solution.
For the AntiForgery token issue, it seems the XSRF token isn’t refreshing properly when logging in from another tab. You might try:
Ensuring the XSRF token is re-fetched on new login sessions.
Invalidating cached tokens on logout.
Checking if the
event properly syncs authentication state.
export class AppComponent { window = inject(DOCUMENT).defaultView; constructor() { this.window.addEventListener('storage', event => { if (event.key !== 'access_token') { return; } const tokenRemoved = event.newValue === null; const tokenAdded = event.oldValue === null && event.newValue !== null; //You can re-fetch and update the XSRF token here if (tokenRemoved || tokenAdded) { location.assign('/'); } }); } }
Let me know if this helps or if you need further suggestions.
I wish I knew how to properly refresh anAntiforgery
token in ABP solution.
By this moment, i have only noticed that this token is present as a hidden field in OpenID server login page.
But my guess is that it's too late to affect it there unless i am going to modify an OpenID login page directly with some js injection...