Activities of "viswajwalith"

We can find the Roles in Log, but when we inject CurrentUser in AppService, not able find the roles.

[liming.ma@volosoft.com] said: hi

The Microsoft logs level still not Debug

Please use the log configuration code below.

var loggerConfiguration = new LoggerConfiguration() 
    .MinimumLevel.Debug() 
    .MinimumLevel.Override("Microsoft.EntityFrameworkCore", LogEventLevel.Warning) 
    .Enrich.FromLogContext() 
    .WriteTo.Async(c => c.File("Logs/logs.txt")) 

2025-06-30 19:52:16.805 +05:30 [INF] Request starting HTTP/1.1 GET http://localhost:44371/api/employee-service/dashboard-pages?PageId=HOMEDASHBOARD&SkipCount=0&MaxResultCount=20000&api-version=1.0 - null 0 
 
2025-06-30 19:52:17.252 +05:30 [INF] Executing endpoint 'Exceego.EHSWatch.AppV3.EmployeeService.Controllers.DashboardPages.DashboardPageController.GetListAsync (Exceego.EHSWatch.AppV3.EmployeeService.HttpApi)' 
 
2025-06-30 19:52:18.685 +05:30 [INF] Authorization failed. These requirements were not met: 
PermissionRequirement: EmployeeService.CustomReports 
 
2025-06-30 19:52:19.936 +05:30 [INF] Request finished HTTP/1.1 GET https://localhost:44371/api/employee-service/dashboard-pages?PageId=HOMEDASHBOARD&SkipCount=0&MaxResultCount=20000&api-version=1.0 - 403 0 null 3131.5555ms 

These requirements were not met: PermissionRequirement: EmployeeService.CustomReports

Does your current user have EmployeeService.CustomReports permission?

If the 403 error only happened on Exceego.EHSWatch.AppV3.EmployeeService.HttpApi.Host. website.

Please enable the Debug log level and share again.

Also output some info to the logs.

app.UseAuthentication(); 
 
app.Use(async (httpContext, next) => 
{ 
    var logger = httpContext.RequestServices.GetRequiredService<ILogger<EmployeeServiceHttpApiHostModule>>(); 
    var claims = httpContext.User.Claims.Select(x => new { x.Type, x.Value }).ToList(); 
    logger.LogError("HttpContext.User Claims:"); 
    logger.LogError(JsonSerializer.Serialize(claims)); 
 
    var currentUser = httpContext.RequestServices.GetRequiredService<ICurrentUser>().GetAllClaims().Select(x => new { x.Type, x.Value }).ToList(); 
    logger.LogError("Current User Claims:"); 
    logger.LogError(JsonSerializer.Serialize(currentUser)); 
 
 
    var userid = AbpClaimTypes.UserId; 
    var username = AbpClaimTypes.UserName; 
    var roleClaimType = AbpClaimTypes.Role; 
 
    logger.LogError($"UserId Claim Type: {userid}"); 
    logger.LogError($"UserName Claim Type: {username}"); 
    logger.LogError($"Role Claim Type: {roleClaimType}"); 
 
    var authorizationHeader = httpContext.Request.Headers["Authorization"]; 
    logger.LogError(!string.IsNullOrEmpty(authorizationHeader) 
        ? $"Authorization Header: {authorizationHeader}" 
        : "Authorization Header is missing or empty."); 
 
    await next(httpContext); 
}); 

Thanks.

sent the logs to ur email, Thanks

1. We have upgraded our application from 7.3.2 to 9.2.0
2. We are continue to use IdentityServer (we did not Migrated to OpenIddict).
3. We are not using any external login.
4. After upgrade from 7.3.2 to 9.2.0, we were missing the sub and role claims in Back Office Web. We have managed to get thsese claims by adding below code in Back Office Web in AddAbpOpenIdConnect configuration. options.ClaimActions.MapJsonKey("sub", AbpClaimTypes.UserId); options.ClaimActions.MapJsonKey("role", "role");
5. One of our Micro service called 'Employee Service' have 'EmployeeService.CustomReports' permission and this permission is given to a role and that role assigned to the logged in user. We are able to get that permission from JS, because in Back office web we mapped the roles. But when we check in Employee Service(Micro service), we are missing the roles in claims/CurrentUser, because of this we are not getting the permission.
6. After upgrade from 7.3.2 to 9.2.0, we are facing this in Employee Service.

Are we missing anything to get Roles claims/CurrentUser in Employee Service?

Hi,

Sent you email.

[liming.ma@volosoft.com] said: hi

Add it to the project that has forbidden erros And can you share the debug logs for forbidden erros?

https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

Thanks.

Hi We have added the code in both web and one of the service still getting the autorization error, I have emails the log files to ur email id

[liming.ma@volosoft.com] said:

If we check the permissions in JS we are able to see the proper permissions but not at backend so getting forbidden erros.

Sorry for that. I missed it.

Can you check the claims value and type by adding a custom middleware after UseAuthentication?

app.UseAuthentication(); 
 
app.Use(async (httpContext, next) => 
{ 
    var claims = httpContext.User.Claims; 
    var currentUser = httpContext.RequestServices.GetRequiredService<ICurrentUser>().GetAllClaims(); 
     
    var userid = AbpClaimTypes.UserId; 
    var username = AbpClaimTypes.UserName; 
    var roleClaimType = AbpClaimTypes.Role; 
     
    await next(httpContext); 
}); 
 

Thanks.

Thanks for the quick response, I belive this need to be added in Web Module file right. will give a try and update you back.

[liming.ma@volosoft.com] said: hi

Removing IdentityServer4 from the Back office Web project will fix this error.

As you can see. the IdentityServer4 is used in your Back office Web project

As I mentioned earlier, we have overcome this issue by assigning the claims again but now facing the permissions issue

[liming.ma@volosoft.com] said: hi

Please try to remove IdentityServer4 from Back office Web project first.

Then, the claims problem you can see https://abp.io/community/articles/how-claim-type-works-in-asp-net-core-and-abp-framework-km5dw6g1

Thanks.

Hi, Thanks for the response but I feel there is some miss-understanding, still we tried to find the reference for IdentityServer4 across our web project but no where we found that. If you can elobrate much more that might be useful.

Our Back Office Web Project has a reference to IdentityServer Web and Web dosent have reference to Identity4 and we checked over there as well but not able to find any clue

Also we are not in a plans to OpenIdDict and want to continue with IdentityServer4 for now. Do u think still IdentityServer4 need to be removed from web project?

[liming.ma@volosoft.com] said: hi

Your Back office Web project has an indirect dependency on IdentityServer4

Please search code and remove it.

Hi, we made some changes to map all the claims received via token to claimsIdentity in "ConfigureServices" under web module file . After that change we are able to login and roles are showing as mapped but permissins are not mapping to the logged in user in backend.

If we check the permissions in JS we are able to see the proper permissions but not at backend so getting forbidden erros.

Please advise.

Note: We still using IdentityServer4 and if we are making callss to API via PostMan getting the data without any roles or permissions issues

            options.Events = new OpenIdConnectEvents
            {
                OnRemoteFailure = context =>
                {
                    Log.Information("Remote login failed: " + context.Failure?.Message);
                    return Task.CompletedTask;
                },
                OnTokenValidated = context =>
{
    Log.Information("Token validated!");

    var claimsIdentity = context.Principal.Identity as ClaimsIdentity;

    var idToken = context.ProtocolMessage.IdToken;
    var handler = new JwtSecurityTokenHandler();
    var token = handler.ReadJwtToken(idToken);

    foreach (var claim in token.Claims)
    {
        if (!claimsIdentity.HasClaim(c => c.Type == claim.Type && c.Value == claim.Value))
        {
            Log.Information($"Manually adding claim: {claim.Type} = {claim.Value}");
            claimsIdentity.AddClaim(claim);
        }
    }

    return Task.CompletedTask;
}
            };

It s not possible to send the code we may have the screenshare session to take this further.