0
carl.hallqvist created
Trying to replace our Blazor Wasm application to WebApp and gets this in the local dev of Blazor WebApp:
11:29:02 ERR] Exception occurred while processing message.
System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
[11:29:02 INF] Error from RemoteAuthentication: Response status code does not indicate success: 401 (Unauthorized)..
[11:29:02 ERR] An unhandled exception has occurred while executing the request.
Microsoft.AspNetCore.Authentication.AuthenticationFailureException: An error was encountered while handling the remote login.
---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 401 (Unauthorized).
at System.Net.Http.HttpResponseMessage.EnsureSuccessStatusCode()
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.GetUserInformationAsync(OpenIdConnectMessage message, JwtSecurityToken jwt, ClaimsPrincipal principal, AuthenticationProperties properties)
at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
--- End of inner exception stack trace ---
at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)
[11:29:02 INF] Setting culture and ui-culture to the response. culture: sv, ui-culture: sv
And the log from the auth server gives:
[10:29:02 INF] The request URI matched a server endpoint: Token.
[10:29:02 INF] The token request was successfully extracted: {
"client_id": "BlazorWebApp",
"client_secret": "[redacted]",
"code": "[redacted]",
"grant_type": "authorization_code",
"redirect_uri": "https://localhost:44346/signin-oidc"
}.
[10:29:02 INF] The token request was successfully validated.
[10:29:02 INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[10:29:02 INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
[10:29:02 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[10:29:02 INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
[10:29:02 INF] The token '3a1e7bd4-5293-5f82-8180-a638db5cb5fa' was successfully marked as redeemed.
[10:29:02 INF] The response was successfully returned as a JSON document: {
"access_token": "[redacted]",
"token_type": "Bearer",
"expires_in": 3599,
"scope": "openid profile roles email phone AuthServer IdentityService AdministrationService SaasService AuditLoggingService GdprService ChatService",
"id_token": "[redacted]"
}.
[10:29:02 INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 62.1836ms
[10:29:02 INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[10:29:02 INF] Request finished HTTP/1.1 POST http://auth.staging.myproject.io/connect/token - 200 3079 application/json;charset=UTF-8 147.4217ms
[10:29:02 INF] Request starting HTTP/1.1 GET http://auth.staging.myproject.io/connect/userinfo - null null
[10:29:02 WRN] Unknown proxy: [::ffff:10.244.1.23]:38956
[10:29:02 INF] The request URI matched a server endpoint: UserInfo.
[10:29:02 INF] The userinfo request was successfully extracted: {}.
[10:29:02 INF] The userinfo request was rejected because the mandatory 'access_token' parameter was missing.
[10:29:02 INF] The response was successfully returned as a challenge response: {
"error": "missing_token",
"error_description": "The mandatory 'access_token' parameter is missing.",
"error_uri": "https://documentation.openiddict.com/errors/ID2029"
}.
[10:29:02 INF] Request finished HTTP/1.1 GET http://auth.staging.myproject.io/connect/userinfo - 302 0 null 1.6405ms
[10:29:02 INF] Request starting HTTP/1.1 GET http://auth.staging.myproject.io/Error?httpStatusCode=401 - null null
1 Answer(s)
-
0
1. Solution
The flow on your AuthServer is actually succeeding (authorization code + token). The failure happens after that, when the Blazor WebApp’s
OpenIdConnectHandlertries to call/connect/userinfo:- AuthServer log:
The userinfo request was rejected because the mandatory 'access_token' parameter was missing. - Blazor WebApp log:
OpenIdConnectHandler.GetUserInformationAsync(...)->HttpRequestException 401 Unauthorized
So:
- The Blazor WebApp is configured with
GetClaimsFromUserInfoEndpoint = true. - But the handler is not sending an access token to
/connect/userinfo(most commonly because tokens are not saved).
There are two practical ways to fix this for a Blazor WebApp with ABP/OpenIddict.
Option A (recommended): Stop calling the UserInfo endpoint
In ABP with OpenIddict, the standard user claims (subject, name, email, roles, etc.) are already available in the ID token, as long as you request the right scopes. In most cases you don’t need
/connect/userinfoat all.Configure your Blazor WebApp authentication like this (Program.cs / Startup):
builder.Services .AddAuthentication(options => { options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; }) .AddCookie() .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => { options.Authority = configuration["AuthServer:Authority"]; // e.g. https://auth.staging.myproject.io options.RequireHttpsMetadata = true; options.ClientId = "BlazorWebApp"; options.ClientSecret = configuration["AuthServer:ClientSecret"]; // your client secret options.ResponseType = OpenIdConnectResponseType.Code; options.UsePkce = true; // Tokens can still be saved if you want to call APIs later options.SaveTokens = true; // IMPORTANT: disable UserInfo call to avoid your 401 error options.GetClaimsFromUserInfoEndpoint = false; // Request the scopes that ABP/OpenIddict uses to put claims into id_token options.Scope.Clear(); options.Scope.Add("openid"); options.Scope.Add("profile"); options.Scope.Add("email"); options.Scope.Add("phone"); options.Scope.Add("roles"); options.Scope.Add("offline_access"); // Plus any API scopes you need, e.g.: options.Scope.Add("AuthServer"); options.Scope.Add("IdentityService"); options.Scope.Add("AdministrationService"); options.Scope.Add("SaasService"); options.Scope.Add("AuditLoggingService"); options.Scope.Add("GdprService"); options.Scope.Add("ChatService"); });Also ensure that in your AuthServer/OpenIddict client definition for
"BlazorWebApp"the same scopes are allowed.With
GetClaimsFromUserInfoEndpoint = false, the handler will not call/connect/userinfo, so themissing_token/ 401 error disappears, and the Blazor WebApp uses the claims inid_token.
Option B: Keep UserInfo and send a valid access token
If you explicitly want to use
/connect/userinfo:- Make sure the WebApp saves tokens:
options.SaveTokens = true; options.GetClaimsFromUserInfoEndpoint = true;- Keep the same scopes as in option A (so an access token is actually issued).
- Ensure your
"BlazorWebApp"client in AuthServer:- Has those scopes assigned.
- Issues an access token with an audience accepted by AuthServer’s OpenIddict validation (in your current log the first issue is simply missing token; if you later see “token had no valid audience”, that’s an audience/scope configuration problem).
But since ABP/OpenIddict already includes the usual claims in
id_token, Option A is usually simpler and more robust, especially when migrating from Blazor WASM to Blazor WebApp.
2. Sources
- ABP OpenIddict deployment & validation/audience notes (relevant when using access tokens and UserInfo):
- https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/openiddict-deployment
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
- AuthServer log:
