abp CookieAuthenticationOptions，IntrospectAccessToken #10288

17 Answer(s)

• 

  0

  AI-Bot created yesterday

  Support Team ABP Agent

  1. Solution

  options.IntrospectAccessToken() is an ABP helper extension for cookie authentication:

  context.Services.AddAuthentication(options =>
  {
      options.DefaultScheme = "Cookies";
      options.DefaultChallengeScheme = "oidc";
  })
  .AddCookie("Cookies", options =>
  {
      options.ExpireTimeSpan = TimeSpan.FromDays(365);
      options.IntrospectAccessToken();   // = old helper
  })
  .AddAbpOpenIdConnect("oidc", options =>
  {
      // ...
  });
  

  From the ABP source:

  /// <summary>
  /// Check the access_token is expired or inactive.
  /// </summary>
  [Obsolete("Use CheckTokenExpiration method instead.")]
  public static CookieAuthenticationOptions IntrospectAccessToken(
      this CookieAuthenticationOptions options,
      string oidcAuthenticationScheme = "oidc")
  {
      return options.CheckTokenExpiration(oidcAuthenticationScheme, null, TimeSpan.FromMinutes(1));
  }
  

  So:

  • It hooks into CookieAuthenticationOptions.Events.OnValidatePrincipal.
  • Periodically (default ~1 minute) it checks the access_token associated with the cookie:
    • If token is expired or inactive (introspection active = false) it rejects the cookie principal (signs the user out).
  • It is meant for scenarios where:
    • You use OIDC login (AddAbpOpenIdConnect("oidc", …)).
    • Cookie lifetime is long (e.g. 365 days).
    • You still want the user to be logged out as soon as the access token becomes invalid, not when the cookie expires.

  When the log shows active: false / audience not listed

  Your log:

  Potentially sensitive application claims were excluded from the introspection response as the client 'EAP' was not explicitly listed as an audience.
  "active": false

  This happens when the extension calls the introspection endpoint of OpenIddict and:

  • The access token audience doesn’t include the current client (e.g. EAP), so OpenIddict:
    • Removes sensitive claims.
    • Returns active: false.

  Common reasons:

  • In your OpenIddictDataSeedContributor, the client representing this Blazor Server app:
    • Doesn't list the correct API/resource as audience.
    • Or the API scope/audience configuration doesn’t match the token you’re sending.

  Result: every validation attempt marks the token as not active, so the cookie is invalidated.

  What you should do

  1. Prefer the new API

  IntrospectAccessToken is obsolete. Use:

  .AddCookie("Cookies", options =>
  {
      options.ExpireTimeSpan = TimeSpan.FromDays(365);
      options.CheckTokenExpiration(); // new recommended helper
  });
  

  2. Only use it when you really need token‑based sign‑out

  Use CheckTokenExpiration / IntrospectAccessToken when:

  • The UI (Blazor Server / MVC) logs in via OIDC (oidc scheme), and
  • You call protected APIs using the same access token, and
  • You want the UI cookie to become invalid as soon as the access token is no longer valid.

  If:

  • Your UI and backend are the same application, or
  • You don’t rely on the access token after login,

  then you can simply remove IntrospectAccessToken() / CheckTokenExpiration() and rely on normal cookie expiration.

  3. If you keep it, fix the OpenIddict client/audience

  If you want to keep token introspection:

  • In your OpenIddictDataSeedContributor, ensure the client for this app:
    • Has the correct scopes (e.g. your API scopes).
    • Has the correct audiences to match the APIs the token is issued for.
  • Then the introspection endpoint will return active: true while the token is valid and the cookie will not be cleared.

  In summary:

  • IntrospectAccessToken is used to periodically verify the OIDC access token behind the cookie and log the user out when that token is no longer valid.
  • It’s now obsolete; use CheckTokenExpiration().
  • Use it only when you need access‑token‑driven logout; otherwise you can safely remove it.
  • Your current active: false error is due to OpenIddict audience/scope configuration, not ABP itself.

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  你好

  完整的OpenIddict IntrospectAccessToken日志是?

  Save Cancel
• 

  0

  heshengli created yesterday

  [2026-01-07 16:51:58.183 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] The response was successfully returned as a JSON document: { "active": true, "iss": "http://10.166.0.106:44390/", "sub": "4d75bb07-b3de-0147-7a5c-3a1d3c88d0e8", "jti": "b66835b5-f0ab-45bd-afec-7d85e4b91e81", "token_type": "Bearer", "token_usage": "access_token", "client_id": "EAP", "iat": 1767804690, "nbf": 1767804690, "exp": 1767808290, "aud": "ControlCenter" }. [2026-01-07 16:51:58.184 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request finished HTTP/1.1 POST http://10.166.0.106:44390/connect/introspect - 200 327 application/json;charset=UTF-8 18.7682ms [2026-01-07 16:51:59.429 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request starting HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - application/json; charset=utf-8 null [2026-01-07 16:51:59.430 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request finished HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - 200 0 null 0.7973ms [2026-01-07 16:52:00.706 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request starting HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - application/json; charset=utf-8 null [2026-01-07 16:52:00.707 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request finished HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - 200 0 null 1.1336ms [2026-01-07 16:52:02.388 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request starting HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - application/json; charset=utf-8 null [2026-01-07 16:52:02.389 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request finished HTTP/1.1 POST http://10.166.0.106:44390/register-health-check - 200 0 null 0.9464ms [2026-01-07 16:52:02.443 +00:00] [INF] [Microsoft.AspNetCore.Hosting.Diagnostics] Request starting HTTP/1.1 POST http://10.166.0.106:44390/connect/introspect - application/x-www-form-urlencoded 1339 [2026-01-07 16:52:02.444 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] The request URI matched a server endpoint: "Introspection". [2026-01-07 16:52:02.444 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] The introspection request was successfully extracted: { "token": "[redacted]", "client_id": "EMS", "client_secret": "[redacted]" }. [2026-01-07 16:52:02.465 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] The response was successfully returned as a JSON document: { "active": false }.

  Save Cancel
• 

  0

  heshengli created yesterday

  [2026-01-07 16:51:58.183 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] Potentially sensitive application claims were excluded from the introspection response as the client 'EAP' was not explicitly listed as an audience.

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  请分享完整的身身份认证配置代码

  

  Save Cancel
• 

  0

  heshengli created yesterday

  

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  这个错误的原因是access token中Audience不包含odic的ClientId

  你是否对OpenIddict做了任何的自定义修改?

  如何使用默认的模版项目复现问题?

  Save Cancel
• 

  0

  heshengli created yesterday

  [OpenIddict.Server.OpenIddictServerDispatcher] The introspection request was rejected because the access token was issued to a different client or for another resource server.

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  你是否对OpenIddict做了任何的自定义修改?

  如何使用默认的模版项目复现问题?

  Save Cancel
• 

  0

  heshengli created yesterday

  [OpenIddict.Server.OpenIddictServerDispatcher] The introspection request was rejected because the access token was issued to a different client or for another resource server. 整体站点采用http,单点登录 cookie 共享

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  你可以移除 options.IntrospectAccessToken()将解决这个问题.

  之后复制这个类的源码到你的项目中

  https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs

  67行的ClientId需要来自Access token中而不是每个项目的ClientId.

  https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs#L67

  ---

  为什么多个APP没有使用相同的ClientId?

  Save Cancel
• 

  0

  heshengli created yesterday

  openiddict 多个应用，多个app地址，单点登录 appurl /signin-oidc

  Save Cancel
• 

  0

  maliming created yesterday

  Support Team Fullstack Developer

  修改CheckTokenExpiration会解决问题

  Save Cancel
• 

  0

  heshengli created 17 hours ago

  不行，使用CheckTokenExpiration会导致用户在不登录的情况下，直接访问内部地址，而IntrospectAccessToken不会

  Save Cancel
• 

  0

  AI-Bot created 17 hours ago

  Support Team ABP Agent

  1. Solution

  CheckTokenExpiration() and IntrospectAccessToken() are just two different ABP helpers that plug into the cookie authentication pipeline:

  • IntrospectAccessToken() (obsolete)

    • Uses OpenIddict introspection endpoint and sends the cookie’s access token together with this app’s ClientId.
    • OpenIddict then enforces: the caller (client doing introspection) must be in the token’s audience/presenter.
    • In your scenario you have multiple apps, each with its own ClientId, but you are sharing one login (SSO).
      • The access token may be issued for audience ControlCenter (or some other client/resource).
      • When APP‑2 introspects it with its own ClientId, OpenIddict sees that this ClientId is not in aud/azp and rejects the request:
        • Log: The introspection request was rejected because the access token was issued to a different client or for another resource server.
    • This is why some introspection calls return active: false even when the token itself is valid.

  • CheckTokenExpiration() (new, recommended)

    • Does not use introspection in this strict way; it mainly checks token expiration and optionally calls user info.
    • Therefore it doesn’t hit the audience/presenter restriction that is causing your current error.

  Because you have many apps (Portal, APP‑1/2/3) with SSO and different OpenIddict clients, IntrospectAccessToken() will always be fragile unless all access tokens are issued with all your frontend ClientIds as audiences.

  The workaround suggested in the support thread is:

  1. Remove options.IntrospectAccessToken() from all apps.
  2. Copy and adjust ABP’s implementation to your own project:
     • File: CookieAuthenticationOptionsExtensions.cs
     • Source:
       https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs
  3. In the copied CheckTokenExpiration/validation logic, change the ClientId used for introspection:
     • Instead of using each app’s own OIDC ClientId, take the ClientId (or audience) from the access token being validated, or use a single technical client that is always present in aud.
     • This bypasses the “token issued to a different client/resource server” condition you saw in OpenIddict’s ValidateIntrospectionRequest handler.

  If you do this:

  • You keep the behavior you like from IntrospectAccessToken (user is redirected to login when token is invalid/expired).
  • You avoid the audience mismatch when the same token is reused across multiple apps with different ClientIds.

  Regarding your last comment:

  Using CheckTokenExpiration lets users access internal URLs without logging in, but IntrospectAccessToken does not.

  That difference comes from the exact validation logic inside the ABP extension. Once you copy the extension code and adapt the introspection part (ClientId/audience logic) you can:

  • Keep the “force login when no valid token” behavior,
  • While still supporting your multi‑client, shared cookie (ApplicationName, Redis Protection-Keys shared) architecture.

  2. Sources

  • ABP cookie helpers for token checking and introspection (source code):
    • CookieAuthenticationOptionsExtensions
      https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs

  ---

  This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  Save Cancel
• 

  0

  maliming created 16 hours ago

  Support Team Fullstack Developer

  hi

  复制这个类的源码到你的项目中

  https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Microsoft/Extensions/DependencyInjection/CookieAuthenticationOptionsExtensions.cs

  67行的ClientId需要来自Access token中而不是每个项目的ClientId.

  var tokenHandler = new JwtSecurityTokenHandler();
  var securityToken = (JwtSecurityToken)tokenHandler.ReadToken(your_access_token);
  var clientid = securityToken.Claims.FirstOrDefault(c => c.Type == openiddict_client_id_claim_type)?.Value;
  
   ClientId = clientid
  
  

  https://www.nuget.org/packages/system.identitymodel.tokens.jwt/

  Save Cancel
• 

  0

  maliming created 13 hours ago

  Support Team Fullstack Developer

  One new way to solve it. See https://github.com/abpframework/abp/pull/24598

  Save Cancel