We are facing a "Duplicate api resources" exception using the Identity Server Pro module. This bug has already been reported here a few months ago: https://support.abp.io/QA/Questions/1126/Bugs--Issues-v43X#answer-aee6a847-3590-2a64-81de-39fbde90446e
- ABP Framework version: v5.1.3
- UI type: MVC
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): no
- Exception message and stack trace:
- Steps to reproduce the issue: From a new solution, not tiered
Login with admin
Open IdentityServer clients, edit AuthService_Swagger client
Go to advanced -> Grant types and add client_credentials then save
Open Postman, create a new GET query on whatever, example https://localhost:44345/api/identity/users
In authorization, select oauth2, then
grant type: client credential
access token url: https://localhost:44345/connect/token
client id: AuthService_Swagger
client secret: 1q2w3e*
scope: AuthService
then click 'get new access token'
=> it works correctly, because we are using a single scope
Return to ABP with the admin account, create a new API scope named AuthService.Read
Edit the API resource and select the 2 scopes, save
In swagger, add the new scope AuthService.Read after AuthService
=> it does not work anymore, here is the error in logs
2022-03-04 09:42:42.689 +01:00 [INF] {"Details":"System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService\r\n at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)\r\n at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)","Category":"Error","Name":"Unhandled Exception","EventType":"Error","Id":3000,"Message":"Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService","ActivityId":"8000000a-0008-fc00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:42:42.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"UnhandledExceptionEvent"}
2022-03-04 09:42:42.689 +01:00 [FTL] Unhandled exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService
System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService
at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)
at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)
at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)
at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)
at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)
at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)
at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)
at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
We can try to use only the new scope: in Swagger, replace the scope with only AuthService.Read
=> it does not work, here is the error in logs
[ERR] Client AuthService_Swagger is not allowed access to scope AuthService.Read.
2022-03-04 09:50:08.023 +01:00 [ERR] Invalid scopes requested, {"ClientId":"AuthService_Swagger","ClientName":"AuthService_Swagger","GrantType":"client_credentials","Scopes":null,"AuthorizationCode":"**","RefreshToken":"**","UserName":null,"AuthenticationContextReferenceClasses":null,"Tenant":null,"IdP":null,"Raw":{"grant_type":"client_credentials","scope":"AuthService.Read"},"$type":"TokenRequestValidationLog"}
2022-03-04 09:50:08.023 +01:00 [INF] {"ClientId":"AuthService_Swagger","ClientName":"AuthService_Swagger","RedirectUri":null,"Endpoint":"Token","SubjectId":null,"Scopes":null,"GrantType":"client_credentials","Error":"invalid_scope","ErrorDescription":null,"Category":"Token","Name":"Token Issued Failure","EventType":"Failure","Id":2001,"Message":null,"ActivityId":"80000051-000a-fe00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:50:08.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"TokenIssuedFailureEvent"}
We are currently blocked and urgently need a solution. Our project is starting, and if we can't achieve authentication we will have to look for another technical solution. Thanks for your help.
13 Answer(s)
-
0
Hi,
I will check it out.
-
0
-
0
Hello, the workaround using many API resources, each containing one unique scope, is working, thank you! But it cannot be a long-term solution. Is it a bug from abp.io or Identity Server?
Thanks!
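The two failures logged in this thread, and the one-scope-per-resource workaround, written as a preflight check. This is an added example, not code from the posters, ABP or IdentityServer4; the dictionary layout and the `preflight` function are assumptions, and the data is constructed from the names used in the thread.

```python
from collections import defaultdict

# Constructed data reusing the names from the thread (not exported from ABP).
CLIENTS = {"AuthService_Swagger": {"allowed_scopes": ["AuthService"]}}
# Configuration from the question: one API resource carrying both scopes.
SHARED = {"AuthService": ["AuthService", "AuthService.Read"]}
# Workaround reported as working: one API resource per scope.
SPLIT = {"AuthService": ["AuthService"], "AuthService.Read": ["AuthService.Read"]}


def preflight(client_id, requested_scopes, clients, api_resources):
    """Return (code, detail) findings for a planned client_credentials request."""
    findings = []
    requested = list(dict.fromkeys(requested_scopes))  # drop repeats, keep order

    # Scope not granted to the client: the token endpoint logged invalid_scope.
    allowed = set(clients[client_id]["allowed_scopes"])
    for scope in requested:
        if scope not in allowed:
            findings.append(("invalid_scope", f"{client_id} is not allowed {scope}"))

    # Two or more requested scopes that belong to the same API resource: the
    # request shape that ended in "Duplicate api resources found" in the thread.
    hits = defaultdict(list)
    for name, scopes in api_resources.items():
        for scope in requested:
            if scope in scopes:
                hits[name].append(scope)
    for name, scopes in hits.items():
        if len(scopes) > 1:
            findings.append(("shared_resource", f"{name} <- {', '.join(scopes)}"))
    return findings


if __name__ == "__main__":
    both = ["AuthService", "AuthService.Read"]
    for label, resources in (("shared", SHARED), ("split", SPLIT)):
        print(label, preflight("AuthService_Swagger", both, CLIENTS, resources))
```

With the constructed data, the shared layout reports both findings for the two-scope request, while the split layout leaves only the client's missing scope grant.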
-
0
Hi,
This is not a bug; this is by design in IdentityServer.
-
0
Hi, I do not agree with this; both Identity Server and ABP allow an administrator to configure multiple scopes on a unique API resource.
Here is a link to the documentation: http://docs.identityserver.io/en/latest/topics/resources.html. You can see that ApiResources can be configured with many scopes:

```csharp
using System.Collections.Generic;
using IdentityServer4.Models;

public static class Config
{
    // Two API resources, each exposing several scopes; "manage" is listed on both.
    public static IEnumerable<ApiResource> GetApiResources()
    {
        return new List<ApiResource>
        {
            new ApiResource("invoice", "Invoice API")
            {
                Scopes = { "invoice.read", "invoice.pay", "manage" }
            },
            new ApiResource("customer", "Customer API")
            {
                Scopes = { "customer.read", "customer.contact", "manage" }
            }
        };
    }
}
```
Do you have an idea?
-
0
Hi support team, any news on this subject?
-
0
Hi support team, any news on this subject?
ABP's design is to use a single API resource for a single API scope, because we use permission management for authorization.
If you want to use scope-based authorization for your API, that's fine.
Can you explain your exact problem? Is the IdentityServer Management UI not allowing you to use multiple scopes?
-
0
Hello, the problem is explained in my first ticket: the IdentityServer Management UI allows the user to enter multiple scopes, but it's not working.
-
0
Hello, perhaps my explanations are not clear; please tell me what you need to investigate. I'm currently using multi API resources, but if an admin selects multi scope the SSO will fail. Thanks
-
0
Hi,
if an admin selects multi scope the SSO will fail.
Are there any error logs?
-
0
Hello, yes, here is a copy of the logs:
2022-03-04 09:42:42.689 +01:00 [INF] {"Details":"System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService\r\n at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)\r\n at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)","Category":"Error","Name":"Unhandled Exception","EventType":"Error","Id":3000,"Message":"Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService","ActivityId":"8000000a-0008-fc00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:42:42.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"UnhandledExceptionEvent"}
2022-03-04 09:42:42.689 +01:00 [FTL] Unhandled exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService
System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService
at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)
at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)
at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)
at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)
at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)
at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)
at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)
at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)
at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)
at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)
-
0
Hi,
It seems to be a problem, I will research it.
-
0
Hi,
I created an internal issue and will fix it in the next version.