Open Closed

Successful login with Authorization exceptions after updating to v.5.3.0 #3303


User avatar
0
DanielAndreasen created
  • ABP Framework version: v5.3.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): No (Angular)
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

After updating our applications from ABP v.4.4.4 to v.5.3.0 and handling breaking changes as described in the ABP docs migration guides, we are experiencing an unexpected authorization behavior in our web application (Angular). When we are running the API/IdentityServer with the Angular application we are able to successfully authenticate after entering correct credentials at the login page, receive a JWT and redirect to the Angular application. However when attempting to use any controller endpoint the response code is always 401 with a 'Volo.Abp.Authorization.AbpAuthorizationException' even though the role of the authenticated user allows everything. It seems like the API is either not doing any JWT validation at all or is not properly keeping track of the user session.

Below is our configuration of authentication which also makes use of MongoDB for DataProtection API storage to support our load balanced setup in production. When inspecting the MongoDB collections we can see that keys and sessions are created as expected.

    private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        var mongoUrlBuilder = new MongoUrlBuilder(Environment.GetEnvironmentVariable("MONGODB_CONNECTION_STRING") +    Environment.GetEnvironmentVariable("MONGODB_CONNECTION_PARAMS"));
        var mongoClient = new MongoClient(mongoUrlBuilder.ToMongoUrl());

        context.Services.AddDataProtection().SetApplicationName(Environment.GetEnvironmentVariable("DATA_PROTECTION_APPLICATION_NAME")).PersistKeysToMongoDb(() => mongoClient.GetDatabase(Environment.GetEnvironmentVariable("MONGODB_DATA_PROTECTION_DATABASE_NAME")));

        context.Services.ConfigureApplicationCookie(options =>
        {
            options.SessionStore = new MongoDbTicketStore(new MongoDbTicketStoreOptions()
            {
                Database = mongoClient.GetDatabase(Environment.GetEnvironmentVariable("MONGODB_DATA_PROTECTION_DATABASE_NAME")),
                CollectionName = Environment.GetEnvironmentVariable("MONGODB_AUTH_SESSION_STORE_COLLECTION_NAME")
            });
        });


        Configure<IdentityServerOptions>(options => { options.IssuerUri = configuration["App:SelfUrl"]; });            

        context.Services.AddAuthentication()
            // IdentityServer
            .AddJwtBearer(options =>
            {
                    options.Authority = configuration["AuthServer:Authority"];
                    options.RequireHttpsMetadata = false;
                    options.ClaimsIssuer = "Stella";
                    options.BackchannelHttpHandler = new HttpClientHandler
                {
                    ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                };
            });
}

When inspecting the network logs in a browser after authenticating the user and being redirected to the Angular app we also noticed that the "currentUser" segment of the response from api/abp/application-configuration show null values.


1 Answer(s)
  • User Avatar
    0
    DanielAndreasen created

    Audience option was not set correctly

    context.Services.AddAuthentication()
                    // IdentityServer
                    .AddJwtBearer(options =>
                    {
                            options.Authority = configuration["AuthServer:Authority"];
                            options.RequireHttpsMetadata = false;
                            options.ClaimsIssuer = "Stella";
                            --> options.Audience = "Stella";
                            options.BackchannelHttpHandler = new HttpClientHandler
                        {
                            ServerCertificateCustomValidationCallback = HttpClientHandler.DangerousAcceptAnyServerCertificateValidator
                        };
                    });
    
Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15