
access/token returns "Invalid_Client" #3404


Leonardo.Willrich created
  • ABP Framework version: v5.3
  • UI type: Blazor WASM
  • DB provider: EF Core

I have an external application that accesses the Web API. To do that, it requests the Token using the method access/token and passing the client_id, client_secret, and grant_type parameters. It was working, but it is no longer working. Calling access/token by Postman only returns "Invalid_Client"; it seems that the client doesn't exist, which is not true. Checking the logs, it says that the secret doesn't match, but I am 100% sure that it is the same secret. The previous secret was expired, so I've changed the date/time for it. I've restarted the application and cleaned the Redis cache to be sure it wouldn't be some cache issue.

Here is my request in Postman. In the Headers, I have the property "__tenants" with the tenant name:

Here is the Log file for the request in the Web Api:

[15:17:19 INF] Request starting HTTP/1.1 POST https://localhost:44364/connect/token application/x-www-form-urlencoded 79
[15:17:19 DBG] Request path /connect/token matched to endpoint type Token
[15:17:19 DBG] Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
[15:17:19 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[15:17:19 DBG] Start token request.
[15:17:19 DBG] Start client validation
[15:17:19 DBG] Start parsing Basic Authentication secret
[15:17:19 DBG] Start parsing for secret in post body
[15:17:19 DBG] Parser found secret: PostBodySecretParser
[15:17:19 DBG] Secret id found: SBC_Reports_2
[15:17:19 DBG] client configuration validation for client SBC_Reports_2 succeeded.
[15:17:19 DBG] No matching hashed secret found.
[15:17:19 DBG] Secret validators could not validate secret
[15:17:19 INF] {"ClientId": "SBC_Reports_2", "Category": "Authentication", "Name": "Client Authentication Failure", "EventType": "Failure", "Id": 1011, "Message": "Invalid client secret", "ActivityId": "400001eb-0004-b900-b63f-84710c7967bb", "TimeStamp": "2022-07-11T03:17:19.0000000Z", "ProcessId": 29156, "LocalIpAddress": "::1:44364", "RemoteIpAddress": "::1", "$type": "ClientAuthenticationFailureEvent"}
[15:17:19 ERR] Client secret validation failed for client: SBC_Reports_2.
[15:17:19 INF] Request finished HTTP/1.1 POST https://localhost:44364/connect/token application/x-www-form-urlencoded 79 - 400 - application/json;+charset=UTF-8 28.5513ms

Here is the client with the Secret:

Sometimes, when adding another secret or doing some changes in the Identity Client, using the framework UI, it throws an exception:
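
Added example, not part of the original post and not ABP or IdentityServer4 code: a Python triage script that reads log text in the layout of the request log above, pulls out each ClientAuthenticationFailureEvent with the debug messages that preceded it, and counts failures per client and remote address. The function names are hypothetical; the sample lines are copied from the request log in this post.

```python
import json
import re
from collections import Counter

# Sample input: lines copied from the request log in the post above.
SAMPLE_LOG = """\
[15:17:19 DBG] Secret id found: SBC_Reports_2
[15:17:19 DBG] No matching hashed secret found.
[15:17:19 DBG] Secret validators could not validate secret
[15:17:19 INF] {"ClientId": "SBC_Reports_2", "Category": "Authentication", "Name": "Client Authentication Failure", "EventType": "Failure", "Id": 1011, "Message": "Invalid client secret", "ActivityId": "400001eb-0004-b900-b63f-84710c7967bb", "TimeStamp": "2022-07-11T03:17:19.0000000Z", "ProcessId": 29156, "LocalIpAddress": "::1:44364", "RemoteIpAddress": "::1", "$type": "ClientAuthenticationFailureEvent"}
[15:17:19 ERR] Client secret validation failed for client: SBC_Reports_2.
"""

LINE_RE = re.compile(r"^\[(\d{2}:\d{2}:\d{2}) ([A-Z]{3})\] (.*)$")  # "[HH:mm:ss LVL] message"


def client_auth_failures(log_text):
    """Hypothetical helper: one dict per ClientAuthenticationFailureEvent."""
    failures, trail = [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # stack-trace and wrapped lines carry no event
        ts, level, msg = m.groups()
        if level == "DBG":
            trail.append(msg)  # validator messages explain the failure that follows
            continue
        if level != "INF" or not msg.startswith("{"):
            continue
        try:
            event = json.loads(msg)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON message
        if event.get("$type") == "ClientAuthenticationFailureEvent":
            failures.append({
                "time": ts,
                "client_id": event.get("ClientId"),
                "remote_ip": event.get("RemoteIpAddress"),
                "message": event.get("Message"),
                "debug_trail": trail,
            })
        trail = []  # start collecting for the next event
    return failures


def failures_per_client_and_ip(failures):
    """Count failures per (client_id, remote_ip) so repeated attempts stand out."""
    return Counter((f["client_id"], f["remote_ip"]) for f in failures)
```

On a busy server, log lines from concurrent requests interleave, so treat debug_trail as a hint rather than a per-request record.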


10 Answer(s)
  • Leonardo.Willrich created

    Hi, I'd just like to add that somehow it is working now, using the same client_id and client_secret. Before, I had added a long period of expiration: 31/12/2050. Then I changed it to 31/12/2022, but it hadn't worked. After writing this issue, I tried again, and it was working. It looks like it took some time to update the server.

    The questions are: does it keep some kind of cache? If so, how do I clean it to read the new parameters? Is it possible to set the expiration date/time for a long period?

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Yes, we cache the client. The cache item will be removed when the client is changed. See https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/IdentityServerCacheItemInvalidator.cs#L33

    However, you can set the expiration date, try:

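    Configure<IdentityServerOptions>(options =>
    {
        // ClientStoreExpiration is a TimeSpan: how long a client (including its secrets) stays in the client store cache.
        options.Caching.ClientStoreExpiration = ....;
    });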
    
  • Leonardo.Willrich created

    How about the error when editing the Identity Client? I think due to this error, the cache has not been removed.

  • liangshiwei created
    Support Team Fullstack Developer

    How about the error when editing the Identity Client?

    Can you share the logs?

    I think due to this error, the cache has not been removed.

    Can you provide the full steps to reproduce? I will check it.

  • Leonardo.Willrich created

    Hi liangshiwei,

    To reproduce, you can create a new client in Administration > Identity Server > Clients, add a Secret. Save the client and then add another Secret and delete the previous. When you try to save, it will show the error.

  • Leonardo.Willrich created

    Here is the log:

    [08:14:56 ERR] Failed executing DbCommand (1ms) [Parameters=[@p0='?' (DbType = Guid), @p1='?', @p2='?', @p3='?', @p4='?' (DbType = DateTime), @p53='?' (DbType = Guid), @p5='?' (DbType = Int32), @p6='?' (DbType = Int32), @p7='?' (DbType = Int32), @p8='?' (DbType = Boolean), @p9='?' (DbType = Boolean), @p10='?' (DbType = Boolean), @p11='?' (DbType = Boolean), @p12='?', @p13='?' (DbType = Boolean), @p14='?' (DbType = Boolean), @p15='?' (DbType = Int32), @p16='?' (DbType = Boolean), @p17='?', @p18='?', @p19='?', @p20='?', @p21='?', @p22='?', @p54='?', @p23='?' (DbType = Int32), @p24='?' (DbType = DateTime), @p25='?' (DbType = Guid), @p26='?' (DbType = Guid), @p27='?' (DbType = DateTime), @p28='?', @p29='?' (DbType = Int32), @p30='?' (DbType = Boolean), @p31='?' (DbType = Boolean), @p32='?', @p33='?' (DbType = Boolean), @p34='?', @p35='?' (DbType = Int32), @p36='?' (DbType = Boolean), @p37='?' (DbType = Boolean), @p38='?' (DbType = DateTime), @p39='?' (DbType = Guid), @p40='?', @p41='?', @p42='?', @p43='?' (DbType = Int32), @p44='?' (DbType = Int32), @p45='?' (DbType = Boolean), @p46='?' (DbType = Boolean), @p47='?' (DbType = Boolean), @p48='?' (DbType = Boolean), @p49='?' (DbType = Int32), @p50='?' (DbType = Boolean), @p51='?', @p52='?' (DbType = Int32)], CommandType='Text', CommandTimeout='30']
    INSERT INTO "IdentityServerClientSecrets" ("ClientId", "Type", "Value", "Description", "Expiration") VALUES (@p0, @p1, @p2, @p3, @p4);
    UPDATE "IdentityServerClients" SET "AbsoluteRefreshTokenLifetime" = @p5, "AccessTokenLifetime" = @p6, "AccessTokenType" = @p7, "AllowAccessTokensViaBrowser" = @p8, "AllowOfflineAccess" = @p9, "AllowPlainTextPkce" = @p10, "AllowRememberConsent" = @p11, "AllowedIdentityTokenSigningAlgorithms" = @p12, "AlwaysIncludeUserClaimsInIdToken" = @p13, "AlwaysSendClientClaims" = @p14, "AuthorizationCodeLifetime" = @p15, "BackChannelLogoutSessionRequired" = @p16, "BackChannelLogoutUri" = @p17, "ClientClaimsPrefix" = @p18, "ClientId" = @p19, "ClientName" = @p20, "ClientUri" = @p21, "ConcurrencyStamp" = @p22, "ConsentLifetime" = @p23, "CreationTime" = @p24, "CreatorId" = @p25, "DeleterId" = @p26, "DeletionTime" = @p27, "Description" = @p28, "DeviceCodeLifetime" = @p29, "EnableLocalLogin" = @p30, "Enabled" = @p31, "ExtraProperties" = @p32, "FrontChannelLogoutSessionRequired" = @p33, "FrontChannelLogoutUri" = @p34, "IdentityTokenLifetime" = @p35, "IncludeJwtId" = @p36, "IsDeleted" = @p37, "LastModificationTime" = @p38, "LastModifierId" = @p39, "LogoUri" = @p40, "PairWiseSubjectSalt" = @p41, "ProtocolType" = @p42, "RefreshTokenExpiration" = @p43, "RefreshTokenUsage" = @p44, "RequireClientSecret" = @p45, "RequireConsent" = @p46, "RequirePkce" = @p47, "RequireRequestObject" = @p48, "SlidingRefreshTokenLifetime" = @p49, "UpdateAccessTokenClaimsOnRefresh" = @p50, "UserCodeType" = @p51, "UserSsoLifetime" = @p52 WHERE "Id" = @p53 AND "ConcurrencyStamp" = @p54;
    [08:14:56 ERR] An exception occurred in the database while saving changes for context type 'Volo.Abp.IdentityServer.EntityFrameworkCore.IdentityServerDbContext'.
    Microsoft.EntityFrameworkCore.DbUpdateException: An error occurred while saving the entity changes. See the inner exception for details.
     ---> Npgsql.PostgresException (0x80004005): 23505: duplicate key value violates unique constraint "PK_IdentityServerClientSecrets"
    DETAIL: Detail redacted as it may contain sensitive data. Specify 'Include Error Detail' in the connection string to include this information.
       at Npgsql.Internal.NpgsqlConnector.<ReadMessage>g__ReadMessageLong|211_0(NpgsqlConnector connector, Boolean async, DataRowLoadingMode dataRowLoadingMode, Boolean readingNotifications, Boolean isReadingPrependedMessage)
       at Npgsql.NpgsqlDataReader.NextResult(Boolean async, Boolean isConsuming, CancellationToken cancellationToken)
       at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
       at Npgsql.NpgsqlCommand.ExecuteReader(CommandBehavior behavior, Boolean async, CancellationToken cancellationToken)
       at Npgsql.NpgsqlCommand.ExecuteDbDataReaderAsync(CommandBehavior behavior, CancellationToken cancellationToken)
       at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReaderAsync(RelationalCommandParameterObject parameterObject, CancellationToken cancellationToken)
       at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReaderAsync(RelationalCommandParameterObject parameterObject, CancellationToken cancellationToken)
       at Microsoft.EntityFrameworkCore.Update.ReaderModificationCommandBatch.ExecuteAsync(IRelationalConnection connection, CancellationToken cancellationToken)
      Exception data:
        Severity: ERROR
        SqlState: 23505
        MessageText: duplicate key value violates unique constraint "PK_IdentityServerClientSecrets"
        Detail: Detail redacted as it may contain sensitive data. Specify 'Include Error Detail' in the connection string to include this information.
        SchemaName: public
        TableName: IdentityServerClientSecrets
        ConstraintName: PK_IdentityServerClientSecrets
        File: d:\pginstaller_13.auto\postgres.windows-x64\src\backend\access\nbtree\nbtinsert.c
        Line: 656
        Routine: _bt_check_unique
       --- End of inner exception stack trace ---

  • Leonardo.Willrich created

    Another question. I'm using RabbitMQ as the message broker. We had another issue related to the User Role Event Handler not being called because of this. Do you think that the event handler for Clients that removes the cache could not be reached due to RabbitMQ?

  • liangshiwei created
    Support Team Fullstack Developer

    Hi,

    The IdentityServerCacheItemInvalidator is a local event handler class, so I think RabbitMQ will not affect it.

    To reproduce, you can create a new client in Administration > Identity Server > Clients, add a Secret. Save the client and then add another Secret and delete the previous. When you try to save, it will show the error.

    I could reproduce the problem. We will fix it in the patch version. Your ticket has been refunded.

  • liangshiwei created
    Support Team Fullstack Developer

    For now, you can try this:

    Add to your *.ApplicationAutoMapperProfile:

    CreateMap<ApiResourceSecret, ApiResourceSecretDto>()
        .ForMember(d => d.Value, x => x.MapFrom(_ => _.Value));
    
    CreateMap<ClientSecret, ClientSecretDto>()
        .ForMember(d => d.Value, x => x.MapFrom(_ => _.Value));
    
  • Leonardo.Willrich created

    Ok, no problem. I've already fixed the Secret expiration date/time by changing the database and restarting the server to clear the cache.

Made with ❤️ on ABP v9.2.0-preview. Updated on January 15, 2025, 05:31