Open Closed

Abp application Authanticate from non-Abp application external provider, but loop redirect and logout problems. #4769


User avatar
0
hakan.kulcur@yddosoftware.com created

IdentityCheck the docs before asking a question: https://docs.abp.io/en/commercial/latest/ Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v5.3.3
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

Hello,

I have three questions regarding Identity Server authentication.

  1. The ABP application I have developed can authenticate with IDS4 from a non-ABP ASP.NET Core application. When I click the "Login" button on the homepage in abp app, I can connect with OpenID Connect configuration. I have prepared an authorized Custom Page for testing purposes, and I can access it. However, when I try to access the CustomPage without logging in, IDS4 asks for the user's name and password from the Login screen. Then, I get stuck in an endless redirect loop. There are dozens of log entries in the log file. I can log in from the homepage without any issues and access the Custom Page. Why does it loop after login when I access it without authentication? I am attaching the IdentityServer QuickStart sample and ABP application as examples. Link DELETED
Log--
023-03-24 14:02:24.452 +03:00 [INF] Request starting HTTP/2 GET https://localhost:44313/CustomPage - -
2023-03-24 14:02:24.708 +03:00 [INF] Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
2023-03-24 14:02:24.819 +03:00 [INF] AuthenticationScheme: oidc was challenged.
2023-03-24 14:02:24.822 +03:00 [INF] Request finished HTTP/2 GET https://localhost:44313/CustomPage - - - 302 - - 369.7578ms
2023-03-24 14:02:26.550 +03:00 [INF] Request starting HTTP/2 POST https://localhost:44313/signin-oidc application/x-www-form-urlencoded 589
2023-03-24 14:02:26.732 +03:00 [DBG] Executing HealthCheck collector HostedService.

2023-03-24 14:02:30.130 +03:00 [INF] AuthenticationScheme: oidc was challenged.
2023-03-24 14:02:30.131 +03:00 [INF] Request finished HTTP/2 GET https://localhost:44313/CustomPage - - - 302 - - 5.7295ms
2023-03-24 14:02:30.363 +03:00 [INF] Request starting HTTP/2 POST https://localhost:44313/signin-oidc application/x-www-form-urlencoded 589
2023-03-24 14:02:30.388 +03:00 [INF] AuthenticationScheme: Identity.External signed in.
2023-03-24 14:02:30.389 +03:00 [INF] Request finished HTTP/2 POST https://localhost:44313/signin-oidc application/x-www-form-urlencoded 589 - 302 - - 25.5136ms
2023-03-24 14:02:30.391 +03:00 [INF] Request starting HTTP/2 GET https://localhost:44313/CustomPage - -
2023-03-24 14:02:30.394 +03:00 [INF] Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
  1. After logging in to the non-ABP application in one browser tab, when I log in to the ABP application, the non-ABP application logs out. When I log in again to the non-ABP application, our ABP application logs out. The two applications cannot be logged in simultaneously, but both can log in with the same client configuration from the same IdentityServer. How is this possible?

This issue cannot be reproduced in the IDS4 Quickstart and MVC client example that I have sent. However, I can reproduce it in the non-ABP application, but I cannot send the code.

  1. After logging in to the ABP application, the following warning appears in the IDS4 and application logs of the non-ABP application.
fail: Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery[7]
      An exception was thrown while deserializing the token.
      Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.
       ---> System.Security.Cryptography.CryptographicException: The key {a040ee01-b8b0-4d88-ad71-b94da3cb80f9} was not found in the key ring.
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.UnprotectCore(Byte[] protectedData, Boolean allowOperationsOnRevokedKeys, UnprotectStatus& status)
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.DangerousUnprotect(Byte[] protectedData, Boolean ignoreRevocationErrors, Boolean& requiresMigration, Boolean& wasRevoked)
         at Microsoft.AspNetCore.DataProtection.KeyManagement.KeyRingBasedDataProtector.Unprotect(Byte[] protectedData)
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
         --- End of inner exception stack trace ---
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgeryTokenSerializer.Deserialize(String serializedToken)
         at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.GetCookieTokenDoesNotThrow(HttpContext httpContext)
  1. Bonus Question !! Would you run our abp aplication in to non Abp Application Iframe Page with authantication?

4 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    This issue cannot be reproduced in the IDS4 Quickstart and MVC client example that I have sent. However, I can reproduce it in the non-ABP application, but I cannot send the code.

    In this case, it is difficult for me to troubleshoot the problem. Please provide a simple project reproduction problem instead of not your real project.

  • User Avatar
    0
    hakan.kulcur@yddosoftware.com created

    For first question (redirect loop) I sent a link (now deleted) for reproduce problem code. can ou suggest a solution?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    ok, please send it via email, liming.ma@volosoft.com

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You are using IdentityConstants.ExternalScheme(https://localhost:5001/) as SignInScheme of OpenIdConnect.

    but the default scheme is Identity.Application(account/login).

    The Authorize of CustomPage will try authentication with Identity.Application(account/login).

    I don't recommend you change DefaultSignInScheme.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 05, 2024, 12:19