Issue while implementing the impersonation in micro Service based solution #6518

34 Answer(s)

• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  IDX10214: Audience validation failed. A Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

  Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

  Your access_token seems to be missing the AccountService audience.

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  IDX10214: Audience validation failed. A Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

  Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

  Your access_token seems to be missing the AccountService audience.

  Aftering doing the suggisted change

  

  we are getting the below issues for our services

  PermissionRequirement: EmployeeService.Employees.Create

  2024-01-22 12:58:41.151 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: EmployeeService.Employees.Create

  2024-01-22 12:58:41.174 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.178 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: EmployeeService.Employees.Create

  2024-01-22 12:58:41.206 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.207 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:41.211 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

  2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: ObservationsService.Observations

  2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: IncidentService.IncidentManagements

  2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: InspectionService.AuditsManagements

  2024-01-22 12:58:42.602 +05:30 [INF] Authorization failed. These requirements were not met:

  PermissionRequirement: InspectionService.InspectionManagements

  Still we proceeded and tried the same but getting the below error as well

  { "code": "Volo.Account:RequirePermissionToImpersonateUser", "message": "Require AbpIdentity.Users permission to impersonate user!", "details": null, "data": { "PermissionName": "AbpIdentity.Users" }, "validationErrors": null }

  My first question is this functionality and steps valid for ABP7?

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Require AbpIdentity.Users permission to impersonate user! These requirements were not met:

  Does the user have the related permissions?

  Can you share a access_token to liming.ma@volosoft.com

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  Require AbpIdentity.Users permission to impersonate user! These requirements were not met:

  Does the user have the related permissions?

  Can you share a access_token to liming.ma@volosoft.com

  Yes permission is provided

  

  sharing the access-token over the email in few minutes

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  These are the roles of your access_token.

  Do they have the correct permissions?

    "role": [
      "HSE Manager",
      "HSE Review",
      "HSE Team",
      "Super Administrator",
      "Vehicle Maintainance Team"
    ],
  

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  These are the roles of your access_token.

  Do they have the correct permissions?

    "role": [ 
      "HSE Manager", 
      "HSE Review", 
      "HSE Team", 
      "Super Administrator", 
      "Vehicle Maintainance Team" 
    ], 
  

  Yes those are having proper permissions and rest all functionalities are working fine

  

  

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  The log says : Require AbpIdentity.Users permission to impersonate user!",

  What's your ImpersonationUserPermission value?

  Eg:

  context.Services.Configure<AbpAccountOptions>(options =>
  {
      //For impersonation in Saas module
      options.TenantAdminUserName = "admin";
      options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;
  
      //For impersonation in Identity module
      options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
  });
  

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  The log says : Require AbpIdentity.Users permission to impersonate user!",

  What's your ImpersonationUserPermission value?

  Eg:

  context.Services.Configure<AbpAccountOptions>(options => 
  { 
      //For impersonation in Saas module 
      options.TenantAdminUserName = "admin"; 
      options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation; 
   
      //For impersonation in Identity module 
      options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation; 
  }); 
  

  we are using the below

  

  and added below as well in auth server

  

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  It's weird.

  Can you debug the app and inject the IOptions<AbpAccountOptions to see its values?

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  It's weird.

  Can you debug the app and inject the IOptions<AbpAccountOptions to see its values?

  ok will check and update u

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  ok. thanks

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  ok. thanks

  This is what we are getting, let us know if u need any more info.

  

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Can you share a project?

  liming.ma@volosoft.com

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  Can you share a project?

  liming.ma@volosoft.com

  do u want just Auth server one or entire, becoz our is very big one with mutiple micro services so sharing may not be possible.

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  I can share the source code of the Impersonate classes.

  You can debug it in your local.

  Send the class name to liming.ma@volosoft.com

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  I can share the source code of the Impersonate classes.

  You can debug it in your local.

  Send the class name to liming.ma@volosoft.com

  I just emailed

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Please share the HTTP request info of this error, then I will send your source code.

  {
  "code": "Volo.Account:RequirePermissionToImpersonateUser",
  "message": "Require AbpIdentity.Users permission to impersonate user!"
  }
  

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  Please share the HTTP request info of this error, then I will send your source code.

  { 
  "code": "Volo.Account:RequirePermissionToImpersonateUser", 
  "message": "Require AbpIdentity.Users permission to impersonate user!" 
  } 
  

  Please find the further details shared over ur email, due to length constraint I shared over email

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Your problem is not related to the permissions but access_token

  Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

  Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

  

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  Your problem is not related to the permissions but access_token

  Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

  Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

  

  Hi didnt get what exactly you mean too, can you please explain in much detail and let us know the probable fix./change

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  You can try to add AccountService here

  

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  hi

  You can try to add AccountService here

  

  If we add 'AccountService', we are getting this error: 2024-01-25 11:56:57.402 +05:30 [ERR] Scope AccountService not found in store. 2024-01-25 11:56:57.402 +05:30 [ERR] Request validation failed

  Without 'AccountService', we are getting this error: 2024-01-25 12:01:34.565 +05:30 [INF] Executing endpoint '/Account/ImpersonateUser' 2024-01-25 12:01:34.567 +05:30 [INF] Route matched with {page = "/Account/ImpersonateUser", action = "", controller = "", area = ""}. Executing page /Account/ImpersonateUser 2024-01-25 12:01:34.567 +05:30 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy 2024-01-25 12:01:34.582 +05:30 [INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.ImpersonateUserModel.OnGetAsync - ModelState is "Valid" 2024-01-25 12:01:34.586 +05:30 [INF] Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'. at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown) --- End of stack trace from previous location --- at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() 2024-01-25 12:01:34.586 +05:30 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'. 2024-01-25 12:01:34.600 +05:30 [WRN] ---------- RemoteServiceErrorInfo ---------- { "code": "Volo.Account:RequirePermissionToImpersonateUser", "message": "Require AbpIdentity.Users.Impersonation permission to impersonate user!", "details": null, "data": { "PermissionName": "AbpIdentity.Users.Impersonation" }, "validationErrors": null }

  2024-01-25 12:01:34.600 +05:30 [WRN] Exception of type 'Volo.Abp.BusinessException' was thrown. Volo.Abp.BusinessException: Exception of type 'Volo.Abp.BusinessException' was thrown. at Volo.Abp.Account.Web.Pages.Account.IdentityServerImpersonateUserModel.OnGetAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Convert[T](Object taskAsObject) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync() at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) 2024-01-25 12:01:34.658 +05:30 [WRN] Code:Volo.Account:RequirePermissionToImpersonateUser 2024-01-25 12:01:34.658 +05:30 [WRN] Details: 2024-01-25 12:01:34.660 +05:30 [WRN] ---------- Exception Data ---------- PermissionName = AbpIdentity.Users.Impersonation

  We Upgraded our application from 5.1.3 to 7.3.2 and We are using 'AuthServer' not using 'AccountService' in Scopes

  

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Please share the source code of your Auth server module(MyProjectNameAuthServerModule-http://localhost:44322)

  liming.ma@volosoft.com

  Save Cancel
• 

  0

  viswajwalith created 10 months ago

  Hi Sry for delay,

  I sahred the code to your email liming.ma@volosoft.com (via WeTransfer)

  Save Cancel
• 

  0

  maliming created 10 months ago

  Support Team Fullstack Developer

  hi

  Your JwtBearer requires an AccountService audience.

  context.Services.AddAuthentication()
      .AddJwtBearer(options =>
      {
          options.Authority = configuration["AuthServer:Authority"];
          options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
          options.Audience = "AccountService";
      });
  

  but your access token doesn't have this audience.

  By the way, does AccountService exist in your identity server?

  

  Save Cancel