Open Closed

Issue while implementing the impersonation in micro Service based solution #6518


User avatar
0
viswajwalith created
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..) / MongoDB
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue: We are trying to implement impersonation in ABP 7.3.2 but in the documentaton (https://docs.abp.io/en/commercial/7.3/modules/account/impersonation#authserver-2) not able to see the steps specific to relevent version, still we went ahded and tried the steps povided but getting the below error even if we keep the maxLimit to <requestLimits maxAllowedContentLength="4294967295" />

the log is as follows

2024-01-17 17:38:46.244 +05:30 [INF] IDX10242: Security token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
2024-01-17 17:38:46.244 +05:30 [INF] IDX10239: Lifetime of the token is valid.
2024-01-17 17:38:46.244 +05:30 [ERR] IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
2024-01-17 17:38:46.245 +05:30 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location ---
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()
has context menu

Please advise.


34 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    IDX10214: Audience validation failed. A Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

    Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

    Your access_token seems to be missing the AccountService audience.

  • User Avatar
    0
    viswajwalith created

    hi

    IDX10214: Audience validation failed. A Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

    Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

    Your access_token seems to be missing the AccountService audience.

    Aftering doing the suggisted change

    we are getting the below issues for our services

    PermissionRequirement: EmployeeService.Employees.Create

    2024-01-22 12:58:41.151 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: EmployeeService.Employees.Create

    2024-01-22 12:58:41.174 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.178 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: EmployeeService.Employees.Create

    2024-01-22 12:58:41.206 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.207 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.208 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:41.211 +05:30 [WRN] Could not find the localization resource LeptonX on the remote server!

    2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: ObservationsService.Observations

    2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: IncidentService.IncidentManagements

    2024-01-22 12:58:42.601 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: InspectionService.AuditsManagements

    2024-01-22 12:58:42.602 +05:30 [INF] Authorization failed. These requirements were not met:

    PermissionRequirement: InspectionService.InspectionManagements

    Still we proceeded and tried the same but getting the below error as well

    { "code": "Volo.Account:RequirePermissionToImpersonateUser", "message": "Require AbpIdentity.Users permission to impersonate user!", "details": null, "data": { "PermissionName": "AbpIdentity.Users" }, "validationErrors": null }

    My first question is this functionality and steps valid for ABP7?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Require AbpIdentity.Users permission to impersonate user! These requirements were not met:

    Does the user have the related permissions?

    Can you share a access_token to liming.ma@volosoft.com

  • User Avatar
    0
    viswajwalith created

    hi

    Require AbpIdentity.Users permission to impersonate user! These requirements were not met:

    Does the user have the related permissions?

    Can you share a access_token to liming.ma@volosoft.com

    Yes permission is provided

    sharing the access-token over the email in few minutes

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    These are the roles of your access_token.

    Do they have the correct permissions?

      "role": [
        "HSE Manager",
        "HSE Review",
        "HSE Team",
        "Super Administrator",
        "Vehicle Maintainance Team"
      ],
    
  • User Avatar
    0
    viswajwalith created

    hi

    These are the roles of your access_token.

    Do they have the correct permissions?

      "role": [ 
        "HSE Manager", 
        "HSE Review", 
        "HSE Team", 
        "Super Administrator", 
        "Vehicle Maintainance Team" 
      ], 
    

    Yes those are having proper permissions and rest all functionalities are working fine

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The log says : Require AbpIdentity.Users permission to impersonate user!",

    What's your ImpersonationUserPermission value?

    Eg:

    context.Services.Configure<AbpAccountOptions>(options =>
    {
        //For impersonation in Saas module
        options.TenantAdminUserName = "admin";
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;
    
        //For impersonation in Identity module
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
    });
    
  • User Avatar
    0
    viswajwalith created

    hi

    The log says : Require AbpIdentity.Users permission to impersonate user!",

    What's your ImpersonationUserPermission value?

    Eg:

    context.Services.Configure<AbpAccountOptions>(options => 
    { 
        //For impersonation in Saas module 
        options.TenantAdminUserName = "admin"; 
        options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation; 
     
        //For impersonation in Identity module 
        options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation; 
    }); 
    

    we are using the below

    and added below as well in auth server

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    It's weird.

    Can you debug the app and inject the IOptions<AbpAccountOptions to see its values?

  • User Avatar
    0
    viswajwalith created

    It's weird.

    Can you debug the app and inject the IOptions<AbpAccountOptions to see its values?

    ok will check and update u

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok. thanks

  • User Avatar
    0
    viswajwalith created

    ok. thanks

    This is what we are getting, let us know if u need any more info.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share a project?

    liming.ma@volosoft.com

  • User Avatar
    0
    viswajwalith created

    hi

    Can you share a project?

    liming.ma@volosoft.com

    do u want just Auth server one or entire, becoz our is very big one with mutiple micro services so sharing may not be possible.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I can share the source code of the Impersonate classes.

    You can debug it in your local.

    Send the class name to liming.ma@volosoft.com

  • User Avatar
    0
    viswajwalith created

    hi

    I can share the source code of the Impersonate classes.

    You can debug it in your local.

    Send the class name to liming.ma@volosoft.com

    I just emailed

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please share the HTTP request info of this error, then I will send your source code.

    {
    "code": "Volo.Account:RequirePermissionToImpersonateUser",
    "message": "Require AbpIdentity.Users permission to impersonate user!"
    }
    
  • User Avatar
    0
    viswajwalith created

    hi

    Please share the HTTP request info of this error, then I will send your source code.

    { 
    "code": "Volo.Account:RequirePermissionToImpersonateUser", 
    "message": "Require AbpIdentity.Users permission to impersonate user!" 
    } 
    

    Please find the further details shared over ur email, due to length constraint I shared over email

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Your problem is not related to the permissions but access_token

    Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

    Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

  • User Avatar
    0
    viswajwalith created

    hi

    Your problem is not related to the permissions but access_token

    Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.

    Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'.

    Hi didnt get what exactly you mean too, can you please explain in much detail and let us know the probable fix./change

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can try to add AccountService here

  • User Avatar
    0
    viswajwalith created

    hi

    You can try to add AccountService here

    If we add 'AccountService', we are getting this error: 2024-01-25 11:56:57.402 +05:30 [ERR] Scope AccountService not found in store. 2024-01-25 11:56:57.402 +05:30 [ERR] Request validation failed

    Without 'AccountService', we are getting this error: 2024-01-25 12:01:34.565 +05:30 [INF] Executing endpoint '/Account/ImpersonateUser' 2024-01-25 12:01:34.567 +05:30 [INF] Route matched with {page = "/Account/ImpersonateUser", action = "", controller = "", area = ""}. Executing page /Account/ImpersonateUser 2024-01-25 12:01:34.567 +05:30 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy 2024-01-25 12:01:34.582 +05:30 [INF] Executing handler method Volo.Abp.Account.Public.Web.Pages.Account.ImpersonateUserModel.OnGetAsync - ModelState is "Valid" 2024-01-25 12:01:34.586 +05:30 [INF] Failed to validate the token. Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'. at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown) --- End of stack trace from previous location --- at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken) at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() 2024-01-25 12:01:34.586 +05:30 [INF] Bearer was not authenticated. Failure message: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'. 2024-01-25 12:01:34.600 +05:30 [WRN] ---------- RemoteServiceErrorInfo ---------- { "code": "Volo.Account:RequirePermissionToImpersonateUser", "message": "Require AbpIdentity.Users.Impersonation permission to impersonate user!", "details": null, "data": { "PermissionName": "AbpIdentity.Users.Impersonation" }, "validationErrors": null }

    2024-01-25 12:01:34.600 +05:30 [WRN] Exception of type 'Volo.Abp.BusinessException' was thrown. Volo.Abp.BusinessException: Exception of type 'Volo.Abp.BusinessException' was thrown. at Volo.Abp.Account.Web.Pages.Account.IdentityServerImpersonateUserModel.OnGetAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Convert[T](Object taskAsObject) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.ExecutorFactory.GenericTaskHandlerMethod.Execute(Object receiver, Object[] arguments) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeHandlerMethodAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeNextPageFilterAsync() at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Rethrow(PageHandlerExecutedContext context) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted) at Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker.InvokeInnerFilterAsync() at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.<InvokeNextExceptionFilterAsync>g__Awaited|26_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted) 2024-01-25 12:01:34.658 +05:30 [WRN] Code:Volo.Account:RequirePermissionToImpersonateUser 2024-01-25 12:01:34.658 +05:30 [WRN] Details: 2024-01-25 12:01:34.660 +05:30 [WRN] ---------- Exception Data ---------- PermissionName = AbpIdentity.Users.Impersonation

    We Upgraded our application from 5.1.3 to 7.3.2 and We are using 'AuthServer' not using 'AccountService' in Scopes

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please share the source code of your Auth server module(MyProjectNameAuthServerModule-http://localhost:44322)

    liming.ma@volosoft.com

  • User Avatar
    0
    viswajwalith created

    Hi Sry for delay,

    I sahred the code to your email liming.ma@volosoft.com (via WeTransfer)

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Your JwtBearer requires an AccountService audience.

    context.Services.AddAuthentication()
        .AddJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
            options.Audience = "AccountService";
        });
    

    but your access token doesn't have this audience.

    By the way, does AccountService exist in your identity server?

Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35