
Issue while implementing the impersonation in micro Service based solution #6518


User avatar
0
viswajwalith created
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server, Oracle, MySQL, PostgreSQL, etc..) / MongoDB
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue: We are trying to implement impersonation in ABP 7.3.2 but in the documentation (https://docs.abp.io/en/commercial/7.3/modules/account/impersonation#authserver-2) we are not able to see the steps specific to the relevant version. Still we went ahead and tried the steps provided but are getting the below error, even if we keep the max limit at <requestLimits maxAllowedContentLength="4294967295" />

the log is as follows

2024-01-17 17:38:46.244 +05:30 [INF] IDX10242: Security token: '[PII of type 'System.IdentityModel.Tokens.Jwt.JwtSecurityToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
2024-01-17 17:38:46.244 +05:30 [INF] IDX10239: Lifetime of the token is valid.
2024-01-17 17:38:46.244 +05:30 [ERR] IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
2024-01-17 17:38:46.245 +05:30 [INF] Failed to validate the token.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidAudienceException: IDX10214: Audience validation failed. Audiences: 'IdentityService, AdministrationService, SaasService, EmployeeService, IncidentService, AttachmentService, ObservationsService, ActionService, UserTaskService, HSEPlansService, NCRService, CustomerService, InspectionService, Forms, FileManagement, AuthServer, RMService, TMService, PTWService'. Did not match: validationParameters.ValidAudience: 'AccountService' or validationParameters.ValidAudiences: 'null'.
   at Microsoft.IdentityModel.Tokens.Validators.ValidateAudience(IEnumerable`1 audiences, SecurityToken securityToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateAudience(IEnumerable`1 audiences, JwtSecurityToken jwtToken, TokenValidationParameters validationParameters)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateTokenPayload(JwtSecurityToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateJWS(String token, TokenValidationParameters validationParameters, BaseConfiguration currentConfiguration, SecurityToken& signatureValidatedToken, ExceptionDispatchInfo& exceptionThrown)
--- End of stack trace from previous location ---
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, JwtSecurityToken outerToken, TokenValidationParameters validationParameters, SecurityToken& signatureValidatedToken)
   at System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.ValidateToken(String token, TokenValidationParameters validationParameters, SecurityToken& validatedToken)
   at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync()

Please advise.


34 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    https://identityserver4.readthedocs.io/en/docs-preview/search.html?q=audience&check_keywords=yes&area=default

  • User Avatar
    0
    viswajwalith created

    https://identityserver4.readthedocs.io/en/docs-preview/search.html?q=audience&check_keywords=yes&area=default

    Thanks for the inputs, We will check and update accordingly

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok.

  • User Avatar
    0
    viswajwalith created

    hi

    Your JwtBearer requires an AccountService audience.

    context.Services.AddAuthentication()
        .AddJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
            // The handler rejects any token whose 'aud' claim does not contain this value (IDX10214).
            options.Audience = "AccountService";
        });


    but your access token doesn't have this audience.

    By the way, does AccountService exist in your identity server?

    AccountService does not exist in our identity server. We upgraded our application from version 5.1.3 to 7.3.2 and there was no AccountService in 5.1.3. Can you please advise what will be the best possible solution?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You need to use an existing scope, eg AuthServer

    context.Services.AddAuthentication()
        .AddJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
            // Must be one of the audiences the access token actually carries.
            options.Audience = "AuthServer";
        });

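    A quick way to see why IDX10214 fires is to decode the token's `aud` claim and compare it with the audience the JwtBearer handler is configured with. This Python diagnostic is an added example, not ABP's or the support team's code; the sample token is constructed from the audiences in the log above and is unsigned, so it only serves to inspect claims.

```python
import base64
import json

# Constructed sample: a subset of the audiences reported in the IDX10214 log line.
TOKEN_AUDIENCES = ["IdentityService", "AdministrationService", "SaasService", "AuthServer"]


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_audiences(token: str) -> list[str]:
    """Return the 'aud' claim of a compact JWT as a list (the claim may be a string or a list)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(token: str, valid_audience: str) -> tuple[bool, list[str]]:
    """Mirror the IDX10214 rule: at least one token audience must equal the configured one.

    Returns (matched, audiences_in_token) so a mismatch can be reported with what the token has.
    """
    auds = jwt_audiences(token)
    return valid_audience in auds, auds


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed alg=none token with an empty signature, for claim inspection only."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    token = make_unsigned_token({"aud": TOKEN_AUDIENCES, "sub": "user-a"})
    for configured in ("AccountService", "AuthServer"):
        ok, auds = check_audience(token, configured)
        print(f"Audience={configured!r}: {'OK' if ok else 'IDX10214 mismatch'} (token has {auds})")
```

    The fix is the one in the answer above: configure an audience the token really carries, rather than turning audience validation off.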
  • User Avatar
    0
    viswajwalith created

    hi

    You need to use a existing scope eg AuthServer

    context.Services.AddAuthentication()
        .AddJwtBearer(options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
            options.Audience = "AuthServer";
        });


    Thanks for the quick response. Below is our Auth server audience. Do we need to replace 'AccountService' with 'AuthServer', or do we need to add a new audience 'AuthServer'?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I think you should replace all AccountService with AuthServer

  • User Avatar
    0
    viswajwalith created

    hi

    I think you should replace all AccountService with AuthServer

    We tried this. We replaced AccountService with AuthServer and logged in with user A. When we try to impersonate user B, it is taking us to the AuthServer login page (https://localhost:44322/Account/Login); there are no errors in the log file.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Your AccountController in the web project should inherit from AbpAccountImpersonationChallengeAccountController

    public class AccountController : AbpAccountImpersonationChallengeAccountController
    {
        // No members are needed: the base class supplies the impersonation challenge actions.
    }

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11