Can't generate long lived auth tokens after 8.2 upgrade #7626

okains created 7 months ago

ABP Framework version: v8.2
UI Type: Blazor Web App
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes
Exception message and full stack trace:
Steps to reproduce the issue:

Hi,

Before I upgraded my 7.x project to 8.2 I could generate long lived access tokens ( 1 year ) using the following code in the AuthServerModule:

PreConfigure<OpenIddictServerBuilder>(builder => { builder.SetAccessTokenLifetime(TimeSpan.FromDays(365)); builder.SetIdentityTokenLifetime(TimeSpan.FromDays(365));

});

This code still works, and I get a token in the db that seems to have everything set correctly:

However after about a day the token stops working. Nothing has changed in the db, and the token is of course the same, but for some reason I get a 401 when using the token, whereas for the first day ( could be more or less but seems like about a day ) it works fine:

I noticed that ABP 8.x has upgraded to OpenIddict 5, and I went through all of the migration steps for that, so I looked for anything that changed and I see that there is now the concept of per client token expiration settings. However the global settings supposedly override that ( if client settings are not set explicitly ) and I am not sure how to configure ABP to use the client settings.

Can you provide any insight into this, and suggest some things to try so that I can get this long lived token functionality back?

Thanks,

Karim Ainsworth

liangshiwei created 7 months ago

Support Team Fullstack Developer

Hi,

could you share some logs?

okains created 7 months ago

I can share anything you like, can you be more specific about what logs you need? What exactly are you looking for in the logs? I am deploying to Azure, so I can turn on logging there?

liangshiwei created 7 months ago

Support Team Fullstack Developer

HI,

I mean the webapp, httpapi and authserver logs.

I am deploying to Azure, so I can turn on logging there?

will it work locally?

okains created 7 months ago

Hi, I can share my full local logs now. I will then clear and run an authenticated request with a new token and share those logs. Will have to wait a day then to share the logs with the 401.

Here are the full logs, maybe there is something you can see in there that can help troubleshoot.

https://drive.google.com/file/d/1BcrCYTkWSM1Uu5fQfoEzdiCfq8L136uq/view?usp=sharing

Thanks,

Karim

okains created 7 months ago

I have just created a new token, fully authenticated, getting a proper 200 back now. Here are the logs for this:

https://drive.google.com/file/d/1BeNMJv2JSxjF68yPGT_v6uYUu3kPqrGG/view?usp=sharing

And the token:

eyJhbGciOiJSUzI1NiIsImtpZCI6Ijk3MTI0OEM5QUQxNjBGQkRBNzA3N0MzMDg4NzY2MkNDMTQxMDRCRUMiLCJ4NXQiOiJseEpJeWEwV0Q3Mm5CM3d3aUhaaXpCUVFTLXciLCJ0eXAiOiJhdCtqd3QifQ.eyJpc3MiOiJodHRwczovL2xvY2FsaG9zdDo0NDM1OS8iLCJleHAiOjE3NTQ0MTE0NzYsImlhdCI6MTcyMjg3NTQ3NiwiYXVkIjoiRVN2MiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwgRVN2MiIsImp0aSI6ImJiNDY0ZGI0LTI1ZDAtNGM1Ny1iOWE0LTJlYzYzYTZiNjY2MyIsInN1YiI6ImExMzY1MWU3LTZjYTEtZTAwNC02ZTM2LTNhMGRlZTZiNzBjOSIsInNlc3Npb25faWQiOiI4M2Y2ZjMxYy1kYjY2LTQ1YmYtODRjNi03ODZiYTMwMDQwNDgiLCJ1bmlxdWVfbmFtZSI6ImFkbWluIiwicHJlZmVycmVkX3VzZXJuYW1lIjoiYWRtaW4iLCJnaXZlbl9uYW1lIjoiYWRtaW4iLCJyb2xlIjoiYWRtaW4iLCJlbWFpbCI6ImFkbWluQGFicC5pbyIsImVtYWlsX3ZlcmlmaWVkIjoiRmFsc2UiLCJwaG9uZV9udW1iZXJfdmVyaWZpZWQiOiJGYWxzZSIsIm9pX3Byc3QiOiJFU3YyX1N3YWdnZXIiLCJjbGllbnRfaWQiOiJFU3YyX1N3YWdnZXIiLCJvaV90a25faWQiOiJiMjBiOTkzNS1kYjQzLTM0YzYtNjQ0ZC0zYTE0MzU4ZTUyYzEifQ.NDr7plqxw-I2_9D8s-T9ohsZ1YYiufoXaIYkDWXpzGeiHrfZkdBxXitwkgtfftFNApsiUTgAb2-43o_m48_IrJo74y0L3_PBhn6F-13MFw9ADIf_HTuNPlxhLUq48uTmztNEQUbvTIa6iToUj59iM3azsfHjHe2SqziLSJVNMs_b1DsHTmJB2V9faEuiwVLEJqBDCGL-ohGbFizEL5xfpDLNI1yRf4C-jSqccQ-YC41Ur5xf9Cv1kkNpzSnnfUke8oW0KRT5_xnXJY4FUECe-AaK6UWi0IbbU6PC7O7ER3tSc5BpokrdWl4kFiEklIM9n2mjMvk4HY9fCxfR0Dmang

Will be a day now when this expires, I can re-run this tomorrow and will get a 401. Can send the logs then. Please take a look in the meantime though and if there is anything obvious to you that is wrong let me know. Would like to resolve this as soon as possible.

Thanks,

Karim

liangshiwei created 7 months ago

Support Team Fullstack Developer

maybe related to the identity session.

could you try logout first, then re-login.

then navigate to Account/sessions

you should be able to see two sessions.

okains created 7 months ago

Hi,

I am getting a 404 on account/sessions, also account/session, and I tried to find it in the settings / admin menus but can't find, is that the right URL?

Also, the token I generated last night is now giving me a 401:

And here are the logs after making that API call:

https://drive.google.com/file/d/1BeYcZz4k9WFmyTGTBI8vH4SeehbsnonI/view?usp=sharing

This time we didn't get 24 hours, was working 14 hours ago. I don't see anything obvious in the logs.

I just paused for a bit, then tried hitting the API endpoint again, of course got a 401, but not much additional in the logs, that was done at 13:38:

2024-08-06 13:17:51.296 +06:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyIntrospectionResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyIntrospectionResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. 2024-08-06 13:17:51.296 +06:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyIntrospectionResponseContext was marked as handled by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyIntrospectionResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. 2024-08-06 13:17:51.296 +06:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Introspection+ApplyIntrospectionResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. 2024-08-06 13:17:51.296 +06:30 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as handled by OpenIddict.Server.OpenIddictServerHandlers+Introspection+ApplyIntrospectionResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. 2024-08-06 13:17:51.296 +06:30 [INF] Request finished HTTP/1.1 POST https://localhost:44359/connect/introspect - 200 348 application/json;charset=UTF-8 26.4754ms 2024-08-06 13:38:11.132 +06:30 [INF] Lock is acquired for TokenCleanupBackgroundWorker 2024-08-06 13:38:11.133 +06:30 [INF] Lock is acquired for IdentitySessionCleanupBackgroundWorker 2024-08-06 13:38:11.139 +06:30 [INF] Start cleanup. 2024-08-06 13:38:11.140 +06:30 [INF] Start cleanup tokens. 2024-08-06 13:38:11.144 +06:30 [INF] Start cleanup sessions. 2024-08-06 13:38:11.198 +06:30 [INF] Cleanup sessions completed. 2024-08-06 13:38:11.198 +06:30 [INF] Lock is released for IdentitySessionCleanupBackgroundWorker 2024-08-06 13:38:11.206 +06:30 [INF] Start cleanup authorizations. 2024-08-06 13:38:11.251 +06:30 [INF] Lock is released for TokenCleanupBackgroundWorker

Thanks,

Karim

liangshiwei created 7 months ago

Support Team Fullstack Developer

Hi,

I am getting a 404 on account/sessions, also account/session, and I tried to find it in the settings / admin menus but can't find, is that the right URL?

The URL should be AuthServerURL/account/sessions

You can try this: https://abp.io/support/questions/7626/Can%27t-generate-long-lived-auth-tokens-after-82-upgrade#answer-3a143840-1291-1f3d-7e6b-18c502a01068 this problem also happened in the ABP.io, after logout and re-login, it works fine.

okains created 7 months ago

OK, i have logged out / logged back in as admin to the auth server, I can see the sessions now. I don't see an active Session for the token that I generated last night.

Are you saying that because now I have logged in, that if I create a new token, that it won't expire? I can try that now and see how it works. Here is the current Sessions without the new token :