- ABP Framework version: Latest Version
- UI Type: Angular /
- Database System: MySQL
- Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separete
- Exception message and full stack trace:
- Steps to reproduce the issue:
I am able to bring up all the microservices as well as the Angular App. When i click on Login it redirects me to the Auth Server and then it brings me back to the Angular App, and then it calls the api : https://dev.web-gateway.xxx.dev.aws.yyy.com/api/abp/application-configuration?includeLocalizationResources=false and i can see the berarer token as well , however the response i get is : "currentUser": { "isAuthenticated": false, "id": null, "tenantId": null, "impersonatorUserId": null, "impersonatorTenantId": null, "impersonatorUserName": null, "impersonatorTenantName": null, "userName": null, "name": null, "surName": null, "email": null, "emailVerified": false, "phoneNumber": null, "phoneNumberVerified": false, "roles": [], "sessionId": null },
which is probably not allowing me to login. So I am unable to understand if a valid token is passed (as i checked the token and compared with the token api) then why the response say isAuthenticated is false.
25 Answer(s)
-
0
can you share the server log?
-
0
I have send a lot of details to shiwei.liang@volosoft.com as I couldn't upload the log because of the size restriction.
I have put the log file, HTTP Archive file so that you can import to your chrome browser and the see the traffic what I am seeing.
I have also put in a line of code I made changes as well.
Please look into this as a priority as this is holding us up to move further.
-
0
Hi,
could you also share
gatewayandadministration servicelogs? thanks. -
0
I was able to solve the Login issue and I am adding the code here in case any one wants to take advantage of
private void ConfigureJwtBearer(ServiceConfigurationContext context, IConfiguration configuration) { context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) .AddAbpJwtBearer(options => { options.Authority = configuration["AuthServer:Authority"]; options.MetadataAddress = configuration["AuthServer:MetaAddress"]!.EnsureEndsWith('/') + ".well-known/openid-configuration"; options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); options.Audience = configuration["AuthServer:Audience"]; ** // IDX10204: Unable to validate issuer on K8s if not set options.TokenValidationParameters = new TokenValidationParameters() { ValidIssuers = new[] { configuration["AuthServer:Authority"]!.EnsureEndsWith('/') }, // IDX10500: Signature validation failed. No security keys were provided to validate the signature on K8s SignatureValidator = delegate (string token, TokenValidationParameters parameters) { var jwt = new Microsoft.IdentityModel.JsonWebTokens.JsonWebToken(token); return jwt; } }; ** }); }However I am having several CORS issue after logging in. I was able to load Audit Log page fine, but SAAS, Identity or OpenID pages are not loading.
I have sent you an email with all the logs, HAR files as well as a link to download the source code in case you want to inspect what I have configured wrong.
-
0
Request origin null does not have permission to access the resource.
see: https://abp.io/support/questions/7447/Authentication-valid-issuer-issue
-
0
I also checked the same error but was confused as I was using the default admin user and this is the only user in the system. My doubts is probably not all tables are properly getting populated with the data seeding.
Do you have the list of tables that should be getting populated for an Admin user to work prooperly ?
Also where should I look for issues during data seeding ?
This issue has become a bottle neck for the project.
-
0
This issue is stopping us to move further and I think we should set up a call to discuss this. Please read some of our finding :
- When we use AWS MQ broker as our Rabbit MQ the data seeding doesn't work properly, i.e. the table like AbpPermissionGrants are getting populated while AbpPermissionGroups and AbpPermissions are not getting populated.This tells me the way the Rabbit MQ is configured and used can only be used by the data seeder but not by the underlying programs.
We have configured the Rabbit MQ this way :
if (!env.IsDevelopment()) { Configure<AbpRabbitMqOptions>(options => { options.Connections.Default.UserName = configuration["RabbitMQ:Connections:Default:UserName"]; options.Connections.Default.Password = configuration["RabbitMQ:Connections:Default:Password"]; options.Connections.Default.HostName = configuration["RabbitMQ:Connections:Default:HostName"]; options.Connections.Default.Port = 5671; options.Connections.Default.Ssl = new RabbitMQ.Client.SslOption { Enabled = true, ServerName = configuration["RabbitMQ:Connections:Default:HostName"] }; options.Connections.Default.VirtualHost = configuration["RabbitMQ:Connections:Default:VirtualHost"]; }); }- In order to overcome this we tried to create the database using our localhost and local RabbitMQ and the permissions are getting populated properly, then we connected the database to our hosted application. And we made sure all URLS and clientids are properly configured. However the issue still persist. The thing what we observed here is lets when we wanted to get the list of users in our angular app and we hit the web Gateway and the WebGateway returns a 301 error and then the request is transfeered to the Identity End Point , however the request doesnt contain the authroization header. When we used a post man and copied the authroization header which was sent to the WebGateway and started sending to the Identity end point everything works fine. This behavior is not seen for Audit Log or for Languages end points so those screen works properly. This behaviour is also not seen in any end point in localhost. I will be sending the HAR files to your email, but please do respond with some details, all your response has been either references to other tickets or asking for more logs. I have sent a lot of information in the past and don't mind sending if that helps.
We have an enterprise account , so if there is another way to looks at this issue privately or with more focus please let me know. Our whole development has come to a stand still as we don't want to proceed without understanding how things are working.
-
0
hi @castcrewit
When we use AWS MQ broker as our Rabbit MQ the data seeding doesn't work properly, we hit the web Gateway and the WebGateway returns a 301 error
These two errors will be reflected in the logs(Logs.txt). Can you set the log level to Debug, reproduce the problem later, and share the logs of all related applications(API, authserver. gateway)?
public class Program { public async static Task<int> Main(string[] args) { Log.Logger = new LoggerConfiguration() .MinimumLevel.Debug() .MinimumLevel.Override("Microsoft.EntityFrameworkCore", LogEventLevel.Warning) .Enrich.FromLogContext() .WriteTo.Async(c => c.File("Logs/logs.txt")) .WriteTo.Async(c => c.Console()) .CreateLogger();Thanks.
liming.ma@volosoft.com
-
0
We don't know much about AWS MQ. We can't provide help with it.
But if you can share detailed logs of all applications, we will try to check it.
-
0
@maliming you never responded about the second point where I mentioned clearly that I was able to overcome the seeding issue but seeing issues with redirection from Web gateway to identity apis without the token.
-
0
Can you share your logs of all projects first?
I want to check the logs.
Thanks.
-
0
I have sent the logs for all Projects to your email. Thank you in advance for looking into it
-
0
One thing we are noticing is this :
fail: Volo.Abp.PermissionManagement.AbpPermissionManagementDomainModule[0] Unknown database 'PSLWeb_dev3_Administration' MySqlConnector.MySqlException (0x80004005): Unknown database 'PSLWeb_dev3_Administration' at MySqlConnector.Core.ServerSession.ReceiveReplyAsync(IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 894 at MySqlConnector.Core.ServerSession.ConnectAsync(ConnectionSettings cs, MySqlConnection connection, Int64 startingTimestamp, ILoadBalancer loadBalancer, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ServerSession.cs:line 532 at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, Action`4 logMessage, Int64 startingTimestamp, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 428 at MySqlConnector.Core.ConnectionPool.ConnectSessionAsync(MySqlConnection connection, Action`4 logMessage, Int64 startingTimestamp, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 433 at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int64 startingTimestamp, Int32 timeoutMilliseconds, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 111 at MySqlConnector.Core.ConnectionPool.GetSessionAsync(MySqlConnection connection, Int64 startingTimestamp, Int32 timeoutMilliseconds, Activity activity, IOBehavior ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/Core/ConnectionPool.cs:line 144 at MySqlConnector.MySqlConnection.CreateSessionAsync(ConnectionPool pool, Int64 startingTimestamp, Activity activity, Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 919 at MySqlConnector.MySqlConnection.OpenAsync(Nullable`1 ioBehavior, CancellationToken cancellationToken) in /_/src/MySqlConnector/MySqlConnection.cs:line 419 at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.OpenInternalAsync(Boolean errorsExpected, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.OpenInternalAsync(Boolean errorsExpected, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.OpenAsync(CancellationToken cancellationToken, Boolean errorsExpected) at Pomelo.EntityFrameworkCore.MySql.Storage.Internal.MySqlRelationalConnection.OpenAsync(CancellationToken cancellationToken, Boolean errorsExpected) at Microsoft.EntityFrameworkCore.Storage.RelationalCommand.ExecuteReaderAsync(RelationalCommandParameterObject parameterObject, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable`1.AsyncEnumerator.InitializeReaderAsync(AsyncEnumerator enumerator, CancellationToken cancellationToken) at Pomelo.EntityFrameworkCore.MySql.Storage.Internal.MySqlExecutionStrategy.ExecuteAsync[TState,TResult](TState state, Func`4 operation, Func`4 verifySucceeded, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.Query.Internal.SplitQueryingEnumerable`1.AsyncEnumerator.MoveNextAsync() at Microsoft.EntityFrameworkCore.EntityFrameworkQueryableExtensions.ToListAsync[TSource](IQueryable`1 source, CancellationToken cancellationToken) at Microsoft.EntityFrameworkCore.EntityFrameworkQueryableExtensions.ToListAsync[TSource](IQueryable`1 source, CancellationToken cancellationToken) at Volo.Abp.Domain.Repositories.EntityFrameworkCore.EfCoreRepository`2.GetListAsync(Boolean includeDetails, CancellationToken cancellationToken) at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo) at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync() at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation) at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed) at Volo.Abp.PermissionManagement.DynamicPermissionDefinitionStore.UpdateInMemoryStoreCache() at Volo.Abp.PermissionManagement.DynamicPermissionDefinitionStore.EnsureCacheIsUptoDateAsync() at Volo.Abp.PermissionManagement.DynamicPermissionDefinitionStore.GetGroupsAsync() at Volo.Abp.PermissionManagement.AbpPermissionManagementDomainModule.PreCacheDynamicPermissionsAsync(PermissionManagementOptions options, IServiceScope scope) fail: Volo.Abp.PermissionManagement.AbpPermissionManagementDomainModule[0] ---------- Exception Data ---------- Server Error Code = 1049 SqlState = 42000There are more and you will get to see see in the logs, but the modules seeding is getting fired before the microservice migrations are being ran and that's causing the issue.
-
0
hi
There are no error logs in gateway applications.
But I can see that RabbitMQ can't access the
PSLWeb_dev3_SaasServicedatabase andPSLWeb_dev3_SaasService.AbpEventInboxtable.Is your
SaasServicedatabase migration successful?You can ensure all services have migrated the database correctly before logging in to Angular.
An error occurred using the connection to database 'PSLWeb_dev3_SaasService' on server 'cm1giqldc35kxj7.caxfhp14t2hx.us-west-2.rds.amazonaws.com'. fail: Volo.Abp.RabbitMQ.RabbitMqMessageConsumer[0] Unknown database 'PSLWeb_dev3_SaasService' MySqlConnector.MySqlException (0x80004005): U fail: Volo.Abp.RabbitMQ.RabbitMqMessageConsumer[0] Table 'PSLWeb_dev3_SaasService.AbpEventInbox' doesn't exist MySqlConnector.MySqlException (0x80004005): Table 'PSLWeb_dev3_SaasService.AbpEventInbox' doesn't exist -
0
An error occurred using the connection to database 'PSLWeb_dev3_SaasService' on server 'cm1giqldc35kxj7.caxfhp14t2hx.us-west-2.rds.amazonaws.com'. fail: Volo.Abp.RabbitMQ.RabbitMqMessageConsumer[0]
Hi,
We see all the databases have been migrated properly but still AbpPermissionGroups and AbpPermissions table are empty.. Is there any order in which services needs to starts?
-
0
@maiiming whats the next steps ? This issue has been opened since 8 days and constant back and forth has been happening but we are unable to come to any conclusive reason. I have already shared the code in the past and bunch of logs. Please escalate this issue to the next level as we are looking for a solution as soon as possible.
-
0
Hi @castcrewit, @sgarad,
First of all, if there is a CORS origin error, it isn't related to a data seeding problem. You should add the requested URLs to the App/CorsOrigins section for the relevant microservice, gateway, or auth server applications. CORS origin errors are only caused by browser requests, which means if you don't (and shouldn't, by the way) access the microservice applications directly, you don't need to edit the CORS settings for the microservices.
Microservice applications have a different nature than monolithic or tiered applications, which means there might be race condition problems during the startup process of each microservice.
The Administration microservice provides infrastructural tables such as AbpPermissionGrants, AbpSettings, AbpFeatureValues, etc.
We can separate infrastructural tables into two groups:- Storing definitions for microservices: When you define a permission, setting, or feature in development process, it stores the definition in the related table (AbpFeatureGroups, AbpFeatures, AbpPermissionGroups, AbpPermissions, AbpSettingDefinitions).
- Storing data for users, tenants, etc.: For example, when you create a role and edit its permissions, this data is stored in AbpPermissionGrants (AbpFeatures, AbpPermissionGrants, AbpSettings).
When you deploy microservices to a cluster, each microservice starts separately and tries to insert its definitions (for Permission, Feature, Setting) into the related table. However, if the Administration microservice hasn't migrated its database yet, there may be some errors in the logs for other microservices because they can't find the Administration database at that moment. This isn't a problem because there is a retry mechanism for this process. For example, you can refer to the AbpPermissionManagementDomainModule.
Storing definitions process not using DistributedEventBus system so if there is a error it shouldn't related with the RabbitMQ. If AbpPermissionGroups and AbpPermissions tables are empty there might be following problems;
- The distributed lock is not configured properly or couldn't connect to Redis. When the StaticPermissionSaver tries to save, it locks the saving process for other microservices. The microservice template already configures the distributed lock; you can search for the ConfigureDistributedLock method.
- PermissionManagementOptions.SaveStaticPermissionsToDatabase was set to false manually. Since the default is true, it already saves automatically.
Last but not least, if you define a permission for a microservice and the administration microservice is already running, you will need to manually assign the related permission to the admin role. This is because only the AdministrationServiceDataSeeder seeds permissions for admin roles. However, when the Administration microservice starts, the permission for the related microservice may not be defined yet.
-
0
Thank You @ahmedtfarukulu. This is the kind of explanation I was looking for and upon reading we cleared the Redis and it solved the problem. I never knew there was any dependency on Redis Cache for Data Seeding as its just a cache so never thought Redis would introduce issues like this. However we were able to solve it and we are now able to access everything.
BUT then we ran across another issue related to Impersonating to a Tenant using Login With this Tenant. We literally scratched our heads as all permissions were set up correctly as well as the Grants. It consistently complained that permission was missing . We then came across this document and tried to implement what's been referred here : https://abp.io/docs/commercial/8.1/modules/account/impersonation
Then we were able to make it work. But the documentation says its enabled by default above 5.0 which is not correct as we had to change the code.
Now we are running into another issue and below is the screenshot which is self explanatory :
Can you please help us identifying or letting us know what needs to be changed. Why its appearing to be a text box, it should rather show a list of users as this tenant has 2 users
-
0
hi castcrewit
Does it work if you click the
Leave?And I think this is an angular page, right?
-
0
Yes it works when we leave the page..and yes it's an angular code. However the question here is what's the expected behaviour in terms of when there are multiple uses in the tenant should there be a grid to select from like AspnetZero or do someone has to enter the user name.
And what can we do to prevent this pop up.
Thank you in advance for all your help.
-
0
Also is there an explanation why the code is not there to begin with.
-
0
hi
And what can we do to prevent this pop up.
I will ask our angular team.
do someone has to enter the user name.
Yes, To avoid enumerating all users in the system, we need to input the username manually.
which is not correct as we had to change the code.
What code do you have to change? Is this it? https://abp.io/docs/commercial/8.1/modules/account/impersonation#angular
Maybe we miss some code in the new template.
-
0
I will consult the team and post the code here. Waiting for your response from the Angular team.
-
0
We added this :
using Volo.Abp.Account.Public.Web.Impersonation; using Volo.Saas.Host; typeof(AbpAccountPublicWebImpersonationModule), typeof(SaasHostApplicationContractsModule) public override void ConfigureServices(ServiceConfigurationContext context) { context.Services.Configure<AbpAccountOptions>(options => { //For impersonation in Saas module options.TenantAdminUserName = "admin"; options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation; //For impersonation in Identity module options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation; }); }Rest all were there . We had to add the dependencies
-
0
Hello, thank you for reporting this problem of extra alert, and it will be fixed with the next patch release. You can follow the releases through this page.
