After migrating to v8 (and OpenID), i get unknown client error when logging in. How to proceed debugging? #7886

ArneV created 9 months ago

ABP Framework version: v8.2.2
UI Type: Angular
Database System: EF Core (SQL Server)
Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
Exception message and full stack trace:

Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[09:35:56 DBG] Start authorize request
[09:35:56 DBG] No user present in authorize request
[09:35:56 DBG] Start authorize request protocol validation
[09:35:56 ERR] Unknown client or not enabled: PartnerPortal_App
{"ClientId": null, "ClientName": null, "RedirectUri": null, "AllowedRedirectUris": null, "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "client_id": "PartnerPortal_App", "state": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "redirect_uri": "http://localhost:4200", "scope": "offline_access openid profile role email phone PartnerPortal", "code_challenge": "9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8", "code_challenge_method": "S256", "nonce": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "culture": "en", "ui-culture": "en", "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"}, "$type": "AuthorizeRequestValidationLog"}
[09:35:56 ERR] Request validation failed
[09:35:56 INF] {"ClientId": null, "ClientName": null, "RedirectUri": null, "AllowedRedirectUris": null, "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "client_id": "PartnerPortal_App", "state": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "redirect_uri": "http://localhost:4200", "scope": "offline_access openid profile role email phone PartnerPortal", "code_challenge": "9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8", "code_challenge_method": "S256", "nonce": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "culture": "en", "ui-culture": "en", "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"}, "$type": "AuthorizeRequestValidationLog"}
[09:35:56 INF] {"ClientId": "PartnerPortal_App", "ClientName": null, "RedirectUri": null, "Endpoint": "Authorize", "SubjectId": null, "Scopes": "", "GrantType": null, "Error": "unauthorized_client", "ErrorDescription": "Unknown client or client not enabled", "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HN6IVL4KETP2:00000001", "TimeStamp": "2024-09-12T07:35:56.0000000Z", "ProcessId": 13528, "LocalIpAddress": "::1:44385", "RemoteIpAddress": "::1", "$type": "TokenIssuedFailureEvent"}
[09:35:56 INF] The response could not be cached for this request.
[09:35:56 INF] Request finished HTTP/2 GET https://localhost:44385/connect/authorize?response_type=code&client_id=PartnerPortal_App&state=dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh&redirect_uri=http%3A%2F%2Flocalhost%3A4200&scope=offline_access%20openid%20profile%20role%20email%20phone%20PartnerPortal&code_challenge=9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8&code_challenge_method=S256&nonce=dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh&culture=en&ui-culture=en&selectedTenantId=7a50f0a8-38e8-0807-55b4-3a040dbaffd1 - 302 0 null 168.9828ms
[09:35:56 INF] Request starting HTTP/2 GET https://localhost:44385/Account/Error?errorId=CfDJ8IfPL4gEj_lBlyYCXb43SqCQlGHbLin3iWrDERZZZMPJXGXDBNB-bwtAJHEUnE242e8WY60fcVCIASDxpBEYeN0k13jJ1H9mNSImPVBZPxGi7pxqhtvS3hp8vg7b4gaNmgpnFDaHA1ooJcMlLiGutarupbmMy109a971491ckIYvI5X9rVQoizC3tdkyK133SyrHal7oPArA8y-dwRcUEinnzXAtK_C0_nxjb2c5qRprPOIsm_JDk8v-Asl9_5KT_CTyQ4Y54LqtBE_m6gFkd-z2rjqg6L9As9rfnk-i9y9vNnRDNXwn9eHonuzxcsGxjIbLad4kczs1k1fjqjQbHZ_Fb1OW8f3jCnu-hDw4wsH4oJpVGXP2Er0ULCyUq1PXcA - null null
[09:35:56 INF] No cached response available for this request.
[09:35:56 INF] Executing endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
[09:35:56 INF] Route matched with {area = "account", action = "Index", controller = "Error", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Index(System.String) on controller Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController (Volo.Abp.Account.Pro.Public.Web.IdentityServer).
[09:35:56 INF] Executing action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) - Validation state: Valid
[09:35:56 INF] Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer), returned result Microsoft.AspNetCore.Mvc.ViewResult in 5.1196ms.
[09:35:56 INF] Executing ViewResult, running view ~/Views/Error/500.cshtml.

Steps to reproduce the issue:

Start host, start angular, go to localhost:4200/loginmethod, select tenant, click sign in.

maliming created 9 months ago

Support Team Fullstack Developer

Your app is still using the IdentityServer

Please make sure you have depends on the correct modules.

https://abp.io/docs/latest/release-info/migration-guides/openiddict-step-by-step?_redirected=B8ABF606AA1BDF5C629883DF1061649A

Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[09:35:56 DBG] Start authorize request


Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)

ArneV created 9 months ago

I have followed the commercial openiddict step by step migration guide (moving from IdentityServer to OpenIddict), as well as the angular part (which was just adding a trailing slash and an additional scope in the environment.ts file if I'm not mistaken). I did use the 8.2.2 versions of the packages.

I now receive this error in the browser after logging in.

error:invalid_scope
error_description:The specified 'scope' is invalid.
error_uri:https://documentation.openiddict.com/errors/ID2052

HttpApi.Host logs:


[15:41:20 INF] The request URI matched a server endpoint: Authorization.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ExtractAuthorizationRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ExtractGetOrPostRequest`1[[OpenIddict.Server.OpenIddictServerEvents+ExtractAuthorizationRequestContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
[15:41:20 INF] The authorization request was successfully extracted: {
  "response_type": "code",
  "client_id": "PartnerPortal_App",
  "state": "fn5JeHpuN1Q4c2tLVWt2Yn51UnZTcGRvZEJzZWJCekpVZkI1Z0E1dE5XYUlW",
  "redirect_uri": "http://localhost:4200",
  "scope": "offline_access openid profile role email phone PartnerPortal",
  "code_challenge": "CfsYjxje98KAV6DELm4BsKByagBqTSzjrJnIpXAEBJQ",
  "code_challenge_method": "S256",
  "nonce": "fn5JeHpuN1Q4c2tLVWt2Yn51UnZTcGRvZEJzZWJCekpVZkI1Z0E1dE5XYUlW",
  "culture": "en",
  "ui-culture": "en",
  "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"
}.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ExtractAuthorizationRequest.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRequestParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRequestUriParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateClientIdParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRedirectUriParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseTypeParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseModeParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopeParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateNonceParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidatePromptParameter.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateProofKeyForCodeExchangeParameters.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateAuthenticationDemand.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+EvaluateValidatedTokens.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ResolveValidatedTokens.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateRequiredTokens.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateClientId.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateClientType.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateIdentityToken.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ResolveHostAuthenticationProperties.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ReformatValidatedTokens.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthentication.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseType.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateClientRedirectUri.
[15:41:20 INF] The authentication request was rejected because invalid scopes were specified: ["role"].
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopes.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopes.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachRedirectUri.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+InferResponseMode.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachResponseState.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachIssuer.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFormPostResponse.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessQueryResponse.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFragmentResponse.
[15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessStatusCodePagesErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
[15:41:20 INF] The response was successfully returned as a plain-text document: {
  "error": "invalid_scope",
  "error_description": "The specified 'scope' is invalid.",
  "error_uri": "https://documentation.openiddict.com/errors/ID2052"
}.

environment ts file:

 oAuthConfig: {
    issuer: 'https://localhost:44385/',
    redirectUri: baseUrl,
    clientId: 'PartnerPortal_App',
    responseType: 'code',
    scope: 'offline_access openid profile role email phone PartnerPortal',
    requireHttps: true
  },

ArneV created 9 months ago

Thanks maliming for pointing me back in the right direction.

I am currently continuing to debug my migrated project.

We have a landing page where we select a tenant, and then we redirect to the localhost:44385/Account/Login page.

Even though there is a "selectedTenant" query parameter, the tenant is not selected.

https://localhost:44385/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DPartnerPortal_App%26state%3DTEhmVEhYSG9sWjItV3VrRGd4b0M5dHRwOHBTdGYwRlFvWXZPRlJtNnNPZFFC%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Doffline_access%2520openid%2520profile%2520email%2520phone%2520PartnerPortal%26code_challenge%3D41hJzeacuRZcj0DOHNxFG_HW4pzZqQbpTfXL4ntrq3k%26code_challenge_method%3DS256%26nonce%3DTEhmVEhYSG9sWjItV3VrRGd4b0M5dHRwOHBTdGYwRlFvWXZPRlJtNnNPZFFC%26culture%3Den%26ui-culture%3Den%26selectedTenantId%3D7a50f0a8-38e8-0807-55b4-3a040dbaffd1

maliming created 9 months ago

Support Team Fullstack Developer

The authentication request was rejected because invalid scopes were specified: ["role"].

The scope for the role is roles.

scope: 'offline_access openid profile roles email phone PartnerPortal',

maliming created 9 months ago

Support Team Fullstack Developer

Even though there is a "selectedTenant" query parameter, the tenant is not selected.

You can add a new tenant resolver to get tenant from ReturnUrl

https://abp.io/docs/latest/framework/architecture/multi-tenancy?_redirected=B8ABF606AA1BDF5C629883DF1061649A#default-tenant-resolvers

ArneV created 9 months ago

The documentation you provided states that the QueryStringTenantResolveContributor is provided and configured by default.

I have included the login page url earlier, but the selectedTenantId query parameter is url encoded in the "returnUrl" query parameter for the login page.

Is there some authentication flow step I am missing where the tenant could be set on that login page? I would expect the selectedTenantId to be transitive.

ArneV created 9 months ago

I have updated the query parameter to be the default __tenant.

Now i get this error:

The ActivationState for that tenant is 1 (ActiveWithLimitedTime), and the ActivationEndDate is null.

maliming created 9 months ago

Support Team Fullstack Developer

ActivationEndDate should have a value and >= Clock.Now

public enum TenantActivationState : byte
{
    Active = 0,

    ActiveWithLimitedTime = 1,

    Passive = 2
}


public virtual Task<bool> IsActiveAsync(Tenant tenant)
{
    return Task.FromResult(tenant.ActivationState switch
    {
        TenantActivationState.Active => true,
        TenantActivationState.Passive => false,
        TenantActivationState.ActiveWithLimitedTime => tenant.ActivationEndDate >= Clock.Now,
        _ => false
    });
}```