Open Closed

After migrating to v8 (and OpenID), i get unknown client error when logging in. How to proceed debugging? #7886


User avatar
0
ArneV created
  • ABP Framework version: v8.2.2
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
  • Exception message and full stack trace:
Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[09:35:56 DBG] Start authorize request
[09:35:56 DBG] No user present in authorize request
[09:35:56 DBG] Start authorize request protocol validation
[09:35:56 ERR] Unknown client or not enabled: PartnerPortal_App
{"ClientId": null, "ClientName": null, "RedirectUri": null, "AllowedRedirectUris": null, "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "client_id": "PartnerPortal_App", "state": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "redirect_uri": "http://localhost:4200", "scope": "offline_access openid profile role email phone PartnerPortal", "code_challenge": "9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8", "code_challenge_method": "S256", "nonce": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "culture": "en", "ui-culture": "en", "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"}, "$type": "AuthorizeRequestValidationLog"}
[09:35:56 ERR] Request validation failed
[09:35:56 INF] {"ClientId": null, "ClientName": null, "RedirectUri": null, "AllowedRedirectUris": null, "SubjectId": "anonymous", "ResponseType": null, "ResponseMode": null, "GrantType": null, "RequestedScopes": "", "State": null, "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": null, "Raw": {"response_type": "code", "client_id": "PartnerPortal_App", "state": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "redirect_uri": "http://localhost:4200", "scope": "offline_access openid profile role email phone PartnerPortal", "code_challenge": "9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8", "code_challenge_method": "S256", "nonce": "dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh", "culture": "en", "ui-culture": "en", "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"}, "$type": "AuthorizeRequestValidationLog"}
[09:35:56 INF] {"ClientId": "PartnerPortal_App", "ClientName": null, "RedirectUri": null, "Endpoint": "Authorize", "SubjectId": null, "Scopes": "", "GrantType": null, "Error": "unauthorized_client", "ErrorDescription": "Unknown client or client not enabled", "Category": "Token", "Name": "Token Issued Failure", "EventType": "Failure", "Id": 2001, "Message": null, "ActivityId": "0HN6IVL4KETP2:00000001", "TimeStamp": "2024-09-12T07:35:56.0000000Z", "ProcessId": 13528, "LocalIpAddress": "::1:44385", "RemoteIpAddress": "::1", "$type": "TokenIssuedFailureEvent"}
[09:35:56 INF] The response could not be cached for this request.
[09:35:56 INF] Request finished HTTP/2 GET https://localhost:44385/connect/authorize?response_type=code&client_id=PartnerPortal_App&state=dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh&redirect_uri=http%3A%2F%2Flocalhost%3A4200&scope=offline_access%20openid%20profile%20role%20email%20phone%20PartnerPortal&code_challenge=9UgsS7QtePtvo10d2NkPR2yEsuJLVMdMfYrFmj5JvV8&code_challenge_method=S256&nonce=dS5jYy0xNGZBenBVNk9RZkZaLURqa35ubVkzMXVlSVdlX2FnSXRJdXFoNWlh&culture=en&ui-culture=en&selectedTenantId=7a50f0a8-38e8-0807-55b4-3a040dbaffd1 - 302 0 null 168.9828ms
[09:35:56 INF] Request starting HTTP/2 GET https://localhost:44385/Account/Error?errorId=CfDJ8IfPL4gEj_lBlyYCXb43SqCQlGHbLin3iWrDERZZZMPJXGXDBNB-bwtAJHEUnE242e8WY60fcVCIASDxpBEYeN0k13jJ1H9mNSImPVBZPxGi7pxqhtvS3hp8vg7b4gaNmgpnFDaHA1ooJcMlLiGutarupbmMy109a971491ckIYvI5X9rVQoizC3tdkyK133SyrHal7oPArA8y-dwRcUEinnzXAtK_C0_nxjb2c5qRprPOIsm_JDk8v-Asl9_5KT_CTyQ4Y54LqtBE_m6gFkd-z2rjqg6L9As9rfnk-i9y9vNnRDNXwn9eHonuzxcsGxjIbLad4kczs1k1fjqjQbHZ_Fb1OW8f3jCnu-hDw4wsH4oJpVGXP2Er0ULCyUq1PXcA - null null
[09:35:56 INF] No cached response available for this request.
[09:35:56 INF] Executing endpoint 'Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)'
[09:35:56 INF] Route matched with {area = "account", action = "Index", controller = "Error", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Index(System.String) on controller Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController (Volo.Abp.Account.Pro.Public.Web.IdentityServer).
[09:35:56 INF] Executing action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer) - Validation state: Valid
[09:35:56 INF] Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer), returned result Microsoft.AspNetCore.Mvc.ViewResult in 5.1196ms.
[09:35:56 INF] Executing ViewResult, running view ~/Views/Error/500.cshtml.
  • Steps to reproduce the issue:

Start host, start angular, go to localhost:4200/loginmethod, select tenant, click sign in.


10 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Your app is still using the IdentityServer

    Please make sure you have depends on the correct modules.

    https://abp.io/docs/latest/release-info/migration-guides/openiddict-step-by-step?_redirected=B8ABF606AA1BDF5C629883DF1061649A

    Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
    [09:35:56 DBG] Start authorize request
    
    
    Executed action method Volo.Abp.Account.Web.Areas.Account.Controllers.ErrorController.Index (Volo.Abp.Account.Pro.Public.Web.IdentityServer)
    
  • User Avatar
    0
    ArneV created

    I have followed the commercial openiddict step by step migration guide (moving from IdentityServer to OpenIddict), as well as the angular part (which was just adding a trailing slash and an additional scope in the environment.ts file if I'm not mistaken). I did use the 8.2.2 versions of the packages.

    I now receive this error in the browser after logging in.

    error:invalid_scope
    error_description:The specified 'scope' is invalid.
    error_uri:https://documentation.openiddict.com/errors/ID2052
    

    HttpApi.Host logs:

    
    [15:41:20 INF] The request URI matched a server endpoint: Authorization.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+InferEndpointType.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by Volo.Abp.Account.Web.Pages.Account.OpenIddictImpersonateInferEndpointType.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ValidateHostHeader.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ExtractAuthorizationRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ExtractGetOrPostRequest`1[[OpenIddict.Server.OpenIddictServerEvents+ExtractAuthorizationRequestContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
    [15:41:20 INF] The authorization request was successfully extracted: {
      "response_type": "code",
      "client_id": "PartnerPortal_App",
      "state": "fn5JeHpuN1Q4c2tLVWt2Yn51UnZTcGRvZEJzZWJCekpVZkI1Z0E1dE5XYUlW",
      "redirect_uri": "http://localhost:4200",
      "scope": "offline_access openid profile role email phone PartnerPortal",
      "code_challenge": "CfsYjxje98KAV6DELm4BsKByagBqTSzjrJnIpXAEBJQ",
      "code_challenge_method": "S256",
      "nonce": "fn5JeHpuN1Q4c2tLVWt2Yn51UnZTcGRvZEJzZWJCekpVZkI1Z0E1dE5XYUlW",
      "culture": "en",
      "ui-culture": "en",
      "selectedTenantId": "7a50f0a8-38e8-0807-55b4-3a040dbaffd1"
    }.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ExtractAuthorizationRequest.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRequestParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRequestUriParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateClientIdParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateRedirectUriParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseTypeParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseModeParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopeParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateNonceParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidatePromptParameter.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateProofKeyForCodeExchangeParameters.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateAuthenticationDemand.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+EvaluateValidatedTokens.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ResolveValidatedTokens.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateRequiredTokens.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateClientId.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateClientType.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ValidateIdentityToken.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ResolveHostAuthenticationProperties.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessAuthenticationContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+ReformatValidatedTokens.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthentication.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateResponseType.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateClientRedirectUri.
    [15:41:20 INF] The authentication request was rejected because invalid scopes were specified: ["role"].
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopes.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ValidateAuthorizationRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateScopes.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was marked as rejected by OpenIddict.Server.OpenIddictServerHandlers+Authentication+ValidateAuthorizationRequest.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachErrorParameters.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+AttachCustomErrorParameters.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachRedirectUri.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+InferResponseMode.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachResponseState.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Authentication+AttachIssuer.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFormPostResponse.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessQueryResponse.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+Authentication+ProcessFragmentResponse.
    [15:41:20 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessStatusCodePagesErrorResponse`1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
    [15:41:20 INF] The response was successfully returned as a plain-text document: {
      "error": "invalid_scope",
      "error_description": "The specified 'scope' is invalid.",
      "error_uri": "https://documentation.openiddict.com/errors/ID2052"
    }.
    

    environment ts file:

     oAuthConfig: {
        issuer: 'https://localhost:44385/',
        redirectUri: baseUrl,
        clientId: 'PartnerPortal_App',
        responseType: 'code',
        scope: 'offline_access openid profile role email phone PartnerPortal',
        requireHttps: true
      },
    
  • User Avatar
    0
    ArneV created

    Thanks maliming for pointing me back in the right direction.

    I am currently continuing to debug my migrated project.

    We have a landing page where we select a tenant, and then we redirect to the localhost:44385/Account/Login page.

    Even though there is a "selectedTenant" query parameter, the tenant is not selected.

    https://localhost:44385/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fresponse_type%3Dcode%26client_id%3DPartnerPortal_App%26state%3DTEhmVEhYSG9sWjItV3VrRGd4b0M5dHRwOHBTdGYwRlFvWXZPRlJtNnNPZFFC%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%253A4200%26scope%3Doffline_access%2520openid%2520profile%2520email%2520phone%2520PartnerPortal%26code_challenge%3D41hJzeacuRZcj0DOHNxFG_HW4pzZqQbpTfXL4ntrq3k%26code_challenge_method%3DS256%26nonce%3DTEhmVEhYSG9sWjItV3VrRGd4b0M5dHRwOHBTdGYwRlFvWXZPRlJtNnNPZFFC%26culture%3Den%26ui-culture%3Den%26selectedTenantId%3D7a50f0a8-38e8-0807-55b4-3a040dbaffd1

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The authentication request was rejected because invalid scopes were specified: ["role"].

    The scope for the role is roles.

    scope: 'offline_access openid profile roles email phone PartnerPortal',

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Even though there is a "selectedTenant" query parameter, the tenant is not selected.

    You can add a new tenant resolver to get tenant from ReturnUrl

    https://abp.io/docs/latest/framework/architecture/multi-tenancy?_redirected=B8ABF606AA1BDF5C629883DF1061649A#default-tenant-resolvers

  • User Avatar
    0
    ArneV created

    The documentation you provided states that the QueryStringTenantResolveContributor is provided and configured by default.

    I have included the login page url earlier, but the selectedTenantId query parameter is url encoded in the "returnUrl" query parameter for the login page.

    Is there some authentication flow step I am missing where the tenant could be set on that login page? I would expect the selectedTenantId to be transitive.

  • User Avatar
    0
    ArneV created

    I have updated the query parameter to be the default __tenant.

    Now i get this error:

    The ActivationState for that tenant is 1 (ActiveWithLimitedTime), and the ActivationEndDate is null.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    ActivationEndDate should have a value and >= Clock.Now

    public enum TenantActivationState : byte
    {
        Active = 0,
    
        ActiveWithLimitedTime = 1,
    
        Passive = 2
    }
    
    
    public virtual Task<bool> IsActiveAsync(Tenant tenant)
    {
        return Task.FromResult(tenant.ActivationState switch
        {
            TenantActivationState.Active => true,
            TenantActivationState.Passive => false,
            TenantActivationState.ActiveWithLimitedTime => tenant.ActivationEndDate >= Clock.Now,
            _ => false
        });
    }```
    
  • User Avatar
    0
    ArneV created

    I updated the TenantActivationState to Active, yet I still receive the same error.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Clear the Redis.

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11