Open Closed

OpenIdConnectProtocolException after upgrading to ABP v8.3.0 #7953


User avatar
0
tech37 created
  • ABP Framework version: v8.3.0
  • UI Type: Blazor Server
  • Database System: EF Core (SQL Server)
    • Tiered (for MVC) or Auth Server Separated (for Angular): Yes
  • Exception message and full stack trace:

OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'SessionExpired', error_uri: 'error_uri is null'. Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)

AuthenticationFailureException: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

  • Steps to reproduce the issue:

Hi I upgraded my project to the last ABP framework (v8.3.0)

There was a compilation error in which I needed to add the following to my DbContext: public DbSet<IdentitySession> Sessions { get; set; }

I then attempted to run the solution again and go the following post logging in:

Debug log below:

[22:53:04 INF] Request finished HTTP/2 POST https://localhost:44382/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DPekkishPOS_BlazorServerTiered%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44370%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520PekkishPOS%26response_mode%3Dform_post%26nonce%3D638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj%26state%3DCfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3%26x-client-SKU%3DID_NET8_0%26x-client-ver%3D7.5.1.0 - 302 0 null 10288.7018ms [22:53:04 INF] Request starting HTTP/2 GET https://localhost:44382/connect/authorize?client_id=PekkishPOS_BlazorServerTiered&redirect_uri=https%3A%2F%2Flocalhost%3A44370%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20PekkishPOS&response_mode=form_post&nonce=638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj&state=CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0 - null null

[2OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:53:58 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:53:58 INF] The authorization response was successfully returned to 'https://localhost:44370/signin-oidc' using the form post response mode: { "code": "[redacted]", "id_token": "[redacted]", "state": "CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3", "iss": "https://localhost:44382/" }. 1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachWwwAuthenticateHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by Volo.Abp.Account.Web.ExtensionGrants.LinkLoginExtensionGrantProcessJsonResponse. [22:54:00 INF] The response was successfully returned as a JSON document: { "error": "invalid_grant", "error_description": "SessionExpired" }. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was marked as handled by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Exchange+ApplyTokenResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was marked as handled by OpenIddict.Server.OpenIddictServerHandlers+Exchange+ApplyTokenResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 INF] Request finished HTTP/1.1 POST https://localhost:44382/connect/token - 400 74 application/json;charset=UTF-8 1465.9255ms [22:54:00 WRN] The operation was canceled. System.OperationCanceledException: The operation was canceled. at System.Threading.CancellationToken.ThrowOperationCanceledException() at System.Threading.CancellationToken.ThrowIfCancellationRequested() at Volo.Abp.Caching.StackExchangeRedis.AbpRedisCache.SetManyAsync(IEnumerable1 items, DistributedCacheEntryOptions options, CancellationToken token) at Volo.Abp.Caching.DistributedCache2.<>c__DisplayClass54_0.<<SetManyAsync>g__SetRealCache|0>d.MoveNext() [22:54:00 INF] Request finished HTTP/2 GET https://localhost:44382/connect/authorize?client_id=PekkishPOS_BlazorServerTiered&redirect_uri=https%3A%2F%2Flocalhost%3A44370%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20PekkishPOS&response_mode=form_post&nonce=638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj&state=CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0 - 200 null text/html;charset=UTF-8 56699.6435ms [22:56:39 INF] Application is shutting down... [22:56:39 DBG] Stopped background worker: Volo.Abp.Identity.Session.IdentitySessionCleanupBackgroundWorker [22:56:39 DBG] Stopped background worker: Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker


17 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi

    ABP will set the sessionid to claims, cache and database.

    There are a lot of log messages; can you see them in log files?

  • User Avatar
    0
    tech37 created

    Hi

    Thank you for your response. I do see the following in the AuthServer logs:

    2024-09-23 10:21:46.065 +02:00 [DBG] Get SessionId(878aac30-416e-48db-a4de-c425a6ef793f) from IdentitySessionManager. 2024-09-23 10:21:47.448 +02:00 [WRN] Could not find SessionId(878aac30-416e-48db-a4de-c425a6ef793f) in the database.

    However if I look in the AbpSessions table in the database I do find a record for the session Id in questions (878aac30-416e-48db-a4de-c425a6ef793f)

    I hope this helps in resolving the issue.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can override the IdentitySessionManager to debug it step by step.

    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(IdentitySessionManager))]
    public class MyIdentitySessionManager : IdentitySessionManager
    {
        public MyIdentitySessionManager(IIdentitySessionRepository identitySessionRepository, ICurrentUser currentUser, IDistributedCache<IdentitySessionCacheItem> cache, ISettingProvider settingProvider, IdentityDynamicClaimsPrincipalContributorCache identityDynamicClaimsPrincipalContributorCache) : base(identitySessionRepository, currentUser, cache, settingProvider, identityDynamicClaimsPrincipalContributorCache)
        {
        }
        
        public override async Task<IdentitySession> FindAsync(Guid id)
        {
            return await UpdateSessionFromCacheAsync(await IdentitySessionRepository.FindAsync(id));
        }
    
        public override async Task<IdentitySession> FindAsync(string sessionId)
        {
            return await UpdateSessionFromCacheAsync(await IdentitySessionRepository.FindAsync(sessionId));
        }
        
        protected override async Task<IdentitySession> UpdateSessionFromCacheAsync([CanBeNull] IdentitySession session)
        {
            if (session == null)
            {
                return null;
            }
    
            var sessionCacheItem = await Cache.GetAsync(session.SessionId);
            if (sessionCacheItem != null && await UpdateSessionFromCacheAsync(session, sessionCacheItem))
            {
                await IdentitySessionRepository.UpdateAsync(session);
            }
    
            return session;
        }
    
        protected override Task<bool> UpdateSessionFromCacheAsync(IdentitySession session, IdentitySessionCacheItem sessionCacheItem)
        {
            if (session == null)
            {
                return Task.FromResult(false);
            }
    
            if (sessionCacheItem == null)
            {
                return Task.FromResult(false);
            }
    
            var changed = false;
            if (sessionCacheItem.CacheLastAccessed != null && (session.LastAccessed == null || sessionCacheItem.CacheLastAccessed > session.LastAccessed))
            {
                session.UpdateLastAccessedTime(sessionCacheItem.CacheLastAccessed);
                changed = true;
            }
    
            if (!sessionCacheItem.IpAddress.IsNullOrWhiteSpace())
            {
                var ipAddresses = session.GetIpAddresses().ToList();
                ipAddresses.RemoveAll(x => x == sessionCacheItem.IpAddress);
                ipAddresses.Add(sessionCacheItem.IpAddress);
                session.SetIpAddresses(ipAddresses);
                changed = true;
            }
    
            return Task.FromResult(changed);
        }
    }
    
  • User Avatar
    0
    tech37 created

    Hi thank you I tried that and my findings below:

    var sessionCacheItem = await Cache.GetAsync(session.SessionId); returns null

    when I force await IdentitySessionRepository.UpdateAsync(session); i get a websocket error as below

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi

    If session is not null, then the check will pass

  • User Avatar
    0
    tech37 created

    Update:

    I ran it again and saw this issue which if you continue the code continues to run

    The override class is invoked 3 times in the process and the 3rd time is the following:

    When the page changes to https://localhost:44370/signin-oidc it runs the override class again and the function protected override async Task<IdentitySession> UpdateSessionFromCacheAsync([CanBeNull] IdentitySession session) received a null value for session which causes the underlying issue

  • User Avatar
    0
    tech37 created

    Hi There.

    Just following up to see if you have any updates on the issue?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I just think there is something wrong with your project structure.

    For Auth Server Separated solution, the Blazor.Server project should not rely on Volo.Abp.Identity.Pro.Domain project.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Could you please share a minimal reproducible project with me? i will check it.

    shiwei.liang@volosoft.com

  • User Avatar
    0
    tech37 created

    Hi thank you. Can we do a quick google meet perhaps? my email address faldielb@gmail.com

  • User Avatar
    0
    tech37 created

    I dont have the same structure as you are showing. I have:

  • User Avatar
    0
    tech37 created

    These are the packages my blazor poject depend on:

  • User Avatar
    0
    tech37 created

    Hi Just an update my side. I did some more debugging

    The above code cannot find the session in questions ("3cb289a7-6c89-410f-bce1-884ea1641a49")

    But in the new AbpSessions table (created by v8.3.0) there is a record for that session in the table:

    I would like to sort this out today as I go on a 2 week holiday tomorrow

  • User Avatar
    0
    tech37 created

    Hi

    If I place the IdentitySessionRepository.FindAsync(sessionId) request in a while loop. The second time it runs it finds the session and the application loads on the home page. This is very strange!

  • User Avatar
    0
    tech37 created

    Hi, Just another update.

    Even though the homepage loads, none of the menu options are now available as they were before the upgrade to v8.3.0.

    I am logged in as admin and even the tenant admin menu options are not loading.

  • User Avatar
    0
    tech37 created

    I see these in the debug log which could be causing the issue.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Hi thank you. Can we do a quick google meet perhaps? my email address faldielb@gmail.com

    okay

Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11