OpenIdConnectProtocolException after upgrading to ABP v8.3.0 #7953 | Support

tech37 created 2 months ago

ABP Framework version: v8.3.0
UI Type: Blazor Server
Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): Yes
Exception message and full stack trace:

OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'SessionExpired', error_uri: 'error_uri is null'. Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)

AuthenticationFailureException: An error was encountered while handling the remote login. Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler<TOptions>.HandleRequestAsync()

Steps to reproduce the issue:

Hi I upgraded my project to the last ABP framework (v8.3.0)

There was a compilation error in which I needed to add the following to my DbContext: public DbSet<IdentitySession> Sessions { get; set; }

I then attempted to run the solution again and go the following post logging in:

Debug log below:

[22:53:04 INF] Request finished HTTP/2 POST https://localhost:44382/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DPekkishPOS_BlazorServerTiered%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%253A44370%252Fsignin-oidc%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520PekkishPOS%26response_mode%3Dform_post%26nonce%3D638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj%26state%3DCfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3%26x-client-SKU%3DID_NET8_0%26x-client-ver%3D7.5.1.0 - 302 0 null 10288.7018ms [22:53:04 INF] Request starting HTTP/2 GET https://localhost:44382/connect/authorize?client_id=PekkishPOS_BlazorServerTiered&redirect_uri=https%3A%2F%2Flocalhost%3A44370%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20PekkishPOS&response_mode=form_post&nonce=638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj&state=CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0 - null null

[2OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachHttpResponseCode1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:53:58 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyAuthorizationResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:53:58 INF] The authorization response was successfully returned to 'https://localhost:44370/signin-oidc' using the form post response mode: { "code": "[redacted]", "id_token": "[redacted]", "state": "CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3", "iss": "https://localhost:44382/" }. 1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachCacheControlHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+AttachWwwAuthenticateHeader1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by Volo.Abp.Account.Web.ExtensionGrants.LinkLoginExtensionGrantProcessJsonResponse. [22:54:00 INF] The response was successfully returned as a JSON document: { "error": "invalid_grant", "error_description": "SessionExpired" }. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext was marked as handled by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ProcessJsonResponse1[[OpenIddict.Server.OpenIddictServerEvents+ApplyTokenResponseContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Exchange+ApplyTokenResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext was marked as handled by OpenIddict.Server.OpenIddictServerHandlers+Exchange+ApplyTokenResponse1[[OpenIddict.Server.OpenIddictServerEvents+ProcessErrorContext, OpenIddict.Server, Version=5.5.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]]. [22:54:00 INF] Request finished HTTP/1.1 POST https://localhost:44382/connect/token - 400 74 application/json;charset=UTF-8 1465.9255ms [22:54:00 WRN] The operation was canceled. System.OperationCanceledException: The operation was canceled. at System.Threading.CancellationToken.ThrowOperationCanceledException() at System.Threading.CancellationToken.ThrowIfCancellationRequested() at Volo.Abp.Caching.StackExchangeRedis.AbpRedisCache.SetManyAsync(IEnumerable1 items, DistributedCacheEntryOptions options, CancellationToken token) at Volo.Abp.Caching.DistributedCache2.<>c__DisplayClass54_0.<<SetManyAsync>g__SetRealCache|0>d.MoveNext() [22:54:00 INF] Request finished HTTP/2 GET https://localhost:44382/connect/authorize?client_id=PekkishPOS_BlazorServerTiered&redirect_uri=https%3A%2F%2Flocalhost%3A44370%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20PekkishPOS&response_mode=form_post&nonce=638625486411992936.Yzc2NWViY2EtOWNkOS00NWJhLTkwYWUtNzU3NDQ5MjBlZTViNzhhM2Y4N2MtNzE3MS00NjMxLTkwYTUtZDllNDhkYzcxMTdj&state=CfDJ8BAQRgbFZOhKvnVuRTbVeaRCJBwfd-tIq56xB0og-OgpLwCJuL8tQa-dsroNzzABDQKY8NgBzJgG8Ho0dYhAnRY41qlSNPm54l521OhRfC3VkmiWcVJei1tNeT0nCMBxD_3Tq9aXPa02r_KD-KZP1L2FBGdbu9KLmheIMfhizDned5D8O2-WRoh9u7OcwjoPNsXv-oOfUP_2uYYQgU8j9ZE6uM1Dlo-G58VAvc0pMkADc4uaebW7ZW4ZgLVuQZZ9NvYmr7G5l7kgGHeEWe7wA_xblG30zF1ohSJcQ98_qZO3&x-client-SKU=ID_NET8_0&x-client-ver=7.5.1.0 - 200 null text/html;charset=UTF-8 56699.6435ms [22:56:39 INF] Application is shutting down... [22:56:39 DBG] Stopped background worker: Volo.Abp.Identity.Session.IdentitySessionCleanupBackgroundWorker [22:56:39 DBG] Stopped background worker: Volo.Abp.OpenIddict.Tokens.TokenCleanupBackgroundWorker

17 Answer(s)

0

liangshiwei created one month ago
Support Team Fullstack Developer

Hi

ABP will set the sessionid to claims, cache and database.

There are a lot of log messages; can you see them in log files?
0

tech37 created 2 months ago

Hi

Thank you for your response. I do see the following in the AuthServer logs:

2024-09-23 10:21:46.065 +02:00 [DBG] Get SessionId(878aac30-416e-48db-a4de-c425a6ef793f) from IdentitySessionManager. 2024-09-23 10:21:47.448 +02:00 [WRN] Could not find SessionId(878aac30-416e-48db-a4de-c425a6ef793f) in the database.

However if I look in the AbpSessions table in the database I do find a record for the session Id in questions (878aac30-416e-48db-a4de-c425a6ef793f)

I hope this helps in resolving the issue.

liangshiwei created 2 months ago

Support Team Fullstack Developer

Hi,

You can override the IdentitySessionManager to debug it step by step.

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IdentitySessionManager))]
public class MyIdentitySessionManager : IdentitySessionManager
{
    public MyIdentitySessionManager(IIdentitySessionRepository identitySessionRepository, ICurrentUser currentUser, IDistributedCache<IdentitySessionCacheItem> cache, ISettingProvider settingProvider, IdentityDynamicClaimsPrincipalContributorCache identityDynamicClaimsPrincipalContributorCache) : base(identitySessionRepository, currentUser, cache, settingProvider, identityDynamicClaimsPrincipalContributorCache)
    {
    }
    
    public override async Task<IdentitySession> FindAsync(Guid id)
    {
        return await UpdateSessionFromCacheAsync(await IdentitySessionRepository.FindAsync(id));
    }

    public override async Task<IdentitySession> FindAsync(string sessionId)
    {
        return await UpdateSessionFromCacheAsync(await IdentitySessionRepository.FindAsync(sessionId));
    }
    
    protected override async Task<IdentitySession> UpdateSessionFromCacheAsync([CanBeNull] IdentitySession session)
    {
        if (session == null)
        {
            return null;
        }

        var sessionCacheItem = await Cache.GetAsync(session.SessionId);
        if (sessionCacheItem != null && await UpdateSessionFromCacheAsync(session, sessionCacheItem))
        {
            await IdentitySessionRepository.UpdateAsync(session);
        }

        return session;
    }

    protected override Task<bool> UpdateSessionFromCacheAsync(IdentitySession session, IdentitySessionCacheItem sessionCacheItem)
    {
        if (session == null)
        {
            return Task.FromResult(false);
        }

        if (sessionCacheItem == null)
        {
            return Task.FromResult(false);
        }

        var changed = false;
        if (sessionCacheItem.CacheLastAccessed != null && (session.LastAccessed == null || sessionCacheItem.CacheLastAccessed > session.LastAccessed))
        {
            session.UpdateLastAccessedTime(sessionCacheItem.CacheLastAccessed);
            changed = true;
        }

        if (!sessionCacheItem.IpAddress.IsNullOrWhiteSpace())
        {
            var ipAddresses = session.GetIpAddresses().ToList();
            ipAddresses.RemoveAll(x => x == sessionCacheItem.IpAddress);
            ipAddresses.Add(sessionCacheItem.IpAddress);
            session.SetIpAddresses(ipAddresses);
            changed = true;
        }

        return Task.FromResult(changed);
    }
}

0

tech37 created 2 months ago

Hi thank you I tried that and my findings below:

var sessionCacheItem = await Cache.GetAsync(session.SessionId); returns null

when I force await IdentitySessionRepository.UpdateAsync(session); i get a websocket error as below
0

liangshiwei created 2 months ago
Support Team Fullstack Developer

Hi

If session is not null, then the check will pass
0

tech37 created 2 months ago

Update:

I ran it again and saw this issue which if you continue the code continues to run

The override class is invoked 3 times in the process and the 3rd time is the following:

When the page changes to https://localhost:44370/signin-oidc it runs the override class again and the function protected override async Task<IdentitySession> UpdateSessionFromCacheAsync([CanBeNull] IdentitySession session) received a null value for session which causes the underlying issue
0

tech37 created 2 months ago

Hi There.

Just following up to see if you have any updates on the issue?
0

liangshiwei created 2 months ago
Support Team Fullstack Developer

Hi,

I just think there is something wrong with your project structure.

For Auth Server Separated solution, the Blazor.Server project should not rely on Volo.Abp.Identity.Pro.Domain project.
0

liangshiwei created 2 months ago
Support Team Fullstack Developer

Could you please share a minimal reproducible project with me? i will check it.

shiwei.liang@volosoft.com
0

tech37 created 2 months ago

Hi thank you. Can we do a quick google meet perhaps? my email address faldielb@gmail.com
0

tech37 created 2 months ago

I dont have the same structure as you are showing. I have:
0

tech37 created 2 months ago

These are the packages my blazor poject depend on:
0

tech37 created 2 months ago

Hi Just an update my side. I did some more debugging

The above code cannot find the session in questions ("3cb289a7-6c89-410f-bce1-884ea1641a49")

But in the new AbpSessions table (created by v8.3.0) there is a record for that session in the table:

I would like to sort this out today as I go on a 2 week holiday tomorrow
0

tech37 created 2 months ago

Hi

If I place the IdentitySessionRepository.FindAsync(sessionId) request in a while loop. The second time it runs it finds the session and the application loads on the home page. This is very strange!
0

tech37 created 2 months ago

Hi, Just another update.

Even though the homepage loads, none of the menu options are now available as they were before the upgrade to v8.3.0.

I am logged in as admin and even the tenant admin menu options are not loading.
0

tech37 created 2 months ago

I see these in the debug log which could be causing the issue.
0

liangshiwei created one month ago
Support Team Fullstack Developer

Hi,

Hi thank you. Can we do a quick google meet perhaps? my email address faldielb@gmail.com

okay

Have an answer to this question? Log in and write your answer.