Suspicious updates on OpenIddictApplication when token endpoint is called with client_credentials grant_type. #8068 | Support

mgurer created one month ago

ABP Framework version: v8.3.0
UI Type: Blazor Server
Database System: EF Core (PostgreSQL)
Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
Exception message and full stack trace:
Steps to reproduce the issue:

Hello.

When I use the token endpoint to get auth token using specific client with client_credentials grant_type, the related OpenIddictApplication entity gets updated. When I check the db, I see changes only in concurrencystamp and lastmodificationtime columns. All other columns remains unchanged. Every time I use token endpoint, an update for the application record gets sent to db.

In my application there are too many clients (more than thounsands) trying to get auth token for their apps and some users fall into concurreny exceptions because they try to get token at almost same time. Because there is no meaningful data change in the applicaiton record(only lastmodiftime), I want to prevent this table to get updated during token requests.

Do you have any suggestions for that?

Thanks. Murat

13 Answer(s)

maliming created one month ago

Support Team Fullstack Developer

Enable EF Core logs to see what happened.

public class Program
{
    public async static Task<int> Main(string[] args)
    {
        Log.Logger = new LoggerConfiguration()
            .MinimumLevel.Debug()
            .MinimumLevel.Override("Microsoft", LogEventLevel.Information)
            .Enrich.FromLogContext()
            .WriteTo.Async(c => c.File("Logs/logs.txt"))
            .WriteTo.Async(c => c.Console())
            .CreateLogger();

0

mgurer created one month ago

I dont get it. Are you serious?

I already saw the concurrency exception log and came here to ask what is going on? You want me add logs to the app.

The behaviour is not related to my very own codes. Even a new blank application behaves as I mentioned before. If you try it for yourself, you will see the record in the OpenIddictApplication table gets updated on each call to connect/token endpoint with client_credentials granttype.
0

maliming created one month ago
Support Team Fullstack Developer

you will see the record in the OpenIddictApplication table gets updated on each call to connect/token endpoint with client_credentials granttype.

OK I will try that. Can you share the HTTP request logs of your connect/token endpoint with client_credentials granttype.
0

mgurer created one month ago

Nope. I wont share any codes, logs with you. Check your frameworks codes? If you dont able to reproduce that behavior, we will consider what we can do then.
0

maliming created one month ago
Support Team Fullstack Developer

The OpenIddictApplication did not change when I requested a token.
0

mgurer created one month ago

Is that postgres db that you select as dbms? I suspect about some wierd behaviour on timestamped columns.

I can provide a sample proj that I genererated recently.
0

maliming created one month ago
Support Team Fullstack Developer

I can provide a sample proj that I genererated recently.

Please share a simple sample. Thanks

liming.ma@volosoft.com
0

mgurer created one month ago

Sent

maliming created one month ago

Support Team Fullstack Developer

Can you try to add MyAbpEfCoreNavigationHelper to your ef core?

using Microsoft.EntityFrameworkCore.ChangeTracking;
using Volo.Abp.DependencyInjection;
using Volo.Abp.EntityFrameworkCore.ChangeTrackers;
using Volo.Abp.OpenIddict.Tokens;

namespace Pusula.Training.HealthCare.EntityFrameworkCore;

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(AbpEfCoreNavigationHelper))]
public class MyAbpEfCoreNavigationHelper : AbpEfCoreNavigationHelper
{
    public override void ChangeTracker_Tracked(object? sender, EntityTrackedEventArgs e)
    {
        if (e.Entry.Entity.GetType() == typeof(OpenIddictToken))
        {
            return;
        }

        base.ChangeTracker_Tracked(sender, e);
    }

    public override void ChangeTracker_StateChanged(object? sender, EntityStateChangedEventArgs e)
    {
        if (e.Entry.Entity.GetType() == typeof(OpenIddictToken))
        {
            return;
        }

        base.ChangeTracker_StateChanged(sender, e);
    }
}

0

mgurer created one month ago

I tested code and it does its job as expected.

I have further questions about the topic;

1 - I am curious about the unexpected side effects of this workaround. Is there any?

2 - Should I suspect about other entities for this issue?

3 - Is this buggy behavior efcore-wise problem or is it specific to OpenIddictApplication entity?

Thanks
0
maliming created one month ago
Support Team Fullstack Developer
No

No, the OpenIddict token was created. So, the OpenIddict application changed. We will reconsider this behavior.

Only related OpenIddict

About 2 : When one of the entity's navigation changes, we think the entity has also changed. This is useful in many scenarios, but it is not useful for OpenIddict Token. Especially your case
0

mgurer created one month ago

Hi. Thanks for your support. 👍
0

maliming created one month ago
Support Team Fullstack Developer

Have a good weekend. : )

Have an answer to this question? Log in and write your answer.