Open Closed

Suspicious updates on OpenIddictApplication when token endpoint is called with client_credentials grant_type. #8068


User avatar
0
mgurer created
  • ABP Framework version: v8.3.0
  • UI Type: Blazor Server
  • Database System: EF Core (PostgreSQL)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes/no
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Hello.

When I use the token endpoint to get auth token using specific client with client_credentials grant_type, the related OpenIddictApplication entity gets updated. When I check the db, I see changes only in concurrencystamp and lastmodificationtime columns. All other columns remains unchanged. Every time I use token endpoint, an update for the application record gets sent to db.

In my application there are too many clients (more than thounsands) trying to get auth token for their apps and some users fall into concurreny exceptions because they try to get token at almost same time. Because there is no meaningful data change in the applicaiton record(only lastmodiftime), I want to prevent this table to get updated during token requests.

Do you have any suggestions for that?

Thanks. Murat


13 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Enable EF Core logs to see what happened.

    public class Program
    {
        public async static Task<int> Main(string[] args)
        {
            Log.Logger = new LoggerConfiguration()
                .MinimumLevel.Debug()
                .MinimumLevel.Override("Microsoft", LogEventLevel.Information)
                .Enrich.FromLogContext()
                .WriteTo.Async(c => c.File("Logs/logs.txt"))
                .WriteTo.Async(c => c.Console())
                .CreateLogger();
    
  • User Avatar
    0
    mgurer created

    I dont get it. Are you serious?

    I already saw the concurrency exception log and came here to ask what is going on? You want me add logs to the app.

    The behaviour is not related to my very own codes. Even a new blank application behaves as I mentioned before. If you try it for yourself, you will see the record in the OpenIddictApplication table gets updated on each call to connect/token endpoint with client_credentials granttype.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    you will see the record in the OpenIddictApplication table gets updated on each call to connect/token endpoint with client_credentials granttype.

    OK I will try that. Can you share the HTTP request logs of your connect/token endpoint with client_credentials granttype.

  • User Avatar
    0
    mgurer created

    Nope. I wont share any codes, logs with you. Check your frameworks codes? If you dont able to reproduce that behavior, we will consider what we can do then.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The OpenIddictApplication did not change when I requested a token.

  • User Avatar
    0
    mgurer created

    Is that postgres db that you select as dbms? I suspect about some wierd behaviour on timestamped columns.

    I can provide a sample proj that I genererated recently.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I can provide a sample proj that I genererated recently.

    Please share a simple sample. Thanks

    liming.ma@volosoft.com

  • User Avatar
    0
    mgurer created

    Sent

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you try to add MyAbpEfCoreNavigationHelper to your ef core?

    using Microsoft.EntityFrameworkCore.ChangeTracking;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.EntityFrameworkCore.ChangeTrackers;
    using Volo.Abp.OpenIddict.Tokens;
    
    namespace Pusula.Training.HealthCare.EntityFrameworkCore;
    
    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(AbpEfCoreNavigationHelper))]
    public class MyAbpEfCoreNavigationHelper : AbpEfCoreNavigationHelper
    {
        public override void ChangeTracker_Tracked(object? sender, EntityTrackedEventArgs e)
        {
            if (e.Entry.Entity.GetType() == typeof(OpenIddictToken))
            {
                return;
            }
    
            base.ChangeTracker_Tracked(sender, e);
        }
    
        public override void ChangeTracker_StateChanged(object? sender, EntityStateChangedEventArgs e)
        {
            if (e.Entry.Entity.GetType() == typeof(OpenIddictToken))
            {
                return;
            }
    
            base.ChangeTracker_StateChanged(sender, e);
        }
    }
    
    

  • User Avatar
    0
    mgurer created

    I tested code and it does its job as expected.

    I have further questions about the topic;

    1 - I am curious about the unexpected side effects of this workaround. Is there any?

    2 - Should I suspect about other entities for this issue?

    3 - Is this buggy behavior efcore-wise problem or is it specific to OpenIddictApplication entity?

    Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer
    1. No
    2. No, the OpenIddict token was created. So, the OpenIddict application changed. We will reconsider this behavior.
    3. Only related OpenIddict

    About 2 : When one of the entity's navigation changes, we think the entity has also changed. This is useful in many scenarios, but it is not useful for OpenIddict Token. Especially your case

  • User Avatar
    0
    mgurer created

    Hi. Thanks for your support. 👍

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Have a good weekend. : )

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09