Unable to access Identity Microservice api's with tenant in token #9178

9 Answer(s)

• 

  0

  maliming created 21 days ago

  Support Team Fullstack Developer

  hi

  Get a token for the user in a SaaS tenant

  How did you get the new token?

  Please share your HTTP request

  Thanks..

  Save Cancel
• 

  0

  rogercprops created 20 days ago

  We developed an API that gets the token from the authserver using Duende.IdentityModel 7.0.0 ` public async Task

      var apiEndpoint = _configuration.GetValue<string>("AuthServiceBaseUrl");
      var scope = string.Join(" ", scopes);
      var discoveryCache = new DiscoveryCache(apiEndpoint);
      var disco = await discoveryCache.GetAsync();
  
      if (disco.IsError)
      {
          Console.WriteLine(disco.Error);
          throw new UserFriendlyException($"Error retrieving discovery document: {disco.Error}");
      }
  
      var client = new HttpClient();
  
      var passwordTokenRequest = new PasswordTokenRequest
      {
          Address = disco.TokenEndpoint,
          ClientId = clientId,
          ClientSecret = clientSecret,
          UserName = userName,
          Password = password,
          Scope = scope
      };
  
      if (Tenant != null) passwordTokenRequest.Headers.Add("tenant", Tenant);
      var tokenResponse = await client.RequestPasswordTokenAsync(passwordTokenRequest);
  
      TokenResponseDto tokenRequestResponse = new();
  
      if (tokenResponse.IsError)
      {
          Console.WriteLine("error", tokenResponse);
          throw new UserFriendlyException($"Error retrieving token: {tokenResponse.ErrorDescription}");
      }
      else
      {
          tokenRequestResponse.AccessToken = tokenResponse.AccessToken;
          tokenRequestResponse.RefreshToken = tokenResponse.RefreshToken;
          tokenRequestResponse.ExpiresIn = tokenResponse.ExpiresIn;
      }
  
      return tokenRequestResponse;
  }
  

  `

  Here's the curl request to get the token: ` curl --location 'http://localhost:44326/api/token'
  --header 'X-Forwarded-For: 192.0.2.172'
  --header 'Content-Type: application/json'
  --header 'Cookie: .AspNetCore.Culture=c%3Den%7Cuic%3Den'
  --data-raw '{ "tenant": "homefree",

  "clientId": "CloverleafApi",
  "clientSecret": "Fgf@E98M6XZs3w",
  "userName": "testadmin",
  "password": "Lucky7E!",
  "scopes": ["AdministrationService","AuditLoggingService","AuthServer","ClientService","GdprService","IdentityService", "LanguageService","SaasService","ServicesService", "CommunicationsTemplateService","MemberConfigService","ClientServicesQuery","FinancialService","ContactService","StaffService", "HousingService","EngagementLogService", "DocumentService", "NoteService"]
  

  }'`

  Here's the curl request to get the users (the authorization bearer is from the token response: curl --location 'http://localhost:44326/api/identity/users' \ --header 'Authorization: Bearer **** \ --header 'Cookie: .AspNetCore.Culture=c%3Den%7Cuic%3Den'

  Save Cancel
• 

  0

  maliming created 20 days ago

  Support Team Fullstack Developer

  hi

  Please add profile roles email phone to your scopes

  "scopes": [
     "AdministrationService",
     "AuditLoggingService",
     "AuthServer",
     "ClientService",
     "GdprService",
     "IdentityService",
     "LanguageService",
     "SaasService",
     "ServicesService",
     "CommunicationsTemplateService",
     "MemberConfigService",
     "ClientServicesQuery",
     "FinancialService",
     "ContactService",
     "StaffService",
     "HousingService",
     "EngagementLogService",
     "DocumentService",
     "NoteService"
  ]
  

  Save Cancel
• 

  0

  rogercprops created 19 days ago

  Same error.

  Here's the decoded token with the updated scopes

  { "header": { "alg": "RS256", "kid": "******", "x5t": "******", "typ": "at+jwt" }, "payload": { "iss": "http://localhost:44311/", "exp": 1745502008, "iat": 1745498408, "aud": [ "AuthServer", "IdentityService", "AdministrationService", "ServicesService", "SaasService", "AuditLoggingService", "GdprService", "LanguageService", "ClientService", "CommunicationsTemplateService", "ClientServicesQuery", "ContactService", "StaffService", "MemberConfigService", "FinancialService", "HousingService", "EngagementLogService", "DocumentService", "NoteService" ], "scope": "roles phone email profile address AdministrationService AuditLoggingService AuthServer ClientService GdprService IdentityService LanguageService SaasService ServicesService CommunicationsTemplateService MemberConfigService ClientServicesQuery FinancialService ContactService StaffService HousingService EngagementLogService DocumentService NoteService", "jti": "******", "sub": "******", "preferred_username": "testuser", "email": "******", "role": "admin", "tenantid": "6271b9cb-31a4-07e1-e895-3a18325419b0", "given_name": "******", "family_name":"******", "phone_number_verified": "False", "email_verified": "False", "session_id": "******", "unique_name": "******", "oi_prst": "CloverleafApi", "client_id": "CloverleafApi", "oi_tkn_id": "******" } }

  Save Cancel
• 

  0

  maliming created 19 days ago

  Support Team Fullstack Developer

  hi

  Can you set a breakpoint to check the current user claims?

  The access token seems no problem

  Thanks.

  Save Cancel
• 

  0

  rogercprops created 19 days ago

  I'm not sure what you mean by checking the user claims. In the admin console I went to Claims for the user in the host & the user in the tenant and there were none.

  Again, I don't get the authorization error when I get a token for a user in the host tenant and of course it only returns users where TenantId is null.

  Here's the host token decoded: { "header": { "alg": "RS256", "kid": "", "x5t": "", "typ": "at+jwt" }, "payload": { "iss": "http://localhost:44311/", "exp": 1745505879, "iat": 1745502279, "aud": [ "AuthServer", "IdentityService", "AdministrationService", "ServicesService", "SaasService", "AuditLoggingService", "GdprService", "LanguageService", "ClientService", "CommunicationsTemplateService", "ClientServicesQuery", "ContactService", "StaffService", "MemberConfigService", "FinancialService", "HousingService", "EngagementLogService", "DocumentService", "NoteService" ], "scope": "roles phone email profile address AdministrationService AuditLoggingService AuthServer ClientService GdprService IdentityService LanguageService SaasService ServicesService CommunicationsTemplateService MemberConfigService ClientServicesQuery FinancialService ContactService StaffService HousingService EngagementLogService DocumentService NoteService", "jti": "c679b9ed-83dd-4f49-867a-4606cd822dd4", "sub": "3503fbd8-b3bb-e0de-d82f-3a18407a620a", "preferred_username": "cpradmin", "email": "", "role": "admin", "given_name": "", "family_name": "", "phone_number_verified": "False", "email_verified": "False", "session_id": "", "unique_name": "cpradmin", "oi_prst": "CloverleafApi", "client_id": "CloverleafApi", "oi_tkn_id": "******" } }

  Save Cancel
• 

  0

  maliming created 19 days ago

  Support Team Fullstack Developer

  hi

  Can you share a test project and steps?

  I will download and debug it.

  liming.ma@volosoft.com

  Thanks

  Save Cancel
• 

  0

  rogercprops created 17 days ago

  Hi,

  In attempting to build you a small test project to replicate our issue, I built a new micro service solution with ABP Studio but elected to use Abp 9.1 (our current solution is 9.0.4).

  I tried to replicate the error with the new solution but able to get a token for a tenant user then get users from api/identity/users without error. That tells me that the error was corrected in either 9.1 or in the micro-service templates.

  So I tried to upgrade our Abp packages by first upgrading to the latest version of the ABP CLI. Then I tried to use the ABP Studio, then Abp Suite, then using the ABP CLI from a terminal to upgrade our IdentityService. These only updated the application service project file <PackageReference Include="Volo.Abp.Studio.Client.AspNetCore" Version="0.9.23" /> to <PackageReference Include="Volo.Abp.Studio.Client.AspNetCore" Version="0.9.25" />

  None of the other packages were updated. I think this must be a bug in the latest version of ABP CLI/ABP Studio.

  In the end, I replaced all of the solutions from the Abp micro-service template with the ones generated I created with 9.1.

  You should note that the only change we made to any of the Abp template solutions was to the Auth server CloverleafCMSAuthServerModule. We added this to support getting a token for multi-tenancy to our 9.0.4 version, which I also added to the version created with 9.1. private void ConfigureMultiTenancy() { Configure<AbpMultiTenancyOptions>(options => { options.IsEnabled = true; }); }

  So, without going through the differences between the latest micro-service templates and the ones we created with ABP Studio back in February, I don't know if you all fixed the issue in the 9.1 packages or the micro-service templates.

  Save Cancel
• 

  0

  maliming created 16 days ago

  Support Team Fullstack Developer

  hi

  I think this is a claim-type problem.

  The claim type and value in your access token don't match the API website.

  https://abp.io/community/articles/how-claim-type-works-in-asp-net-core-and-abp-framework-km5dw6g1

  Thanks.

  Save Cancel