I am creating a React app and using the SSO. It worked locally; however, the production env gives me this error:
{ "error": "invalid_grant", "error_description": "The specified token is invalid.", "error_uri": "https://documentation.openiddict.com/errors/ID2004" }
from Request URL Request Method POST
Any suggestions?
18 Answer(s)
- 
    hi Can you check and share the logs.txt of https://trust.itotem.io website? Thanks. 
- 
    2025-10-10 04:13:58.315 +00:00 [Information] Authorization failed. "These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user." 
- 
    hi Please set your log level to Debug and share the full logs.txt to liming.ma@volosoft.com. See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems Thanks. 
- 
    thanks, will do. By the way, how can I see the source code for this endpoint: connect/token? 
- 
    hi The source code of connect/token is in the OpenIddict library, and it is not a single endpoint. It has many handlers. Thanks. 
- 
    just sent, thanks 
- 
    hi

    > the production env gives me this error

    Can you share your EncryptionAndSigningCertificate code?

    ```csharp
    if (!hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });

        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", configuration["AuthServer:CertificatePassPhrase"]!);
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
    ```
- 
    I have just sent you via email thx 
- 
    I manually created the new application here, should I update db migrator, add the application in and run it?

    - maybe it has something to do with the way I created this new application, do you have an instruction for this?
    - when should we use public client vs confidential client, I am using a react app to connect, should I use public client?
    - what's hybrid flow, password flow, etc..
    - what's extension grant types
 
- 
    hi

    ```csharp
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    ```

    This line of code has a problem. The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default. Can you try to use a pfx in the Azure environment? See https://abp.io/docs/latest/deployment/configuring-openiddict#production-environment Thanks. 
- 
    do you mean putting openiddict.pfx in the root folder and using it like this?

    ```csharp
    serverBuilder.AddProductionEncryptionAndSigningCertificate(
        "openiddict.pfx",
        "your-password",
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
    ```

    thx 
- 
    Yes, generate a pfx file:

    ```bash
    dotnet dev-certs https -v -ep openiddict.pfx -p your_password
    ```

    Use it in your authserver:

    ```csharp
    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password");
    });
    ```
- 
    after generating the file and updating the code, should I update any other place? Since it's the important certificate file, I am wondering if I have to do more and let the whole system use it? 
- 
    hi No additional steps are needed. AddProductionEncryptionAndSigningCertificate is enough. Thanks. 
- 
    I got a question: currently the site is working fine, it's a multi-tenancy site. If this line of code is not working, why are the auth, login, sign up pages still working? Thanks

    ```csharp
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    ```

    > This line of code has a problem. The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default. 
- 
    Hi The login, register will use cookies authentication. Only the auth2 token will fail. Thanks. 
- 
    hi, it worked

    ```csharp
    serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password");
    ```

    however, I have to put the pfx in the server folder directly, which is not the best practice. Any better way to manage the pfx file? Thanks 
- 
    hi You can read pfx from a stream or an embedded/virtual file. https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/Extensions/DependencyInjection/OpenIddictServerBuilderExtensions.cs#L15-L20 Thanks. 
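
One way to load the certificate from a stream, as the last answer suggests, so the PFX does not have to sit in the deployed folder. This is an added example, not code from the thread or from ABP; the `LoadPfx` and `Register` helpers and the `AuthServer:CertificatePfxBase64` configuration key are hypothetical, and it assumes the host injects the base64-encoded PFX from its secret store.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class OpenIddictCertificateFromSecret
{
    // Hypothetical helper (not an ABP or OpenIddict API): builds the certificate
    // from a stream, so the PFX can come from a secret store or an embedded
    // resource rather than a file in the deployed site folder.
    public static X509Certificate2 LoadPfx(Stream pfx, string passPhrase)
    {
        using var buffer = new MemoryStream();
        pfx.CopyTo(buffer);

        // Same flags as in the thread. EphemeralKeySet keeps the private key in
        // memory instead of persisting it to a key store on disk. On .NET 9+ this
        // constructor is marked obsolete in favour of X509CertificateLoader.
        var certificate = new X509Certificate2(
            buffer.ToArray(),
            passPhrase,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

        // Fail at startup instead of at the first connect/token request.
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("The PFX contains no private key.");
        if (DateTime.Now < certificate.NotBefore || DateTime.Now > certificate.NotAfter)
            throw new InvalidOperationException("The certificate is outside its validity period.");

        return certificate;
    }

    // Call from PreConfigure<OpenIddictServerBuilder>(...) in place of
    // AddProductionEncryptionAndSigningCertificate("openiddict.pfx", ...).
    public static void Register(OpenIddictServerBuilder serverBuilder, IConfiguration configuration)
    {
        // Assumption: "AuthServer:CertificatePfxBase64" is a made-up key holding the
        // base64-encoded PFX, injected by the host from its secret store.
        var pfxBytes = Convert.FromBase64String(configuration["AuthServer:CertificatePfxBase64"]!);
        using var stream = new MemoryStream(pfxBytes);
        var certificate = LoadPfx(stream, configuration["AuthServer:CertificatePassPhrase"]!);

        // One certificate for both roles, as with the single openiddict.pfx in the thread.
        serverBuilder.AddSigningCertificate(certificate);
        serverBuilder.AddEncryptionCertificate(certificate);
    }
}
```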
 
                                