Open Closed

"error": "invalid_grant", "error_description": "The specified token is invalid." #9981

User avatar
0
LiSong created

I am creating a react app and use the SSO, it worked locally, however, the production env gives me this error

{ "error": "invalid_grant", "error_description": "The specified token is invalid.", "error_uri": "https://documentation.openiddict.com/errors/ID2004" }

from Request URL Request Method POST

any suggestions

Go to accepted answer
18 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you check and share the logs.txt of https://trust.itotem.io website?

    Thanks.

  • User Avatar
    0
    LiSong created

    2025-10-10 04:13:58.315 +00:00 [Information] Authorization failed. "These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user."

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Please set your log level to Debug and share the full logs.txt to liming.ma@volosoft.com

    see https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

    Thanks.

  • User Avatar
    0
    LiSong created

    thanks, will do. by the way, how can I see the source code for this endpoint: connect/token?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    The source code ofconnect/token is in the OpenIddict library, and it is not a single endpoint. It has many handlers.

    Thanks.

  • User Avatar
    0
    LiSong created

    just sent, thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    the production env gives me this error

    Can you share your EncryptionAndSigningCertificate code?

    if (!hostingEnvironment.IsDevelopment())
{
    PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
    {
        options.AddDevelopmentEncryptionAndSigningCertificate = false;
    });

    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", configuration["AuthServer:CertificatePassPhrase"]!);
        serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
    });
}
  • User Avatar
    0
    LiSong created

    I have just sent you via email thx

  • User Avatar
    0
    LiSong created

    I manually created the new application here, should I update db migrator, add the application in and run it?

    1. maybe it has sth to do with the way I created this new application, do you have an instruction for this?

    2. when should we use public client vs confidential client, I am using a react app to connect, should I use public client?

    3. what's hybird flow, password flow, etc..

    4. what's extension grant types

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    This line of code has a problem.

    The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default.

    Can you try to use a pfx in the Azure environment?

    see https://abp.io/docs/latest/deployment/configuring-openiddict#production-environment

    Thanks.

  • User Avatar
    0
    LiSong created

    do you mean putting openiddict.pfx in the root folder and use it like this? serverBuilder.AddProductionEncryptionAndSigningCertificate( "openiddict.pfx", "your-password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

    thx

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Yes

    generate a pfx file:

    dotnet dev-certs https -v -ep openiddict.pfx -p your_password

    Use it in your authserver:

    
PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
{
    serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password");
});
  • User Avatar
    0
    LiSong created

    after generating the file and updating the code, should I update any other place? since it's the important certificate file, I am wondering if I have to do more and let the whole system to use it?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    No additional steps are needed. AddProductionEncryptionAndSigningCertificate is enough.

    Thanks.

  • User Avatar
    0
    LiSong created

    I got a question, currently the site is working fine, it's multi-tenacy site. if this line of code is not working, why the auth, login, sign up pages are still working? thanks

    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    This line of code has a problem.

    The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Hi

    The login, register will use cookies authentication. Only auth2 token will failed.

    Thanks.

  • User Avatar
    0
    LiSong created

    hi, it worked serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password"); however, I have to put the pfx in the server folder directly, which is not the best practice, any better way to manage the pfx file? thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can read pfx from a stream or an embedded/virtual file.

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/Extensions/DependencyInjection/OpenIddictServerBuilderExtensions.cs#L15-L20

    Thanks.

Assignee
User avatar maliming
Question details
Labels
None yet
Boost Your Development
ABP Live Training
Packages
See Trainings
Mastering ABP Framework Book
The Official Guide
Mastering
ABP Framework
Learn More
Mastering ABP Framework Book
Made with ❤️ on ABP v10.1.0-preview. Updated on October 30, 2025, 06:33