
"error": "invalid_grant", "error_description": "The specified token is invalid." #9981


LiSong created

I am creating a React app and using SSO. It worked locally; however, the production environment gives me this error:

{ "error": "invalid_grant", "error_description": "The specified token is invalid.", "error_uri": "https://documentation.openiddict.com/errors/ID2004" }

from the token request (Request Method: POST).

Any suggestions?


18 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    Hi,

    Can you check and share the logs.txt of the https://trust.itotem.io website?

    Thanks.

  • LiSong created

    2025-10-10 04:13:58.315 +00:00 [Information] Authorization failed. "These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user."

  • maliming created
    Support Team Fullstack Developer

    Hi,

    Please set your log level to Debug and share the full logs.txt with liming.ma@volosoft.com.

    See https://abp.io/support/questions/8622/How-to-enable-Debug-logs-for-troubleshoot-problems

    Thanks.

  • LiSong created

    Thanks, will do. By the way, how can I see the source code for this endpoint: connect/token?

  • maliming created
    Support Team Fullstack Developer

    Hi,

    The source code of connect/token is in the OpenIddict library, and it is not a single endpoint. It has many handlers.

    Thanks.

  • LiSong created

    Just sent, thanks.

  • maliming created
    Support Team Fullstack Developer

    Hi,

    "the production env gives me this error"

    Can you share your EncryptionAndSigningCertificate code?

    // Production only: turn off ABP's development certificate and load a real pfx instead
    if (!hostingEnvironment.IsDevelopment())
    {
        PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
        {
            options.AddDevelopmentEncryptionAndSigningCertificate = false;
        });
    
        PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
        {
            // The pfx is used for both token signing and token encryption;
            // its pass phrase comes from configuration, not from source code
            serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", configuration["AuthServer:CertificatePassPhrase"]!);
            // Issuer must match the URL the clients validate tokens against
            serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
        });
    }
    
  • LiSong created

    I have just sent it to you via email, thanks.

  • LiSong created

    I manually created the new application here. Should I update the DB migrator, add the application there and run it?

    1. Maybe it has something to do with the way I created this new application; do you have instructions for this?

    2. When should we use a public client vs. a confidential client? I am using a React app to connect; should I use a public client?

    3. What are the hybrid flow, password flow, etc.?

    4. What are extension grant types?

  • maliming created
    Support Team Fullstack Developer

    Hi,

    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    This line of code has a problem.

    The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default.

    Can you try to use a pfx in the Azure environment?

    See https://abp.io/docs/latest/deployment/configuring-openiddict#production-environment

    Thanks.

  • LiSong created

    Do you mean putting openiddict.pfx in the root folder and using it like this?

    serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your-password", X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);

    Thanks

  • maliming created
    Support Team Fullstack Developer

    Yes.

    Generate a pfx file:

    dotnet dev-certs https -v -ep openiddict.pfx -p your_password

    Use it in your AuthServer:

    
    PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
    {
        serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password");
    });
    
  • LiSong created

    After generating the file and updating the code, should I update anything else? Since it's an important certificate file, I am wondering if I have to do more to make the whole system use it.

  • maliming created
    Support Team Fullstack Developer

    Hi,

    No additional steps are needed. AddProductionEncryptionAndSigningCertificate is enough.

    Thanks.

  • LiSong created

    I have a question. Currently the site is working fine; it's a multi-tenancy site. If this line of code is not working, why are the auth, login and sign-up pages still working? Thanks.

    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);

    This line of code has a problem.

    The Azure hosting environment does not allow your application to access the CurrentUser certificate store by default.

  • maliming created
    Support Team Fullstack Developer

    Hi,

    Login and register use cookie authentication. Only the OAuth2 token will fail.

    Thanks.

  • LiSong created

    Hi, it worked with serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", "your_password"); however, I have to put the pfx in the server folder directly, which is not best practice. Is there any better way to manage the pfx file? Thanks.

  • maliming created
    Support Team Fullstack Developer

    Hi,

    You can read pfx from a stream or an embedded/virtual file.

    https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Microsoft/Extensions/DependencyInjection/OpenIddictServerBuilderExtensions.cs#L15-L20

    Thanks.
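An added example, not code from this thread or from the ABP/OpenIddict projects, that applies this answer and the earlier point that the Azure host blocks the CurrentUser store: the pfx bytes come from a configuration secret or an embedded resource, so no certificate file sits in the site folder. The module name MyAuthServerModule, the setting AuthServer:CertificateBase64 and the resource name are assumed placeholders; the pass-phrase and authority keys are the ones shown earlier in the thread.

```csharp
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Extensions.DependencyInjection;

// Placed inside the AuthServer module's PreConfigureServices (module name assumed).
// Replaces both "openiddict.pfx in the site folder" and "X509Store(CurrentUser)".
PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
{
    var passPhrase = configuration["AuthServer:CertificatePassPhrase"]!;
    // EphemeralKeySet keeps the private key in memory instead of a user-profile
    // key store, which the Azure host does not provide to the app.
    var flags = X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet;

    byte[] pfxBytes;
    var base64 = configuration["AuthServer:CertificateBase64"]; // assumed setting name
    if (!string.IsNullOrEmpty(base64))
    {
        // pfx delivered as an App Service setting / Key Vault reference, never on disk
        pfxBytes = Convert.FromBase64String(base64);
    }
    else
    {
        // Fallback: pfx compiled into the assembly as an embedded resource
        // (<EmbeddedResource Include="openiddict.pfx" /> in the csproj; name assumed)
        using var stream = typeof(MyAuthServerModule).Assembly
            .GetManifestResourceStream("MyAuthServer.openiddict.pfx")
            ?? throw new InvalidOperationException("openiddict.pfx resource not found");
        using var buffer = new MemoryStream();
        stream.CopyTo(buffer);
        pfxBytes = buffer.ToArray();
    }

    // On .NET 9+ X509CertificateLoader.LoadPkcs12 can replace this constructor
    var certificate = new X509Certificate2(pfxBytes, passPhrase, flags);
    if (!certificate.HasPrivateKey)
    {
        // Without the private key OpenIddict cannot sign or decrypt tokens;
        // fail at startup rather than with invalid_grant at /connect/token
        throw new InvalidOperationException("openiddict.pfx has no private key");
    }
    if (certificate.NotAfter < DateTime.Now)
    {
        throw new InvalidOperationException("openiddict.pfx has expired");
    }

    serverBuilder.AddSigningCertificate(certificate);
    serverBuilder.AddEncryptionCertificate(certificate);
    serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
});
```

Keep AddDevelopmentEncryptionAndSigningCertificate set to false in production, as in the earlier snippet, so the generated development certificate is never registered alongside this one.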

Made with ❤️ on ABP v10.1.0-preview. Updated on October 30, 2025, 06:33