So one thing I just noticed is a solid disconnect between our HttpApi.Host and the Blazor.Client. Restarting the API in debugging mode causes the authenticated user to no longer be logged in on the host side, but that same user can still use the Client page without reauthenticating and without any issue. This may be related to the fact that every login generates two sessions, which I assumed was normal behaviour (one for host and one for client), but now I'm not so sure.
Good Morning
We're prepping for a production deployment and were expecting 8.3 Final to be released last week; instead we got rc3. Is there a new release date scheduled for when 8.3 Final will be finished and released? Thanks.
This still isn't working.
I've got the Sessions correctly being removed from the database on user login in line with the Logout from All Devices setting, but those users still have access to the system. It times out after an hour of inactivity, but users with an active valid session are also timing out after an hour of inactivity.
Have upgraded to v8.3.0-rc.3 but still cannot see any changes between a new generated project and our solution in regards to modules imported and middleware being started.
What specific part of the Blazor.Client is checking the session validity? Or is it going back to the Host running OpenIddict to check that?
Have been comparing with a newly generated v8.3.0-rc.1 project, no major differences in any of the module configurations (other than the new DynamicClaims which I've implemented with no change).
Where is the Session checking actually implemented in the client projects?
End result is four active working browsers (2 in Chrome, 1 in Chrome Incognito, 1 in Firefox) with zero active sessions and Prevent Concurrent Login turned on. Refreshing any of the browsers causes the WASM page to reload, creating new sessions without asking for credentials.
Have logged on / off and restarted the Blazor and HttpApi.Host instance and rebuilt the project after setting the Prevent Concurrent Logins. Deleting all sessions out of the AbpSessions table also leaves all browsers active and logged in.
For security we've recently created a new database user with tightened-up permissions for usual access (https://en.wikipedia.org/wiki/Principle_of_least_privilege); the user doesn't need to be a superuser or have any alter table permissions. Due to soft-deleting being common, it shouldn't need Delete permission for most tables either.
The Volo.Abp.OpenIddict.Tokens.OpenIddictToken class is set up as a FullAuditedAggregateRoot, which has soft-deleting enabled, but it's not actually using it, so when we revoked the delete permissions the system stopped working properly.
Quick fix is to re-grant the Delete permission, but the OpenIddictToken class should either be set up to use soft-deleting as its inheritance provides, or its inheritance should be changed so we don't have unnecessary unused columns present on the database table.
Your provided link to "Migrating to Blazor Web App" is broken and links back to this post.
We're also in the process of upgrading to 8.2 and I came across the same issue and the lack of 8.2 guides.
For our localization configuration inside Configure<AbpLocalizationOptions> the FlagIcon parameter in the LanguageInfo constructor was identical to the CultureName parameter so I've just removed the parameter for now as I'm not sure we're actually using the FlagIcon itself anywhere so we'll see if that causes any problems.
Also had the same issue with the new IdentitySession inside our DbContext but solved that by adding a reference to the new Sessions table as required by the IIdentityProDbContext interface: public DbSet<IdentitySession> Sessions { get; set; }