Activities of "Josh.Cunningham"

Thank you.

Since this is creating a lot of noise for us I am intending to make the following change in the mean time to prevent the error log.

Could you please confirm whether or not you believe this is appropriate, or suggest an alternative if not.

public class OpenIddictCreateIdentitySessionExceptForClientCredentials : 
    OpenIddictCreateIdentitySession,
    IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext>
{
    private static readonly OpenIddictServerHandlerDescriptor _descriptor = OpenIddictServerHandlerDescriptor
        .CreateBuilder<OpenIddictServerEvents.ProcessSignInContext>()
        .UseSingletonHandler<OpenIddictCreateIdentitySessionExceptForClientCredentials>()
        .SetOrder(100000)
        .SetType(OpenIddictServerHandlerType.Custom)
        .Build();

    public OpenIddictCreateIdentitySessionExceptForClientCredentials(
        IdentitySessionManager identitySessionManager, 
        IWebClientInfoProvider webClientInfoProvider, 
        IOptions<AbpAccountOpenIddictOptions> options) : base(identitySessionManager, webClientInfoProvider, options)
    {
    }

    public new static OpenIddictServerHandlerDescriptor Descriptor
    {
        get
        {
            return _descriptor;
        }
    }

    public new ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignInContext context)
    {    
        if (context == null)
            throw new ArgumentNullException("context");
            
        if (context.Request.IsClientCredentialsGrantType())
            return ValueTask.CompletedTask;

        return base.HandleAsync(context);
    }
}
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<OpenIddictBuilder>(builder =>
    {
        builder.AddServer(options =>
        {
            options.RemoveEventHandler(OpenIddictCreateIdentitySession.Descriptor);
            options.AddEventHandler(OpenIddictCreateIdentitySessionExceptForClientCredentials.Descriptor);
        });
    });
}

I would also appreciate it if you could provide us with a link to any relevant issue or pull request on this ticket so that we may follow the progress of this fix and remove this code once it is redundant.

Kind regards, Josh

  • ABP Framework version: v8.2.1
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: SessionId is null. It's not possible to save the session. [OpenIddict.Server.OpenIddictServerDispatcher]
  • Steps to reproduce the issue: Call /connect/token for openiddict application using client credentials flow

Error is the same as https://abp.io/support/questions/7977/AuthServer-820-SessionId-is-null-error but the steps differ.

When logging in as a user, I can see that IdentitySessionClaimsPrincipalContributor is correctly setting the sessionId, and the error does not occur.

This error is occurring during integrations we have running as background jobs, it occurs when /connect/token is called with client credentials flow. I have been investigating the error by making the api call using Postman, examining the returned access token I there is no session id, but I'm not sure if there should.

In the course of trying to understand the error I added an IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext> just before OpenIddictCreateIdentitySession (where I believe the error is occurring) to confirm that there is indeed no session id (there wasn't). I subsequently modified my handler to add in session id, not believing this to be the fix but to see what would happen; this caused an exception in OpenIddictCreateIdentitySession when it tries to get the user id, which makes sense as there isn't a user.

So I am assuming that either: there shouldn't be a session id but this handler shouldn't be being called for my client credentials, or that there should be a session id but something in the way I have configured the application is causing it to not be created. Looking at the functionality provided by the session management it doesn't seem relevant (at least with our usage) to client applications, in combination with the fact that it is trying to get the user id, I am assuming at the moment that there shouldn't be a session, but this is not my area of expertise.

I do not believe there is anything particularly special with how the application has been configured: I am not currently worried that this is causing any problems in our application, based on the fact that the handler simply logs the error and then returns, and if it didn't then the following call to IdentitySessionManager.CreateAsync would cause an exception. But the error is causing a lot of noise. I could inherit and then replace the handler, and only call the base implementation when it is not the client causing thin question; this would reduce the noise but is patently not the correct approach.

Any help would be greatly appreciated. Thanks in advance.

This was initially observed by new users (who were set up with no phone number) going to "Personal info" tab of the "/Account/Manage" page, clicking "Verify" (on their email) and then clicking "Submit" (without having made any changes). The submit changes the user's phone number from NULL to an empty string which creates a "ChangePhoneNumber" security log and updates the security stamp, this results in the verification email that was just sent being immediately invalid.

  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:
    • Create new user (without phone number)
    • Log in as new user
    • Go to "My account" ("/Account/Manage")
    • Go to "Personal info" tab
    • Click "Verify" (for email)
    • Click "Submit"
    • Click link in verification email - results in "Invalid token"

I believe this is caused by how the form is submitted by serializing the form which results in the null phone number becoming an empty string.

I have resolved this with the following change:

    [Dependency(ReplaceServices = true)]
    public class CustomProfileAppService : ProfileAppService
    {
        // Constructor omitted for brevity

        public override async Task<ProfileDto> UpdateAsync(UpdateProfileDto input)
        {
            if (string.IsNullOrEmpty(input.PhoneNumber))
            {
                var user = await UserManager.GetByIdAsync(CurrentUser.GetId());
                if (string.IsNullOrEmpty(user.PhoneNumber))
                {
                    input.PhoneNumber = user.PhoneNumber;
                }
            }

            return await base.UpdateAsync(input);
        }
    }

We are immediately providing user training to ensure this does not occur whilst we release this change as this has been reported multiple times, however, whilst what they are doing is unnecessary, I do not think it is unreasonable that they would not expect the steps they are taking to invalidate their verification token.

I have noticed that on submitting the "/Identity/Users/EditModal" the security stamp is changed every time. Which leads me to believe that it is being updated unnecessarily beyond the scenario that ours users have encountered.

Additionally it would be nice to have some visibility of when and why the security stamp changes in the security logs. The ChangePhoneNumber log is already present, and was key to us being able to diagnose what had happened here, but other changes (such as roles/permissions) which I believe to be valid reasons for the security stamp to change are not present in the security logs. It would also be nice to have a security log for when the security stamp has changed (even if this were always inferable from the other logs).

Thank you very much

When the "Allow users to change their email addresses" Identity Management setting is disabled users are not able to verify their email in the "Personal info" tab of the "Account" page.

Our site is quite tightly controlled and users are created by an administrator and not able to change their email. There also doesn't appear to be a way for administrators to trigger this email on behalf of a user that I can see.

I am aware that if we require emails to be verified then they would be able to verify it on login but at present we do not want this.

Is there any way to configure this so that the user is able to verify their email but not change it?

Currently I am working around the issue using the following javascript (any comments, criticisms or suggestions would be appreciated):

$(function () {
    const $email = $('#PersonalSettingsForm').find("#Email")

    if ($email) {
        if ($email.parent().find("#VerifyEmailButton").length == 0 && $email.attr("data-email-verified") === "False") {
            $email[0].insertAdjacentHTML('afterend', `
                &lt;button id=&quot;VerifyEmailButton&quot; style=&quot;&quot; class=&quot;btn btn-warning&quot; type=&quot;button&quot; data-busy-text=&quot;Processing...&quot;&gt;
                    &lt;i class=&quot;me-1 fa fa-vcard&quot;&gt;&lt;/i&gt; Verify
                &lt;/button&gt;
            `);
        }

        if ($email.parent().find("#EmailVerified").length == 0 && $email.attr("data-email-verified") === "True") {
            $email[0].insertAdjacentHTML('afterend', `
                &lt;span class=&quot;input-group-text&quot; id=&quot;EmailVerified&quot; style=&quot;&quot;&gt;
                    &lt;i class=&quot;me-1 text-success fa fa-check-square&quot;&gt;&lt;/i&gt;&lt;span class=&quot;text-success&quot;&gt;Verified&lt;/span&gt;
                &lt;/span&gt;
            `);
        }
    }
});
  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Yes that did exactly what I wanted, Thank you very much for your help Anjali

We have recently upgraded to 7.3.2 as we are very excited to leverage the newly added ability to use authenticator apps for 2FA.

It all works great out the box, however we have observed that the default "Account Name" that appears in the authenticator app is taken from the web application name. We would like to be able to customise this per deployment as we have a separate web application that handles our authorization that is deployed for multiple clients. Unfortunately it is not feasible for us to do a build per deployment so we cannot do this by changing the assembly name. We have not been able to determine any way in which this can be configured but I am hoping that there is a way that we have missed?

If not is there a way to disable 2FA using authenticator apps whilst maintaining 2FA via email?

  • ABP Framework version: v7.3.2
  • UI Type: MVC
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

Throwing a UserFriendlyException from a local domain event results in http response with detail "Error: response status is 200".

  • ABP Framework version: v5.3.2
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): Tiered
  • Exception message and stack trace:
    2022-07-18 10:09:34.558 +01:00 [WRN] An exception occurred, but response has already started!
    2022-07-18 10:09:34.581 +01:00 [ERR] An unhandled exception has occurred while executing the request.
    Volo.Abp.UserFriendlyException: Cannot create a Book
    at Acme.BookStore.Books.BookCreateHandler.HandleEventAsync(EntityCreatedEventData1 eventData) in C:\_git\AbpDomainEventException\src\Acme.BookStore.Domain\Books\Book.cs:line 22
    at Volo.Abp.EventBus.EventHandlerInvoker.InvokeAsync(IEventHandler eventHandler, Object eventData, Type eventType)
    at Volo.Abp.EventBus.EventBusBase.TriggerHandlerAsync(IEventHandlerFactory asyncHandlerFactory, Type eventType, Object eventData, List1 exceptions, InboxConfig inboxConfig)
    at Volo.Abp.EventBus.EventBusBase.ThrowOriginalExceptions(Type eventType, List1 exceptions)
    at Volo.Abp.EventBus.EventBusBase.TriggerHandlersAsync(Type eventType, Object eventData)
    at Volo.Abp.EventBus.Local.LocalEventBus.PublishAsync(LocalEventMessage localEventMessage)
    at Volo.Abp.EventBus.Local.LocalEventBus.PublishToEventBusAsync(Type eventType, Object eventData)
    at Volo.Abp.EventBus.EventBusBase.PublishAsync(Type eventType, Object eventData, Boolean onUnitOfWorkComplete)
    at Volo.Abp.EventBus.UnitOfWorkEventPublisher.PublishLocalEventsAsync(IEnumerable1 localEvents)
    at Volo.Abp.Uow.UnitOfWork.CompleteAsync(CancellationToken cancellationToken)
    at Volo.Abp.AspNetCore.Uow.AbpUnitOfWorkMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Volo.Abp.AspNetCore.ExceptionHandling.AbpExceptionHandlingMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Volo.Abp.AspNetCore.ExceptionHandling.AbpExceptionHandlingMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Volo.Abp.AspNetCore.MultiTenancy.MultiTenancyMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Microsoft.AspNetCore.Builder.ApplicationBuilderAbpJwtTokenMiddlewareExtension.<>c\_\_DisplayClass0\_0.<b\_\_0>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
    at Volo.Abp.AspNetCore.Security.AbpSecurityHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Volo.Abp.AspNetCore.Tracing.AbpCorrelationIdMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next)
    at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c\_\_DisplayClass6\_1.<b\_\_1>d.MoveNext()
    \-\-\- End of stack trace from previous location \-\-\-
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)
    at Microsoft.AspNetCore.Watch.BrowserRefresh.BrowserRefreshMiddleware.InvokeAsync(HttpContext context)
    at Microsoft.AspNetCore.Server.IIS.Core.IISHttpContextOfT\`\`1.ProcessRequestAsync()
    2022-07-18 10:09:34.581 +01:00 [WRN] The response has already started, the error page middleware will not be executed.
  • Repro Steps:
    1. Created a new solution (Acme.BookStore) with ABP CLI
    2. Generated CRUD entity (Book) and pages with ABP Suite
    3. Created a LocalEventHandler to handle EntityCreatedEventData for the generated entity that throws a UserFriendlyException
    4. Doing POST /api/app/books via swagger results in a response with with an undocumented code and details stating "Error: response status is 200":
    5. Creating an entity from the generated create modal displays a dialog stating "An error has occurred! Error detail not sent by server":
    6. We would like both of these scenarios to display a more appropriate response, any help would be greatly appreciated

Thanks in advance

Showing 1 to 8 of 8 entries
Made with ❤️ on ABP v9.1.0-preview. Updated on November 01, 2024, 05:35