Activities of "Talal"

@maliming

Thank you. so far; The changes seem to work. I will continue testing today.

I would like to ask though; why that code for the CheckExpiresAt() not in the core ABP? Is there any other side effect?

Also should I use the same code for the API HOST project?

For reference to others having the issue I believe the issue is that the auth cookie not expiring with the session expiration.

The fix that was suggested (and seems working) by maliming):

in the WEB project Module:

   private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAuthentication(options =>
            {
                options.DefaultScheme = "Cookies";
                options.DefaultChallengeScheme = "oidc";
            })
            .AddCookie("Cookies", options =>
            {
                options.ExpireTimeSpan = TimeSpan.FromDays(365);
                options.CheckExpiresAt();  //  << ADDED
            })

and added a file/class CookieAuthenticationOptionsExtensions.cs in the web module with the class below:

using System;
using System.Globalization;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

namespace { your namespace }.Web.Extensions
{
    public static class CookieAuthenticationOptionsExtensions
    {
        public static CookieAuthenticationOptions CheckExpiresAt(this CookieAuthenticationOptions options,
    string oidcAuthenticationScheme = "oidc")
        {
            var originalHandler = options.Events.OnValidatePrincipal;
            options.Events.OnValidatePrincipal = async principalContext =>
            {
                originalHandler?.Invoke(principalContext);

                if (principalContext.Principal != null && principalContext.Principal.Identity != null && principalContext.Principal.Identity.IsAuthenticated)
                {
                    var tokenExpiresAt = principalContext.Properties.Items[".Token.expires_at"];
                    if (tokenExpiresAt != null &&
                        DateTimeOffset.TryParseExact(tokenExpiresAt, "yyyy-MM-ddTHH:mm:ss.fffffffzzz", null, DateTimeStyles.AdjustToUniversal, out var expiresAt) &&
                        expiresAt < DateTimeOffset.UtcNow.Subtract(TimeSpan.FromMinutes(5)))
                    {
                        principalContext.RejectPrincipal();
                        await principalContext.HttpContext.SignOutAsync(principalContext.Scheme.Name);
                    }
                }
            };

            return options;
        }

    }
}

Thank you

Web. ok

just to be clear. the WEB or HOST? You said web.host and the namespace says .web

I think you mean to the HOST project

I will add and deploy now

sure i will wait for your code .. this is a production issue so I am thankful for the help

Whenever you are ready. You can send the link to my email you have it. I am on standby now

by the way, this is what Web project is using:

   context.Services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies", options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromDays(365);
            options.CheckExpiresAt();
        })
        .AddAbpOpenIdConnect("oidc", options =>
        {
            options.Authority = configuration["AuthServer:Authority"];
            options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);  // true
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

            options.ClientId = configuration["AuthServer:ClientId"];
            options.ClientSecret = configuration["AuthServer:ClientSecret"];

            options.UsePkce = true;
            options.SaveTokens = false;   // I tried true or false
            options.GetClaimsFromUserInfoEndpoint = true;

            options.Scope.Add("roles");
            options.Scope.Add("email");
            options.Scope.Add("phone");
            options.Scope.Add("api"); // the API client name
        });

the site is not accessible externally. Are you available for zoom?

Actually the user has access to everything

This is misleading and not correct:

Request starting HTTP/2 GET https://apps.cssea.bc.ca/Cetrs - - These requirements were not met: PermissionRequirement: Cssea.Cetrs

sent. Thanks

sorry to say but when things get stuck the application becomes useless :( this is production and now even I delete cookies I flush redis I restart the service/the application even restarted production server. no matter what I do the logged in admin now only sees home.

if (after login as admin) I try to manually type in a secure page, the auth server goes in an endless loop.

What should I do?

Showing 1 to 10 of 19 entries
Made with ❤️ on ABP v9.1.0-preview. Updated on November 11, 2024, 11:11