@maliming
Thank you. So far, the changes seem to work. I will continue testing today.
I would like to ask, though: why is that code for CheckExpiresAt() not in the core ABP? Is there any other side effect?
Also, should I use the same code for the API HOST project?
For reference to others having the issue: I believe the issue is that the auth cookie is not expiring with the session expiration.
The fix that was suggested by maliming (and seems to be working):
In the WEB project module:
private void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
{
    context.Services.AddAuthentication(options =>
        {
            options.DefaultScheme = "Cookies";
            options.DefaultChallengeScheme = "oidc";
        })
        .AddCookie("Cookies", options =>
        {
            options.ExpireTimeSpan = TimeSpan.FromDays(365);
            options.CheckExpiresAt(); // << ADDED
        }); // .AddAbpOpenIdConnect("oidc", ...) is chained here, unchanged from the existing module
}
and added a file/class CookieAuthenticationOptionsExtensions.cs in the web module with the class below:
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

namespace { your namespace }.Web.Extensions
{
    public static class CookieAuthenticationOptionsExtensions
    {
        // Rejects the cookie principal (and signs the cookie out) once the token expiry
        // saved by the OIDC handler has passed by more than a 5 minute grace period.
        // The oidcAuthenticationScheme parameter is kept for call-site compatibility; it is not used.
        public static CookieAuthenticationOptions CheckExpiresAt(this CookieAuthenticationOptions options,
            string oidcAuthenticationScheme = "oidc")
        {
            var originalHandler = options.Events.OnValidatePrincipal;
            options.Events.OnValidatePrincipal = async principalContext =>
            {
                // Run any previously registered handler first, and actually await it
                // (the original code invoked it without awaiting the returned Task).
                if (originalHandler != null)
                {
                    await originalHandler(principalContext);
                }

                if (principalContext.Principal?.Identity?.IsAuthenticated != true)
                {
                    return;
                }

                // ".Token.expires_at" only exists when the OIDC handler stored the tokens
                // (SaveTokens = true). TryGetValue avoids a KeyNotFoundException when it is absent.
                if (!principalContext.Properties.Items.TryGetValue(".Token.expires_at", out var tokenExpiresAt)
                    || string.IsNullOrEmpty(tokenExpiresAt))
                {
                    return;
                }

                // The OIDC handler writes the value with DateTimeOffset.ToString("o", InvariantCulture),
                // so parse it with the invariant culture rather than the current one.
                if (DateTimeOffset.TryParseExact(tokenExpiresAt, "yyyy-MM-ddTHH:mm:ss.fffffffzzz",
                        CultureInfo.InvariantCulture, DateTimeStyles.AdjustToUniversal, out var expiresAt)
                    && expiresAt < DateTimeOffset.UtcNow.Subtract(TimeSpan.FromMinutes(5)))
                {
                    principalContext.RejectPrincipal();
                    await principalContext.HttpContext.SignOutAsync(principalContext.Scheme.Name);
                }
            };
            return options;
        }
    }
}
Thank you
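The expiry decision inside CheckExpiresAt() is hard to exercise because it lives in an OnValidatePrincipal callback that needs an HttpContext. The following is an added example, not code from this thread or from ABP: the same decision pulled out into a pure function over AuthenticationProperties, using the framework's own StoreTokens/GetTokenValue helpers (which read and write the ".Token.expires_at" item the OIDC handler uses), plus a small console Main with a constructed clock and three constructed cases: no saved token (what SaveTokens = false leaves behind), a token expired inside the 5 minute grace period, and one expired beyond it. The class and method names are assumptions for the illustration; it assumes a project that references the Microsoft.AspNetCore.Authentication assembly (any Microsoft.NET.Sdk.Web project).

```csharp
using System;
using System.Globalization;
using Microsoft.AspNetCore.Authentication;

// Added example: the CheckExpiresAt() decision as a pure, testable function.
public static class TokenExpiryCheck
{
    // Returns true when the "expires_at" token saved by the OIDC handler (SaveTokens = true)
    // lies more than `grace` before `now`. A missing or unparsable value never rejects the principal.
    public static bool IsExpired(AuthenticationProperties properties, DateTimeOffset now, TimeSpan grace)
    {
        // GetTokenValue reads ".Token.expires_at" and returns null when it is absent,
        // so this never throws the KeyNotFoundException an indexer lookup would.
        var expiresAtText = properties.GetTokenValue("expires_at");
        if (string.IsNullOrEmpty(expiresAtText))
        {
            return false;
        }

        // The OIDC handler stores DateTimeOffset.ToString("o", CultureInfo.InvariantCulture),
        // so parse with the round-trip format and the invariant culture.
        if (!DateTimeOffset.TryParseExact(expiresAtText, "o", CultureInfo.InvariantCulture,
                DateTimeStyles.AdjustToUniversal, out var expiresAt))
        {
            return false;
        }

        return expiresAt < now - grace;
    }

    // Builds properties the way the OIDC handler does when SaveTokens = true:
    // StoreTokens writes ".Token.expires_at" (and ".TokenNames") into Items.
    public static AuthenticationProperties WithExpiresAt(DateTimeOffset expiresAt)
    {
        var properties = new AuthenticationProperties();
        properties.StoreTokens(new[]
        {
            new AuthenticationToken
            {
                Name = "expires_at",
                Value = expiresAt.ToString("o", CultureInfo.InvariantCulture)
            }
        });
        return properties;
    }

    public static void Main()
    {
        // Constructed sample clock and the same grace period as CheckExpiresAt().
        var now = new DateTimeOffset(2024, 1, 1, 12, 0, 0, TimeSpan.Zero);
        var grace = TimeSpan.FromMinutes(5);

        // Case 1: no token was saved (SaveTokens = false); nothing to check.
        Console.WriteLine("no saved token:      " + IsExpired(new AuthenticationProperties(), now, grace));
        // Case 2: token expired 2 minutes ago, still inside the grace period.
        Console.WriteLine("2 min past expiry:   " + IsExpired(WithExpiresAt(now.AddMinutes(-2)), now, grace));
        // Case 3: token expired 10 minutes ago, beyond the grace period.
        Console.WriteLine("10 min past expiry:  " + IsExpired(WithExpiresAt(now.AddMinutes(-10)), now, grace));
        // Case 4: token still valid for another hour.
        Console.WriteLine("1 h before expiry:   " + IsExpired(WithExpiresAt(now.AddHours(1)), now, grace));
    }
}
```

Keeping the decision separate from the event wiring means the cookie-rejection logic can be unit tested against the exact string format the handler writes, and it makes explicit that with SaveTokens = false there is no expires_at value at all, so the check silently does nothing.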
Web. ok
Just to be clear, the WEB or the HOST? You said web.host, and the namespace says .web.
I think you mean the HOST project.
I will add and deploy now.
Sure, I will wait for your code. This is a production issue, so I am thankful for the help.
Whenever you are ready. You can send the link to my email; you have it. I am on standby now.
By the way, this is what the Web project is using:
context.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";
        options.DefaultChallengeScheme = "oidc";
    })
    .AddCookie("Cookies", options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromDays(365);
        options.CheckExpiresAt();
    })
    .AddAbpOpenIdConnect("oidc", options =>
    {
        options.Authority = configuration["AuthServer:Authority"];
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); // true
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
        options.ClientId = configuration["AuthServer:ClientId"];
        options.ClientSecret = configuration["AuthServer:ClientSecret"];
        options.UsePkce = true;
        options.SaveTokens = false; // I tried true or false
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("roles");
        options.Scope.Add("email");
        options.Scope.Add("phone");
        options.Scope.Add("api"); // the API client name
    });
The site is not accessible externally. Are you available for Zoom?
Actually, the user has access to everything.
This is misleading and not correct:
Request starting HTTP/2 GET https://apps.cssea.bc.ca/Cetrs - - These requirements were not met: PermissionRequirement: Cssea.Cetrs
Sent. Thanks.
Sorry to say, but when things get stuck the application becomes useless :( This is production, and now, even if I delete cookies, flush Redis, restart the service/the application, and even restart the production server, no matter what I do, the logged-in admin now only sees Home.
If (after logging in as admin) I try to manually type in a secure page, the auth server goes into an endless loop.
What should I do?