Any update?
The issue is resolved - the cleanup process is now successful. Thanks again.
You have a point here, thank you - some of the projects were missing the AbpOpenIddictEntityFrameworkCoreModule dependency in their EntityFrameworkCoreModule. Nevertheless, I am planning to leave the site running overnight and will check the log in the morning.
Unfortunately, we don't have a test project - our project is heavy and customized and it's not possible to create a test version of it. I cannot share an original project either.
I have truncated the log file of the project since it was huge. So I will run the UI now and leave it until the exception gets raised again - then I'll send you a complete log. Do you need the log of the OpenID server as well? Just in case: there was no exception there.
Hi. Thank you. I have the window load handler both in the OpenID server module, added via AbpBundlingOptions, and the same logic added via the app.component.ts constructor like this (the load handler code DOES get triggered when I load Angular app pages):

this.document.defaultView.addEventListener('storage', event => {
    if (event.key === 'access_token' && event.newValue === null) {
        this.document.defaultView.location.reload();
    }
});

const stateKey = 'authentication-state-id';
const onLoad = () => {
    // this.currentUser comes from this.configStateService.getOne('currentUser')
    if (!this.currentUser.isAuthenticated) {
        localStorage.removeItem(stateKey);
    }
    else {
        localStorage.setItem(stateKey, this.currentUser.id);
    }
    this.document.defaultView.addEventListener('storage', (event) => {
        if (event.key !== stateKey || event.oldValue === event.newValue) {
            return;
        }
        if (event.oldValue || !event.newValue) {
            this.document.defaultView.location.reload();
        }
        else {
            location.assign('/');
        }
    });
};
if (this.document.readyState === 'complete') {
    onLoad();
}
else {
    this.document.defaultView?.addEventListener('load', onLoad);
}
However, the error 400 is still there (with the same "The provided antiforgery token was meant for a different claims-based user than the current user." exception message): when I click the "Login" button in the OpenID server web page in the passive tab, the code of authentication-state-listener.js is not invoked either (I put breakpoints everywhere).
What am I doing wrong?
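To make the cross-tab logic from the post above testable outside a browser, here is an added example (not code from the thread or from ABP) that factors the decision into a pure function and injects a minimal window surface. The WindowLike, StorageLike and StorageEventLike interfaces, the makeFakeWindow test double and the runScenario helper are assumptions introduced for the example; the state key and the reload/assign branches follow the handler posted above. The "go-home" branch is the defensive part: a tab that was anonymous when its login form was rendered holds an antiforgery token bound to the anonymous identity, so navigating to the home page instead of submitting that form is what avoids the 400 described in the thread.

```typescript
// Added example: cross-tab authentication-state sync, factored for testing.
// Interfaces below are assumed minimal shapes, not ABP's or Angular's own types.

interface StorageLike {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

interface StorageEventLike {
  key: string | null;
  oldValue: string | null;
  newValue: string | null;
}

// Only the window members the handler actually touches.
interface WindowLike {
  localStorage: StorageLike;
  addEventListener(type: 'storage', listener: (ev: StorageEventLike) => void): void;
  location: { reload(): void; assign(url: string): void };
}

interface CurrentUser { isAuthenticated: boolean; id: string | null }

const STATE_KEY = 'authentication-state-id';

type Action = 'none' | 'reload' | 'go-home';

// Pure decision: what should this tab do for a given storage event?
function decideAction(ev: StorageEventLike, stateKey: string = STATE_KEY): Action {
  if (ev.key !== stateKey || ev.oldValue === ev.newValue) return 'none';
  // A user was known before (identity switched or logged out): reload to resync.
  if (ev.oldValue || !ev.newValue) return 'reload';
  // Anonymous -> authenticated: leave any stale anonymous page (e.g. a login form
  // whose antiforgery token belongs to the anonymous identity) and go home.
  return 'go-home';
}

// Records this tab's user in localStorage, then reacts to changes made by other tabs.
function installAuthStateSync(win: WindowLike, user: CurrentUser, stateKey: string = STATE_KEY): void {
  if (!user.isAuthenticated || user.id === null) win.localStorage.removeItem(stateKey);
  else win.localStorage.setItem(stateKey, user.id);
  win.addEventListener('storage', ev => {
    switch (decideAction(ev, stateKey)) {
      case 'reload': win.location.reload(); break;
      case 'go-home': win.location.assign('/'); break;
    }
  });
}

// Test double (constructed for the example): a fake window that records navigation.
function makeFakeWindow(): WindowLike & { actions: string[]; fire(ev: StorageEventLike): void } {
  const store = new Map<string, string>();
  const listeners: Array<(ev: StorageEventLike) => void> = [];
  const actions: string[] = [];
  return {
    actions,
    localStorage: {
      getItem: k => store.get(k) ?? null,
      setItem: (k, v) => { store.set(k, v); },
      removeItem: k => { store.delete(k); },
    },
    addEventListener: (_type, listener) => { listeners.push(listener); },
    location: {
      reload: () => { actions.push('reload'); },
      assign: url => { actions.push(`assign:${url}`); },
    },
    fire: ev => { listeners.forEach(l => l(ev)); },
  };
}

// Scenario from the thread: tab B is anonymous while tab A logs in as "u1", then logs out.
function runScenario(): string[] {
  const tabB = makeFakeWindow();
  installAuthStateSync(tabB, { isAuthenticated: false, id: null });
  // The browser fires 'storage' in other tabs when tab A writes the key.
  tabB.fire({ key: STATE_KEY, oldValue: null, newValue: 'u1' });    // login in A -> go home
  tabB.fire({ key: STATE_KEY, oldValue: 'u1', newValue: null });    // logout in A -> reload
  tabB.fire({ key: 'access_token', oldValue: null, newValue: 'x' }); // unrelated key -> ignored
  return tabB.actions;
}
```

In a real app the `WindowLike` argument is simply `window` (or `this.document.defaultView` in the Angular constructor); keeping the decision in `decideAction` lets the reload-versus-redirect rules be unit tested without a browser.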
We have added a new js to refresh the page if authentication changes. You can add this js file to your 8.1.3 version.
I've tried this file and made sure that it has been added to the markup. The following piece of code has been added to the OpenID AbpModule:

Configure<AbpBundlingOptions>(options =>
{
    ...
    options.ScriptBundles.Configure(
        StandardBundles.Scripts.Global,
        bundle =>
        {
            bundle.AddFiles("/libs/abp/aspnetcore-mvc-ui-theme-shared/authentication-state/authentication-state-listener.js");
        }
    );
});
But it did not affect the issue in any way.
I've placed breakpoints inside authentication-state-listener.js and its code has not been invoked during the login process in the passive tab (after a user has already logged in in the active tab). I think this code is not relevant - instead, there has to be a reaction to the "Login" button click (i.e. redirect the user to the Home page instead of trying to authenticate him), etc.
Please note that I had to retain the code you suggested in the very beginning to automatically redirect the user to the Login box in the passive tab (this is placed in the constructor of app.component.ts):

this.window.addEventListener('storage', event => {
    if (event.key === 'access_token' && event.newValue === null) {
        this.window.location.reload();
    }
});
https://learn.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-8.0#multiple-browser-tabs-and-the-synchronizer-token-pattern
Ok - thank you for this link.
In our case the message is different - "Antiforgery token validation failed. The provided antiforgery token was meant for a different claims-based user than the current user. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user." - but I think it's due to the same issue.
So the site says "Consider alternative CSRF protection patterns if this poses an issue." - but nothing specific.
I think in the given situation I could just redirect a user (already authenticated in the first tab) to the initial (home) page in the second tab, if such a situation takes place, instead of trying to log him in again. I just need a hint where I should place the corresponding check, please.
hi
You can try to configure the AbpSystemTextJsonSerializerOptions to set the JsonSerializerSettings
https://abp.io/docs/latest/framework/infrastructure/json#abpsystemtextjsonserializeroptions
Are you sure it's JsonSerializerSettings, not JsonSerializerOptions? Because as far as I understand, JsonSerializerSettings is related to Newtonsoft.Json, not System.Text.Json from Microsoft. And the exception is related to the latter.
Besides, where do you suggest placing it?

public class MyHttpApiModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        ...
        Configure<JsonOptions>(options =>
        {
            options.JsonSerializerOptions.Converters.Add(context.Services.GetRequiredService<IStringToNullableIntConverter>() as JsonConverter);
            options.JsonSerializerOptions.Converters.Add(context.Services.GetRequiredService<IStringToNullableLongConverter>() as JsonConverter);
            options.JsonSerializerOptions.ReferenceHandler = ReferenceHandler.IgnoreCycles; // Maybe this will help?
        });
        Configure<AbpSystemTextJsonSerializerOptions>(options =>
        {
            // The change is here?
        });
    }
}
Any update here?