不知道如何复现,但是导致权限丢失之后的现象是,application-configuration cache,可以 currentUser.Id 是用户信息
application-configuration value,currentUser 却是null,手动删除这个key 可以恢复
不是一个问题,https://github.com/abpframework/abp/pull/24486 是通过角色和用户赋权之后,权限不刷新的问题(延迟问题), 没有操作用户权限情况下,权限丢失,application-configuration cache 的用户信息和权限信息都不对
blazorserver 前后端分离blazorHost ApiHost, application-configuration cache 存储请求上下文权限和身份信息。 ` public async Task
if (httpContext != null && httpContext.Items[cacheKey] is ApplicationConfigurationDto configuration)
{
return configuration;
}
configuration = (await Cache.GetOrAddAsync(
cacheKey,
async () => await GetRemoteConfigurationAsync(),
() => new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = Options.ApplicationConfigurationDtoCacheAbsoluteExpiration
}
))!;
if (httpContext != null)
{
httpContext.Items[cacheKey] = configuration;
}
return configuration;
}
` 源码 MvcCachedApplicationConfigurationClient和RemotePermissionChecker
有一个现象,当权限丢失的时候,application-configuration key userid
,但是value 对应的值,currentUser is null, "auth": { "grantedPolicies": {} },
不行,使用CheckTokenExpiration会导致用户在不登录的情况下,直接访问内部地址,而IntrospectAccessToken不会
openiddict 多个应用,多个app地址,单点登录 appurl /signin-oidc
[OpenIddict.Server.OpenIddictServerDispatcher] The introspection request was rejected because the access token was issued to a different client or for another resource server.
整体站点采用http,单点登录 cookie 共享
[OpenIddict.Server.OpenIddictServerDispatcher] The introspection request was rejected because the access token was issued to a different client or for another resource server.
[2026-01-07 16:51:58.183 +00:00] [INF] [OpenIddict.Server.OpenIddictServerDispatcher] Potentially sensitive application claims were excluded from the introspection response as the client 'EAP' was not explicitly listed as an audience.
