Activities of "thanhvl1"

Hi, I've just got an issue like this one: https://abp.io/support/questions/7447/Authentication-valid-issuer-issue but the problem is not with this:

nginx.ingress.kubernetes.io/whitelist-source-range

I have deployed my app to AKS and configured the code of the authserver like this:

PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
{
    serverBuilder.SetIssuer(new Uri(configuration["App:SelfUrl"]!));
    serverBuilder.SetAuthorizationEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/authorize");
    serverBuilder.SetEndSessionEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/logout");
    serverBuilder.SetDeviceAuthorizationEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/device");
    serverBuilder.SetUserInfoEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/userinfo");
    serverBuilder.SetTokenEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/token");
    serverBuilder.SetRevocationEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/revocat");
    serverBuilder.SetIntrospectionEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/connect/introspect");
    serverBuilder.SetJsonWebKeySetEndpointUris($"{new Uri(configuration["App:SelfUrl"]!)}/.well-known/jwks");
});

and I also set the forwarded headers like this:

        // Trust X-Forwarded-For and X-Forwarded-Proto sent by the ingress.
        context.Services.Configure<ForwardedHeadersOptions>(options =>
        {
            options.ForwardedHeaders =
                ForwardedHeaders.XForwardedFor | ForwardedHeaders.XForwardedProto;
        });

        if (!env.IsDevelopment())
        {
            app.UseErrorPage();
            app.UseForwardedHeaders();
            app.UseHsts();
        }

My Angular app is deployed at domain/admin and my authserver is deployed at domain/authserver. But when I access /admin, it redirects to the login page, and when using the right account I can log in, but it redirects back to /admin and then goes into a redirect loop.

The log of the authserver is:

[16:53:34 INF] Request starting HTTP/1.1 GET http://domain.com/connect/authorize?response_type=code&client_id=Angular&state=M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2&redirect_uri=https%3A%2F%2Fdomain.com%2Fadmin&scope=openid%20profile%20email%20phone%20AccountService%20IdentityService%20AdministrationService%20SaasService&code_challenge=DVGK0fFWZJJqD3A0hzqNOQHOGkwBsMgbvYy0fqdQmq8&code_challenge_method=S256&nonce=M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2&culture=en&ui-culture=en - null null
[16:53:34 INF] The request URI matched a server endpoint: Authorization.
[16:53:34 INF] The authorization request was successfully extracted: {
"response_type": "code",
"client_id": "Angular",
"state": "M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2",
"redirect_uri": "https://domain.com/admin",
"scope": "openid profile email phone AccountService IdentityService AdministrationService SaasService",
"code_challenge": "DVGK0fFWZJJqD3A0hzqNOQHOGkwBsMgbvYy0fqdQmq8",
"code_challenge_method": "S256",
"nonce": "M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2",
"culture": "en",
"ui-culture": "en"
}.
[16:53:34 INF] The authorization request was successfully validated.
[16:53:34 INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[16:53:34 INF] Route matched with {action = "Handle", controller = "Authorize", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.AuthorizeController (Volo.Abp.OpenIddict.AspNetCore).
[16:53:34 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[16:53:34 ERR] OnAuthorizationAsync: Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)
[16:53:34 INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
[16:53:34 INF] The authorization response was successfully returned to 'https://domain.com/admin' using the query response mode: {
"code": "[redacted]",
"state": "M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2",
"iss": "https://domain.com/authserver",
"culture": "en",
"ui-culture": "en"
}.
[16:53:34 INF] Executed action Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 453.3281ms
[16:53:34 INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[16:53:34 INF] Request finished HTTP/1.1 GET https://domain.com/authserver/connect/authorize?response_type=code&client_id=Angular&state=M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2&redirect_uri=https%3A%2F%2Fdomain.com%2Fadmin&scope=openid%20profile%20email%20phone%20AccountService%20IdentityService%20AdministrationService%20SaasService&code_challenge=DVGK0fFWZJJqD3A0hzqNOQHOGkwBsMgbvYy0fqdQmq8&code_challenge_method=S256&nonce=M2dScEZzS2N1fjRTM3BXZEFGMEgybDZBSXJrdHRteHp0WnMwaU4wRWpvdzJ2&culture=en&ui-culture=en - 302 0 null 775.3449ms
[16:53:35 INF] Request starting HTTP/1.1 GET http://domain.com/.well-known/openid-configuration - null null
[16:53:35 INF] The request URI matched a server endpoint: Configuration.
[16:53:35 INF] The configuration request was successfully extracted: {}.
[16:53:35 INF] The configuration request was successfully validated.
[16:53:35 INF] The response was successfully returned as a JSON document: {
"issuer": "https://domain.com/authserver",
"authorization_endpoint": "https://domain.com/authserver/connect/authorize",
"token_endpoint": "https://domain.com/authserver/connect/token",
"introspection_endpoint": "https://domain.com/authserver/connect/introspect",
"end_session_endpoint": "https://domain.com/authserver/connect/logout",
"revocation_endpoint": "https://domain.com/authserver/connect/revocat",
"userinfo_endpoint": "https://domain.com/authserver/connect/userinfo",
"device_authorization_endpoint": "https://domain.com/authserver/device",
"jwks_uri": "https://domain.com/authserver/.well-known/jwks",
"grant_types_supported": [
"authorization_code",
"implicit",
"password",
"client_credentials",
"refresh_token",
"urn:ietf:params:oauth:grant-type:device_code",
"LinkLogin",
"Impersonation"
],
"response_types_supported": [
"code",
"code id_token",
"code id_token token",
"code token",
"id_token",
"id_token token",
"token",
"none"
],
"response_modes_supported": [
"query",
"form_post",
"fragment"
],
"scopes_supported": [
"openid",
"offline_access",
"email",
"profile",
"phone",
"roles",
"address",
"AccountService",
"IdentityService",
"AdministrationService",
"SaasService"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"subject_types_supported": [
"public"
],
"prompt_values_supported": [
"consent",
"login",
"none",
"select_account"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"introspection_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"revocation_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"device_authorization_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"claims_parameter_supported": false,
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"tls_client_certificate_bound_access_tokens": false,
"authorization_response_iss_parameter_supported": true
}.
[16:53:35 INF] Request finished HTTP/1.1 GET https://domain.com/authserver/.well-known/openid-configuration - 200 2778 application/json;charset=UTF-8 16.5762ms
[16:53:35 INF] Request starting HTTP/1.1 GET http://domain.com/.well-known/jwks - null null
[16:53:35 INF] The request URI matched a server endpoint: JsonWebKeySet.
[16:53:35 INF] The JSON Web Key Set request was successfully extracted: {}.
[16:53:35 INF] The JSON Web Key Set request was successfully validated.
[16:53:35 INF] The response was successfully returned as a JSON document: {
"keys": [
{
"kid": "ABBE2D8F18E20CC5D05FF8EBD8932896F351364A",
"use": "sig",
"kty": "RSA",
"alg": "RS256",
"e": "AQAB",
"n": "xVi6Ofl-xz_DZPGOEssj69eJO4UZ5l5hhznwhZ-CaXoOYz-mW_svsLVI2x0D2JpKSII1KPAALnVQWxf0_LFr9hmSQX3CmnFO0yT6zmA-ZT7CQZlMIunkY9E_oKL4y-45zXBwMRH3BW54i9z3qI-tALaNp9UiCiAcfFbYzU3oW5lCZj05fSRf9q5gIHa6nu93Q10MilaxsBNsCFxwUcBIyK8X92wqedBwrzeEukkkyAz5qG1aD9U-3QIuCuQsNWa5a1qUAyxfM-Q8oUThWh6sk72T6xteL4ApxctqtjPEZ0VotjhVSbQVwtD_5i-DvpuiRQL461ilt35ZVDGw1QJooQ",
"x5t": "q74tjxjiDMXQX_jr2JMolvNRNko",
"x5c": [
]
}
]
}.
[16:53:35 INF] Request finished HTTP/1.1 GET https://domain.com/authserver/.well-known/jwks - 200 1652 application/json;charset=UTF-8 3.0629ms
[16:53:36 INF] Request starting HTTP/1.1 POST http://domain.com/connect/token - application/x-www-form-urlencoded 246
[16:53:36 INF] CORS policy execution failed.
[16:53:36 INF] Request origin https://domain.com does not have permission to access the resource.
[16:53:36 INF] The request URI matched a server endpoint: Token.
[16:53:36 INF] The token request was successfully extracted: {
"grant_type": "authorization_code",
"code": "[redacted]",
"redirect_uri": "https://domain.com/admin",
"code_verifier": "Z2VkWTVvVE1MVTJWYzRBQ3daMMkR-b1RjTjY4",
"client_id": "Angular"
}.
[16:53:36 INF] The token request was successfully validated.
[16:53:36 INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[16:53:36 INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
[16:53:36 INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
[16:53:36 ERR] OnAuthorizationAsync: Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)
[16:53:36 INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
[16:53:36 INF] The token '3a194c8b-a935-2dc3-046f-aba1f5c013ee' was successfully marked as redeemed.
[16:53:36 INF] The response was successfully returned as a JSON document: {
"access_token": "[redacted]",
"token_type": "Bearer",
"expires_in": 2591999,
"scope": "openid profile email phone AccountService IdentityService AdministrationService SaasService ",
"id_token": "[redacted]"
}.
[16:53:36 INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 333.3868ms
[16:53:36 INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
[16:53:36 INF] Request finished HTTP/1.1 POST https://domain.com/authserver/connect/token - 200 3145 application/json;charset=UTF-8 680.5732ms

The log of administration services:

[16:52:42 INF] Request starting HTTP/1.1 GET http://dbr-st-administration/api/abp/application-configuration?includeLocalizationResources=false - null null
[16

Microsoft.IdentityModel.Tokens.SecurityTokenInvalidIssuerException: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuerAsync(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.Tokens.Validators.ValidateIssuer(String issuer, SecurityToken securityToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.Tokens.InternalValidators.ValidateAfterSignatureFailed(SecurityToken securityToken, Nullable`1 notBefore, Nullable`1 expires, IEnumerable`1 audiences, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignature(JsonWebToken jwtToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateSignatureAndIssuerSecurityKey(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
at Microsoft.IdentityModel.JsonWebTokens.JsonWebTokenHandler.ValidateJWSAsync(JsonWebToken jsonWebToken, TokenValidationParameters validationParameters, BaseConfiguration configuration)
[16:53:04 INF] Bearer was not authenticated. Failure message: IDX10204: Unable to validate issuer. validationParameters.ValidIssuer is null or whitespace AND validationParameters.ValidIssuers is null or empty.
[16:53:04 INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationController.GetAsync (Volo.Abp.AspNetCore.Mvc)'
[16:53:04 INF] Route matched with {area = "abp", action = "Get", controller = "AbpApplicationConfiguration", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ApplicationConfigurationDto] GetAsync(Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ApplicationConfigurationRequestOptions) on controller Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.AbpApplicationConfigurationController (Volo.Abp.AspNetCore.Mvc).
[16:53:04 WRN] The cookie 'XSRF-TOKEN' has set 'SameSite=None' and must also set 'Secure'.
[16:53:05 INF] Executing ObjectResult, writing value of type 'Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ApplicationConfigurationDto'.
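
An added example, not part of the original post and not ABP or OpenIddict code: a consistency check over the discovery document from the authserver log above. It compares the advertised `issuer` with the authority a client was configured with and confirms every endpoint sits under that issuer. The trimmed JSON and the two authority values are constructed from the hostnames in the log.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed copy of the discovery document shown in the log above.
DISCOVERY = json.loads("""
{
  "issuer": "https://domain.com/authserver",
  "authorization_endpoint": "https://domain.com/authserver/connect/authorize",
  "token_endpoint": "https://domain.com/authserver/connect/token",
  "userinfo_endpoint": "https://domain.com/authserver/connect/userinfo",
  "jwks_uri": "https://domain.com/authserver/.well-known/jwks"
}
""")


def check_discovery(doc, authority):
    """Return a list of problems a client configured with `authority` would hit."""
    problems = []
    issuer = doc.get("issuer", "")
    # OpenID Connect Discovery: the issuer must be identical to the URL the
    # client used to locate the document (compared here without a trailing slash).
    if issuer.rstrip("/") != authority.rstrip("/"):
        problems.append(f"issuer {issuer!r} != configured authority {authority!r}")
    if urlsplit(issuer).scheme != "https":
        problems.append(f"issuer {issuer!r} is not https")
    # Every advertised endpoint should live under the issuer; anything else means
    # a proxy or path-base rewrite is producing inconsistent URLs.
    prefix = issuer.rstrip("/") + "/"
    for key, value in sorted(doc.items()):
        if key != "issuer" and isinstance(value, str) and value.startswith("http"):
            if not value.startswith(prefix):
                problems.append(f"{key} {value!r} is outside the issuer")
    return problems


if __name__ == "__main__":
    # Hypothetical authority values: the public URL, and the scheme/host under
    # which the same requests are logged as "Request starting".
    for authority in ("https://domain.com/authserver", "http://domain.com"):
        print(authority, "->", check_discovery(DISCOVERY, authority) or "consistent")
```
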

When I try commenting out the background worker and restarting that service, then changing logging to Debug, I don't see anything when the module is initializing. It always gets stuck here:

[02:13:06 INF] - Volo.Abp.Http.Client.IdentityModel.AbpHttpClientIdentityModelModule
[02:13:06 INF] - Volo.Abp.IdentityModel.AbpIdentityModelModule

No, it is separated. I use Azure services for the database and Redis cache. Today, when the service was started by schedule, I got another freeze like the picture below

When I look at the end of the log before the freeze, it's all related to Identity, but mostly it gets stuck at "Volo.Abp.IdentityModel.AbpIdentityModelModule" when initializing.

Hi, I have deployed my app to AKS, and when AKS starts for the first time, some services freeze and stop responding. At that point I have to stop and start only that service (in AKS I have to delete the pod and it is created again), and then that service is able to run normally.

There is no exception or stack trace, because it freezes at the line shown in the log image below

In the local environment, I don't get this problem

  • ABP Framework version: v7.0.3
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated
  • Exception message and full stack trace: I've deployed the microservice to AKS and when I access Angular, I usually get this error. I don't know if this is an error from Redis or MS SQL. I use Redis as a Docker container and use Azure SQL

This is the stack trace image:

This has caused me to spend a lot of time browsing the web

Thanks. Thanh Vo

Hi,

I’m also looking for an example to use with Azure SignalR service, but cannot find one

hi

Please use the template project to reproduce the problem and share it, thanks

When I run my project locally, it authenticates successfully using Azure AD. The issue appeared when I deployed to AKS; note that only authenticating with Azure AD causes the error.

I found that the detailed error is "The antiforgery cookie token and request token do not match.", although I tried to disable automatic antiforgery validation in the authserver module.

How can I temporarily disable the antiforgery in authserver?

Thanks

hi

Can you share the project?

liming.ma@volosoft.com

I've figured out some information about this problem.

The first time, when I click the Microsoft button, it redirects to the Register page, and then when I click the Register button, the Error 400 appears. But when I click the go back link and click the Register button again, it succeeds, and at that point I can log in to the application using SSO

This is the log when error 400

This is the log when success after clicking go back link

hi

It seems you are using refresh_token to request the token endpoint of AuthServer

How can we reproduce the problem?

Hi,

I've just downloaded the microservice template and added some config as follows

And then configured the redirect URLs in Azure Active Directory

Then I run the Angular frontend and try to log in using Microsoft. Nothing was changed in the Angular config

Regards, Thanh

  • ABP Framework version: v7.0.0
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

I've got the following error when I sign in to the application through Azure AD

The steps are: when I click the Microsoft button (it is configured in the AuthServer with TenantID, clientId and clientSecret), it redirects to the Register page

But when I click the Register button, it shows an HTTP 400 error, and when I checked the ELK log, I saw the error shown in the first picture.

Please help me to resolve this problem. Contact me if you need the AzureAD settings for checking

Made with ❤️ on ABP v9.3.0-preview. Updated on April 16, 2025, 12:13