Did you solved this odd behavior? I have the same issue like you
I came in to post something similar I have been having recently. I saw this post so I am posting it here first since it could be related. In production: I log in. (even as admin) the user logs in but no pages that require permission is showing, This also happens when the user session timeout.
If I logout then log in with same user. That does not help
If I log out and then login with a DIFFERENT user. then I see the pages.
Sometimes clearing browser cache for the app AND the auth server both helps.
This is weird and started recently.
I am on latest (7)
If this is not related then I apologize for the OP. but please try to logout and log in with a different user and see if that help?
I have tried using different users to login, so I find this issue on the production, it has the same problem that is why I am worried it, because low level user could see the data which granted for the high level user.
hi
Did you add some custom code for permissions or seed permissions?
Can you share a username and password so I can reproduce it online?
liming.ma@volosoft.com
No customized code for permission related code.
I did a stupid thing, deleted all the permission grant records directly on the production environment, now, can not find a production data to reproduce it, I am observing the permission grant records changes when adding them manually, but before I deleted them there were some odd records with "ProviderKey" filed value, it is a Guid not is a role name, I am not sure how them generated.
I will share the information with you as new permission grant generating
hi
You can find a way to reproduce it. Then I can resolve it.
It occurred in production, I can not find a way to fix it, I can not wait anymore, I have deleted all the permission grant records. Now, I am adding the permission grant again manually
I tried delete all the records in the PermissionGrant table
What were the previous records?
More than 4 thousands record for variant roles.....
hi
Can I reproduce this in a new template project?
You can also try to clear the Reids.
I had tried clear the redis caching, no effort It works well with a new template, this problem occurred on my production environment after upgraded to abp 7.0.
it is so strange, I tried delete all the records in the PermissionGrant table, now, all the user cannot get any permission
Thanks, maliming, problems resolved by your suggestions
The specified access token is bound to an account that no longer exists
Please try to clear the Redis cache.
Tried, still occurred
deployed to IIS server, when selected a tenant login, the auth server logging below logs:
2023-03-08 12:23:23.963 +08:00 [INF] Request finished HTTP/2 POST https://account2.yxx.top/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient\_id%3DSchool\_Web%26redirect\_uri%3Dhttps%253A%252F%252Fschool.yxx.top%252Fsignin-oidc%26response\_type%3Dcode%2520id\_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520School%26response\_mode%3Dform\_post%26nonce%3D638138461909738860.MGM4ZDQ3Y2ItZWExYi00OGI4LTkxMjgtODg1MGEzYTNjNmYwOGQxYzZiNjEtYTAxYS00NDFiLTliNDAtMDE4OGQwMzE4NDUz%26state%3DCfDJ8B3bBiDHFkhLrQs4\_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi\_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5\_p0P\_MKt6Ano6XGkKraandkBPY\_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q%26x-client-SKU%3DID\_NET6\_0%26x-client-ver%3D6.15.1.0 application/x-www-form-urlencoded 291 - 302 - - 282.5697ms
2023-03-08 12:23:23.971 +08:00 [INF] CAP message 'Volo.Abp.Users.User.Updated' published, internal id '7648707208777474049'
2023-03-08 12:23:24.001 +08:00 [INF] Request starting HTTP/2 GET https://account2.yxx.top/connect/authorize?client\_id=School\_Web&redirect\_uri=https%3A%2F%2Fschool.yxx.top%2Fsignin-oidc&response\_type=code%20id\_token&scope=openid%20profile%20roles%20email%20phone%20School&response\_mode=form\_post&nonce=638138461909738860.MGM4ZDQ3Y2ItZWExYi00OGI4LTkxMjgtODg1MGEzYTNjNmYwOGQxYzZiNjEtYTAxYS00NDFiLTliNDAtMDE4OGQwMzE4NDUz&state=CfDJ8B3bBiDHFkhLrQs4\_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi\_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5\_p0P\_MKt6Ano6XGkKraandkBPY\_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q&x-client-SKU=ID\_NET6\_0&x-client-ver=6.15.1.0 - -
2023-03-08 12:23:24.002 +08:00 [INF] The request URI matched a server endpoint: "Authorization".
2023-03-08 12:23:24.002 +08:00 [INF] The authorization request was successfully extracted: {
"client\_id": "School\_Web",
"redirect\_uri": "https://school.yxx.top/signin-oidc",
"response\_type": "code id\_token",
"scope": "openid profile roles email phone School",
"response\_mode": "form\_post",
"nonce": "638138461909738860.MGM4ZDQ3Y2ItZWExYi00OGI4LTkxMjgtODg1MGEzYTNjNmYwOGQxYzZiNjEtYTAxYS00NDFiLTliNDAtMDE4OGQwMzE4NDUz",
"state": "CfDJ8B3bBiDHFkhLrQs4\_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi\_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5\_p0P\_MKt6Ano6XGkKraandkBPY\_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q",
"x-client-SKU": "ID\_NET6\_0",
"x-client-ver": "6.15.1.0"
}.
2023-03-08 12:23:24.008 +08:00 [INF] Executing subscriber method 'CmsUserSynchronizer.HandleEventAsync' on group 'cap.queue.viewtance.srp.authserver.0.v1'
2023-03-08 12:23:24.039 +08:00 [INF] The authorization request was successfully validated.
2023-03-08 12:23:24.052 +08:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
2023-03-08 12:23:24.053 +08:00 [INF] Route matched with {action = "Handle", controller = "Authorize", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.AuthorizeController (Volo.Abp.OpenIddict.AspNetCore). 2023-03-08 12:23:24.053 +08:00 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy 2023-03-08 12:23:24.091 +08:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal. 2023-03-08 12:23:24.131 +08:00 [INF] The authorization response was successfully returned to 'https://school.yxx.top/signin-oidc' using the form post response mode: { "code": "[redacted]", "id_token": "[redacted]", "state": "CfDJ8B3bBiDHFkhLrQs4_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5_p0P_MKt6Ano6XGkKraandkBPY_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q", "iss": "https://account2.yxx.top/" }. 2023-03-08 12:23:24.132 +08:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 79.1682ms 2023-03-08 12:23:24.132 +08:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)' 2023-03-08 12:23:24.134 +08:00 [INF] Request finished HTTP/2 GET https://account2.yxx.top/connect/authorize?client_id=School_Web&redirect_uri=https%3A%2F%2Fschool.yxx.top%2Fsignin-oidc&response_type=code%20id_token&scope=openid%20profile%20roles%20email%20phone%20School&response_mode=form_post&nonce=638138461909738860.MGM4ZDQ3Y2ItZWExYi00OGI4LTkxMjgtODg1MGEzYTNjNmYwOGQxYzZiNjEtYTAxYS00NDFiLTliNDAtMDE4OGQwMzE4NDUz&state=CfDJ8B3bBiDHFkhLrQs4_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5_p0P_MKt6Ano6XGkKraandkBPY_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q&x-client-SKU=ID_NET6_0&x-client-ver=6.15.1.0 - - - 200 2118 text/html;charset=UTF-8 132.9270ms 2023-03-08 12:23:24.259 +08:00 [INF] Request starting HTTP/1.1 POST https://account2.yxx.top/connect/token application/x-www-form-urlencoded 183 2023-03-08 12:23:24.260 +08:00 [INF] The request URI matched a server endpoint: "Token". 2023-03-08 12:23:24.270 +08:00 [INF] The token request was successfully extracted: { "client_id": "School_Web", "client_secret": "[redacted]", "code": "[redacted]", "grant_type": "authorization_code", "redirect_uri": "https://school.yxx.top/signin-oidc" }. 2023-03-08 12:23:24.292 +08:00 [INF] Executed subscriber method 'CmsUserSynchronizer.HandleEventAsync' on group 'cap.queue.viewtance.srp.authserver.0.v1' with instance '172_21_0_11' in 278.9283ms 2023-03-08 12:23:24.306 +08:00 [INF] The token request was successfully validated. 2023-03-08 12:23:24.309 +08:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)' 2023-03-08 12:23:24.309 +08:00 [INF] Route matched with {action = "Handle", controller = "Token", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] HandleAsync() on controller Volo.Abp.OpenIddict.Controllers.TokenController (Volo.Abp.OpenIddict.AspNetCore).
2023-03-08 12:23:24.309 +08:00 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy
2023-03-08 12:23:24.323 +08:00 [INF] Executing SignInResult with authentication scheme (OpenIddict.Server.AspNetCore) and the following principal: System.Security.Claims.ClaimsPrincipal.
2023-03-08 12:23:24.338 +08:00 [INF] The token 'a82fcef4-1f86-77c8-2539-3a09d1a27ebe' was successfully marked as redeemed.
2023-03-08 12:23:24.382 +08:00 [INF] The response was successfully returned as a JSON document: {
"access\_token": "[redacted]",
"token\_type": "Bearer",
"expires\_in": 3600,
"scope": "openid profile roles email phone School",
"id\_token": "[redacted]"
}.
2023-03-08 12:23:24.382 +08:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore) in 72.9924ms
2023-03-08 12:23:24.382 +08:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.TokenController.HandleAsync (Volo.Abp.OpenIddict.AspNetCore)'
2023-03-08 12:23:24.389 +08:00 [INF] Request finished HTTP/1.1 POST https://account2.yxx.top/connect/token application/x-www-form-urlencoded 183 - 200 2783 application/json;charset=UTF-8 129.8559ms
2023-03-08 12:23:24.390 +08:00 [INF] Request starting HTTP/1.1 GET https://account2.yxx.top/connect/userinfo - -
2023-03-08 12:23:24.390 +08:00 [INF] The request URI matched a server endpoint: "Userinfo".
2023-03-08 12:23:24.391 +08:00 [INF] The userinfo request was successfully extracted: {
"access\_token": "[redacted]"
}.
2023-03-08 12:23:24.395 +08:00 [INF] The userinfo request was successfully validated.
2023-03-08 12:23:24.398 +08:00 [INF] The authentication demand was rejected because the token had no valid audience.
2023-03-08 12:23:24.399 +08:00 [INF] OpenIddict.Validation.AspNetCore was not authenticated. Failure message: An error occurred while authenticating the current request.
2023-03-08 12:23:24.399 +08:00 [INF] OpenIddict.Validation.AspNetCore was not authenticated. Failure message: An error occurred while authenticating the current request.
2023-03-08 12:23:24.401 +08:00 [INF] Executing endpoint 'Volo.Abp.OpenIddict.Controllers.UserInfoController.Userinfo (Volo.Abp.OpenIddict.AspNetCore)'
2023-03-08 12:23:24.401 +08:00 [INF] Route matched with {action = "Userinfo", controller = "UserInfo", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Userinfo() on controller Volo.Abp.OpenIddict.Controllers.UserInfoController (Volo.Abp.OpenIddict.AspNetCore). 2023-03-08 12:23:24.401 +08:00 [INF] Skipping the execution of current filter as its not the most effective filter implementing the policy Microsoft.AspNetCore.Mvc.ViewFeatures.IAntiforgeryPolicy 2023-03-08 12:23:24.404 +08:00 [INF] Executing ChallengeResult with authentication schemes (["OpenIddict.Server.AspNetCore"]). 2023-03-08 12:23:24.412 +08:00 [INF] The response was successfully returned as a challenge response: { "error": "invalid_token", "error_description": "The specified access token is bound to an account that no longer exists.", "error_uri": "https://documentation.openiddict.com/errors/ID2025" }. 2023-03-08 12:23:24.412 +08:00 [INF] AuthenticationScheme: OpenIddict.Server.AspNetCore was challenged. 2023-03-08 12:23:24.412 +08:00 [INF] Executed action Volo.Abp.OpenIddict.Controllers.UserInfoController.Userinfo (Volo.Abp.OpenIddict.AspNetCore) in 11.271ms 2023-03-08 12:23:24.412 +08:00 [INF] Executed endpoint 'Volo.Abp.OpenIddict.Controllers.UserInfoController.Userinfo (Volo.Abp.OpenIddict.AspNetCore)' 2023-03-08 12:23:24.413 +08:00 [INF] Request finished HTTP/1.1 GET https://account2.yxx.top/connect/userinfo - - - 302 - - 23.6954ms 2023-03-08 12:23:24.414 +08:00 [INF] Request starting HTTP/1.1 GET https://account2.yxx.top/Error?httpStatusCode=401 - - 2023-03-08 12:23:24.417 +08:00 [INF] Executing endpoint 'Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController.Index (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared)' 2023-03-08 12:23:24.418 +08:00 [INF] Route matched with {action = "Index", controller = "Error", area = "", page = ""}. Executing controller action with signature System.Threading.Tasks.Task`1[Microsoft.AspNetCore.Mvc.IActionResult] Index(Int32) on controller Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared).
2023-03-08 12:23:24.424 +08:00 [INF] Executing ViewResult, running view \~/Views/Error/401.cshtml.
2023-03-08 12:23:24.438 +08:00 [INF] Executed ViewResult - view \~/Views/Error/401.cshtml executed in 14.5437ms.
2023-03-08 12:23:24.438 +08:00 [INF] Executed action Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController.Index (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared) in 20.2675ms
2023-03-08 12:23:24.438 +08:00 [INF] Executed endpoint 'Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared.Controllers.ErrorController.Index (Volo.Abp.AspNetCore.Mvc.UI.Theme.Shared)'
2023-03-08 12:23:24.439 +08:00 [INF] Request finished HTTP/1.1 GET https://account2.yxx.top/Error?httpStatusCode=401 - - - 401 - text/html;+charset=utf-8 24.7454ms
2023-03-08 12:23:35.459 +08:00 [INF] Request starting HTTP/2 GET https://account2.yxx.top/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient\_id%3DSchool\_Web%26redirect\_uri%3Dhttps%253A%252F%252Fschool.yxx.top%252Fsignin-oidc%26response\_type%3Dcode%2520id\_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520School%26response\_mode%3Dform\_post%26nonce%3D638138461909738860.MGM4ZDQ3Y2ItZWExYi00OGI4LTkxMjgtODg1MGEzYTNjNmYwOGQxYzZiNjEtYTAxYS00NDFiLTliNDAtMDE4OGQwMzE4NDUz%26state%3DCfDJ8B3bBiDHFkhLrQs4\_gVsubaVXWUDC8HmYXMqpCor7wWSN3Jjp-Ek3A6yFKbchuQwhJXjzi\_lT8R-ZsX6YhqmSWQFlKcfLuW8mSVSmYtpwBffjJo8iO-Abv6tQmZdijuUS4jhKvUmGiieeaCOkYNHE7MCdmx4Dr5\_p0P\_MKt6Ano6XGkKraandkBPY\_xfdR3aSSXMRB8vQsvKSfTyElsi1qsiAYaiDhuNHoeJ8ZpJCWcRazQ5hozb0897wbPVVRZecQS2X8PX9Ca-V76KkV7KFZKjcIRJ2kEm8SVcmHbzTBVL35nGFKGpkQCbShbh7dpn6Q%26x-client-SKU%3DID\_NET6\_0%26x-client-ver%3D6.15.1.0 - -
2023-03-08 12:23:35.466 +08:00 [INF] Executing endpoint '/Account/Login'
<br>
* **Steps to reproduce the issue**:" deployed to IIS server, login with a tenant
In development Environment, the tenant id was taken, all processes working well. with below logs:
2023-03-08 01:04:12.931 +08:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ExtractTokenRequestContext was successfully processed by OpenIddict.Server.AspNetCore.OpenIddictServerAspNetCoreHandlers+ExtractBasicAuthenticationCredentials\`1[[OpenIddict.Server.OpenIddictServerEvents+ExtractTokenRequestContext, OpenIddict.Server, Version=4.0.0.0, Culture=neutral, PublicKeyToken=35a561290d20de2f]].
2023-03-08 01:04:12.931 +08:00 [INF] The token request was successfully extracted: {
"client\_id": "School\_Web",
"client\_secret": "[redacted]",
"code": "[redacted]",
"grant\_type": "authorization\_code",
"redirect\_uri": "https://localhost:44302/signin-oidc",
"\_\_tenant": "9c328224-e94b-eae6-7586-39fbfa952785"
}.
2023-03-08 01:04:12.931 +08:00 [DBG] The event OpenIddict.Server.OpenIddictServerEvents+ProcessRequestContext was successfully processed by OpenIddict.Server.OpenIddictServerHandlers+Exchange+ExtractTokenRequest.