- ABP Framework version: v6.0.0
- UI type: Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace:
- Steps to reproduce the issue:"
Hi, there was a class named DefaultTokenService of IdentityServer4. After switching to OpendIddict, the class is missing. I used to override that class in AuthServer project and add some dynamic claims to token.
Can you suggest me a new way for the missing class?
Thanks.
17 Answer(s)
-
0
hi
https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token
-
0
Hi,
I think the document is not about adding new claims to the token. It is about switching the destination of an already added claim. It helps to decide where the claim exists (idtoken or accesstoken).
The claims property of the context is a readonly array and can not be altered. Using this class, I can not add a new claim to the context but I can alter it is destination.
I need to add new claims to the context, not to alter their locations.
Thanks
-
0
hi
https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory
-
0
It works as expected on password flow.
I could not test it on refresh_token flow. I will open another ticket for that issue.
Thank for your support.
-
0
I just tested the refresh_token flow. Suggested solution does not suitable for refresh_tokens. The solutions is fine for password flow. IdentityServer4's DefaultTokenService was working as expected. I need to alter/add claims to token even in the refresh_token flow.
-
0
I just tested the refresh_token flow
Can you share your steps?
-
0
I created a micro service pro project Run the solution Added a demo client with client_credentials and refresh_token options available.
Folowed the steps in the document; https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory
Added a ClaimsPrincipalContributor file to authserver project
Called the token endpoint using client_credentials flow. I successfully interrupted the flow and breakpoint on ContributeAsync method hit. I called the token endpoint using refresh_token flow. The ContributeAsync is not visited.
So the ContributeAsync method is only visited on client_credentials flow. On IS4 version, I created DefaultTokenService class and this class is visited on both flows.
-
0
I called the token endpoint using refresh_token flow.
Can you share your access_token and HTTP request info?
-
0
Nope, I will not supply any further information. I am sick of endless questions.The issues is so clear, I asked you where the DefaultTokenService is gone, you said there is an alternative. I said alternative is not acting same when the flow is refresh_token. This is the summary and enough to see what is going on. If you have something to say, this information is enough. I am not your beta tester. I am tired of this buggy abp version. It already took 15 days to migrate. I am on live, stressed enough and I dont accept any meaningless questions anymore. If you are not able to give me a proper answer, please dont pretend to do so. This version of abp sucksssssss.. It is 5 times slower than before.. If you have nothing to say, close the ticket.
-
0
hi
refresh_token basically uses the claims from the access_token. So it shouldn't be a problem.
-
0
Bu there is a problem. I insist that IAbpClaimsPrincipalContributor is nothing to do with refresh_token flow. Is there anyone else can confirm me? Please do not answer if you have only assumptions but not tested for yourself.
-
0
I insist that IAbpClaimsPrincipalContributor is nothing to do with refresh_token flow
You will get
access_tokenandrefresh_tokenfirst. Then userefresh_tokento get them again.The
IAbpClaimsPrincipalContributorwill be called when generating theaccess_token, andrefresh_tokenwill copy claims fromaccess_token's principal.Talk is cheap. You can prepare a simple demo project to reproduce your real problem.
support@abp.io -
0
Here is the CoMedClaimsPrincipalContributor.cs used in test;
using System.Threading.Tasks; using Volo.Abp.DependencyInjection; using Volo.Abp.Security.Claims; namespace CoMed.AuthServer; public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency { public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context) { await Task.CompletedTask; } }
steps to create a test;
mkdir CoMed cd CoMed abp new CoMed -t microservice-pro -u blazor cd etc cd docker .\up.ps1 cd .. cd .. open \apps\auth-server\CoMed.AuthServer.sln in visual studio add CoMedClaimsPrincipalContributor.cs file. (path: apps\auth-server\src\CoMed.AuthServer\CoMedClaimsPrincipalContributor.cs)return to console
dotnet restore dotnet build /graphBuild.\run-tye.ps1
open browser browse https://localhost:44307 see afterLeptonXInitialization error still exists in v6.1 login with default credentials go to openid/applications tab create new application: clientid: demo displayname: Demo password: 123456 type: confidential client allow password flow allow client credentials flow allow refresh token flow give access to all scopes save the app close the browser stop the tye. ctrl+c reopen CoMed.AuthServer.sln project run project with CoMed.AuthServer profile. Place break point on CoMedClaimsPrincipalContributor/ContributeAsync method. Open postman ui. 1 - test with password flow:
var client = new RestClient("https://localhost:44322/connect/token"); client.Timeout = -1; var request = new RestRequest(Method.POST); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("client_id", "demo"); request.AddParameter("client_secret", "123456"); request.AddParameter("grant_type", "password"); request.AddParameter("username", "admin"); request.AddParameter("password", "1q2w3E*"); request.AddParameter("scope", "offline_access"); IRestResponse response = client.Execute(request); Console.WriteLine(response.Content);see break-point hits three times.
2 - copy the refresh_token value, use in your own test. test with refresh_token flow and see break point does not hit.
var client = new RestClient("https://localhost:44322/connect/token"); client.Timeout = -1; var request = new RestRequest(Method.POST); request.AddHeader("Content-Type", "application/x-www-form-urlencoded"); request.AddParameter("refresh_token", "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiIxNzQ5Njc3QzkwRjU1MDUyNTYwNDc0QUM4RDhGMjk2QTA2NkI4RDNCIiwidHlwIjoib2lfcmVmdCtqd3QifQ.joQFH7tLYdrHK1_g5B0p3i8Xvq-kivcQX7wtPwtHRMmxnfD_1csi1ik7GwpqWPfKKdC1X4NvXvBBw0PqgUmn11VsxJe8l8_PFZa9_p1M7OWKkbuKkkpU58Bb-cuw7VV-_lzeqKF4xqugK3Aeko5HAvESqwHoWARaw0BX1xnooue5D8lT-wtxeqbN9qY3kwFXnaIltosTQ6QqAQeGQ2Ft4NUd5QRI3hsv74LA3kDf2biJDtGxKmM-8JvA9ouA0trGg0EzS9b2vXuHDL4uFmWDrcMj9oLMgmcnXSO88d04gn--eU65VtDa_lu7ZYCiwPtJ5eX2BqVbdWl-YX9FSxsz5Q.WrtU66BNpifWT7RO3Aq-qA.kWx0LOOQmNmOHKJF79J_8eBzNytPr4pAR8AULxBHFRUAa4DkTVCKuxMbadF_lo9-Pw7Wr0cqKLvMl5DEh80J5Y726aO4qJRpBZQnkdLO_lKyfqKFohc86r9Cu0GWVfgJUvRd7e12_gJD7cWLZYN_wsfB1XQtGp-HnmzarJnECcAKUE4l__Ri_0cxQInoZhsdN27quYj3Qy-DiAoL6I3kmtjUalv3Qr00g8mPdnho3Ej3l-riu8ZvjNQokvsnCnkaCbCHQ_B4Do1ecYHEXPmVeObTf-L_GQmFan29AnuktXwPJfBQko0obDkRSdL5kLp1mroi-pgMo-ExFpYlgnAyt6fq0173vS4cnHcBHrnDWkeSZmcuT0PzSBmQc4C4KV0vEJxCPA8TqWUzixJ7IWwtWUfqMseDmgJG3pXTL43RiW1ZhdehnHmrw3hFRK5zG539OwCXTNGPcaVMB4kO29qihlRhiyxIvz9-DmPSXyzxFVDJVEsXbv5PLy0hv-OnBJgW7o3T7-FTmr1ckvmeb7yiXL35JFJ4JKbDJuVtHwQV-2bSssNIwjdOeNoJqxMoaH9rnmcAtn97PJt0hWH5nB8y4m1tXW4zP1fkmS2yPZmDEP3aFhgK1RlXW3tQWpSYN_TvT92_1BSyTo6nkNwNAraZGaTin9JLHp4uUUfORvwlqGmH3ji7UD4t1SXWAXYo09w5RjIc9ANnkN5d17JTeZGTrEj9A0_kXriLyjUm5GDJAKu2x-isp0zqHlnUXxBQpQn06XO9R2Aeu0jVcoX0Mxi36zS0yER_d1TX0mShbdU9rec4f9E5E-c53_tvIKW2yD6dbp-YnwMlgwi7AP0_YOQbpCwIvi04qZ77KJOLt2tRp0gHSk5oC4lepB7a4wGchdO0dAcj-BjLbVIqau-8YK_OLE3UfpxNU0Xp0AAB1XCWrijd3d3sD_9Qq52D7xy4JN7E0Rs_3sDQhGr36AX5Iew1lOZ-FWvUb7Cr30N_Eq6tbj7y-ubF4zxsFgb97frN9fupO71OKQx1ql1AF0TbAyT9Rs1fdHqYkPOkpoDEUflraitwYehnRFWumLfQCp7oaZ0hwdwpgJF9q4IATdf4fCJ0TRjXmmFk5YG7n6j7XIYBzXBd1ucg2XOybMI2YaU5mAvDj0O2esTEJd-EwUTt719myGyixUVLzFw25LUxc9fdcdIinvBffuMytkJbLe2LREs95SuACVMeZ6RT_x151gtl93vBwQWkuil_5UgyJVjdWVwOrRE5pPNU1siU3e6-ofxBPlZo7motsgAB3kyEdHrIIhd8Of1HwEuXefLPKV9LAurMGNau8x5HwkyJ6WkxVKuXRaIq1iGlR977WCqLA5WHw9j3MYPxkpB255KaQk3SDHke1KASduX5NbEfj3N9ttDOGB-cTGzRuItgI0vG8-hlRrC0xOP2g7sL6SElRAwWtiD3uxURFAJOt6TK12TAQ_RlNLWhvve-TVpbIqJkE4XdAJYHxaGegCbg07_iBvXX8qGByr1KLDaueAH0D2Zs-JkCbawJHa7lTAddkLRO19AdtGczRb-8vQhpFvPP3i526MBrY23pMeeRUasgbP4Tda1bTetbN7gNbVUm-icesy2gL9KPlJJQ0jnrA_miE3Vt89RQnevv5SVJgtNrXZlOASqHSLWozpj3E7sPAXDUH-jTi6KH71GgqG5GzwRenH5AN8Y2VdXllY24uzXt6tf_6x-recZGHY8AbQoP5DLhS9hSmfrCVAFPhfdhGuK77aiNPJMLPGLFSgnmu84BhXd7j5Qv0YhOH4FTm7cAlAxJGVatcg9wP_wu1HMdmPMWJ7q38aRlUawaGBeRzdQHnzq5UvlOcK1LboxbJe4-sulXSnxaiPXM2ZdbSY0l3ZkmNZrC5snhAsnGSUaF_soLRRBaDthtVza8q97Jqpi4y97vKRM_UwZubbaWv5VLF3K358BBabM9nz7qiUdR0B4Ib00UTrUIUY9Kjs7TWftPAAR7CdbKxo96hCf8rXMo7aXAOzG6t2t7a0IujucKK2i4wpYJZlj1-8xcFcu1vcvxXrGdLHXxlQU39Tgmus5OpHLkZY4hbLvsUpjV7jy4Cf_n7WGMR910fCtiZCfhPN9bvZ7oklh-HeAv34mvb94kfjjilHDqrbk.jC3WoYCk0LGa9NzsuVvE1GC0mv65plGJk-1swnm17iQ"); request.AddParameter("client_id", "demo"); request.AddParameter("client_secret", "123456"); request.AddParameter("grant_type", "refresh_token"); IRestResponse response = client.Execute(request); Console.WriteLine(response.Content); -
0
Any suggestions????
-
-1
hi mgurer
I confirmed that CoMedClaimsPrincipalContributor will not be called, Dynamic cliams may not be added or replaced. I will provide a solution as soon as possible,
-
0
public override void PreConfigureServices(ServiceConfigurationContext context) { PreConfigure<OpenIddictServerBuilder>(builder => { builder.AddEventHandler(MyPrepareAccessTokenPrincipal.Descriptor); }); }using System.Security.Claims; using OpenIddict.Abstractions; using OpenIddict.Server; using Volo.Abp.DependencyInjection; using Volo.Abp.Security.Claims; namespace MyPrepareAccessTokenPrincipal; public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency { public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context) { var identity = context.ClaimsPrincipal.Identities.FirstOrDefault(); identity?.AddClaim(new Claim("SocialSecurityNumber", "Old SocialSecurityNumber")); await Task.CompletedTask; } } public class MyPrepareAccessTokenPrincipal : IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext> { public static OpenIddictServerHandlerDescriptor Descriptor { get; } = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ProcessSignInContext>() .AddFilter<OpenIddictServerHandlerFilters.RequireAccessTokenGenerated>() .UseSingletonHandler<MyPrepareAccessTokenPrincipal>() .SetOrder(OpenIddictServerHandlers.PrepareAccessTokenPrincipal.Descriptor.Order + 1) .SetType(OpenIddictServerHandlerType.Custom) .Build(); public ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignInContext context) { var identity = context.AccessTokenPrincipal?.Identities.FirstOrDefault(); identity?.RemoveClaims("SocialSecurityNumber"); identity?.AddClaim(new Claim("SocialSecurityNumber", DateTime.Now.ToString("s"))); return default; } } -
1
Hi maliming.
Thank you.
The new solution works as expected.
It is way better than the previous one.
