
What is linking user feature and how does it work? #1974


0
nhontran created
  • ABP Framework version: v4.4.3
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Hi, I was searching for how to achieve SSO for a user when switching tenants and saw the linking user feature. Could you please explain how it works? I could not find any documentation about it.

I had logged in as user1, selected "new link user" and logged in as user2. It prompted "The target user is not linked to you!", and there was an error when requesting the access token:

{"ClientId": null, "ClientName": null, "ValidateLifetime": true, "AccessTokenType": "Jwt", "ExpectedScope": null, "TokenHandle": null, "JwtId": null, "Claims": {"nbf": 1634111151, "exp": 1665647151, "iss": "https://localhost:44349", "aud": "abp_latest", "client_id": "abp_latest_App", "sub": "a8346126-26bd-e475-29df-39ff8ac671b5", "auth_time": 1634111150, "idp": "local", "preferred_username": "user1", "role": "user_role", "phone_number_verified": "False", "email": "[email protected]", "email_verified": "False", "name": "user1", "sid": "C9AD8A4E92DBF82F9D6A7A5900988C02", "iat": 1634111151, "scope": ["openid", "profile", "role", "email", "phone", "abp_latest", "offline_access"], "amr": "pwd"}, "$type": "TokenValidationLog"} [15:50:08 ERR] Invalid extension grant{"error": "The target user is not linked to you!"}, details: {"ClientId": "abp_latest_App", "ClientName": "abp_latest_App", "GrantType": "LinkLogin", "Scopes": "abp_latest email offline_access openid phone profile role", "AuthorizationCode": "********", "RefreshToken": "********", "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "LinkLogin", "LinkUserId": "a8346126-26bd-e475-29df-39ff8ac671b5",


16 Answer(s)
  • 0
    albert created
    Support Team

    This exception is thrown only if the target user is not linked to you, and the link check is done here: https://github.com/abpframework/abp/blob/dev/modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/IdentityLinkUserManager.cs#L96

    Check that your user.id and target user.id exist in the AbpLinkUsers db table.

  • 0
    maliming created
    Support Team

    You can also download the source code of Account Pro module and check the LinkLoginExtensionGrantValidator

  • 0
    nhontran created

    Hi @albert, there is no record in AbpLinkUsers, that's why I clicked the add new link user. It redirected me to the login screen, and after login the verification failed and threw the exception. So, how do I add the new link user and what are the criteria?

    I have overridden and debugged the login method and found that this one returns false, but I don't understand what this method is doing. Can you help explain?

            protected override async Task<bool> VerifyLinkTokenAsync()
            {
                if (LinkToken.IsNullOrWhiteSpace() || LinkUserId == null)
                {
                    return false;
                }
    
                return await IdentityLinkUserAppService.VerifyLinkTokenAsync(new VerifyLinkTokenInput
                {
                    UserId = LinkUserId.Value,
                    TenantId = LinkTenantId,
                    Token = LinkToken
                });
            }
    
  • 0
    maliming created
    Support Team

    after login the verification failed and threw the exception. So, how do I add the new link user and what are the criteria?

    Can you share the details? You can check the logs to see the error.

  • 0
    nhontran created

    Hi @maliming, this is the log that I provided already:

    {"ClientId": null, "ClientName": null, "ValidateLifetime": true, "AccessTokenType": "Jwt", "ExpectedScope": null, "TokenHandle": null, "JwtId": null, "Claims": {"nbf": 1634111151, "exp": 1665647151, "iss": "https://localhost:44349", "aud": "abp_latest", "client_id": "abp_latest_App", "sub": "a8346126-26bd-e475-29df-39ff8ac671b5", "auth_time": 1634111150, "idp": "local", "preferred_username": "user1", "role": "user_role", "phone_number_verified": "False", "email": "[email protected]", "email_verified": "False", "name": "user1", "sid": "C9AD8A4E92DBF82F9D6A7A5900988C02", "iat": 1634111151, "scope": ["openid", "profile", "role", "email", "phone", "abp_latest", "offline_access"], "amr": "pwd"}, "$type": "TokenValidationLog"} [15:50:08 ERR] Invalid extension grant{"error": "The target user is not linked to you!"}, details: {"ClientId": "abp_latest_App", "ClientName": "abp_latest_App", "GrantType": "LinkLogin", "Scopes": "abp_latest email offline_access openid phone profile role", "AuthorizationCode": "********", "RefreshToken": "********", "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"grant_type": "LinkLogin", "LinkUserId": "a8346126-26bd-e475-29df-39ff8ac671b5",

    As I explained, I want to add "new link user". There was a popup asking me to log out and log in with the new user, after which the two accounts will be linked:

    But I got the above exception after logging in as the new user. The problem is that VerifyLinkTokenAsync() returns false in OnPostAsync() during the login of the new user. I just want to know why, and what are the criteria for it to return true? Both users do exist in the system with the same tenant.

  • 0
    maliming created
    Support Team

    Can you share the full log of the request from start to end?

  • 0
    nhontran created

    Hi @maliming, you can refer to this link for the full log: https://1drv.ms/t/s!ApPUoIZEMrYMtm4KDQ1L_T88OQZ_?e=adGw5d

    thanks for your support.

  • 0
    maliming created
    Support Team

    hi

    [09:54:50 WRN] VerifyUserTokenAsync() failed with purpose: AbpLinkUserLogin for user.

    It seems that there is a problem with the Token. You can try:

    1. Clear the redis cache.
    2. Create a new project to try if 1 is not working.
  • 0
    nhontran created

    Hi @maliming, I just tried to clear the Redis cache, and it's still not working. I have tested this in the new project already. Do you want to schedule a session to check?

  • 0
    maliming created
    Support Team

    I have tested this in the new project already.

    Does it work in the new project?

  • 0
    nhontran created

    No, it does not work with the new project either.

  • 0
    maliming created
    Support Team

    I will test it in 4.4.3. (Angular + Identity Server Separate )

  • 0
    maliming created
    Support Team

    hi

    I have confirmed that this is a problem, I will fix it and share with you the solution.

  • 0
    nhontran created

    Thanks, maliming, for your confirmation. Please share the fix with me once you have it.

  • 0
    maliming created
    Support Team

    hi

    Please enable the DataProtection and SetApplicationName(use_same_name)
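
Why the same application name matters, as an added example that is not from the thread or from ABP's code: ASP.NET Core Data Protection treats the application name as an isolation discriminator, so a payload protected by one host cannot be unprotected by a host configured with a different name, even when both read the same key ring. The host names, key directory and payload below are constructed for illustration, and the example assumes the link token is protected with Data Protection, as the fix implies.

```csharp
// Added example; requires the Microsoft.AspNetCore.DataProtection.Extensions package.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

public static class LinkTokenIsolationDemo
{
    // Builds a protector the way one host would: shared key ring, per-host application name.
    // The purpose string is borrowed from the log line in the thread and is illustrative only.
    static IDataProtector CreateHostProtector(DirectoryInfo keyRing, string applicationName) =>
        DataProtectionProvider
            .Create(keyRing, builder => builder.SetApplicationName(applicationName))
            .CreateProtector("AbpLinkUserLogin");

    // Returns true when the verifying host can unprotect the token.
    static bool TryVerify(IDataProtector verifier, string token)
    {
        try
        {
            verifier.Unprotect(token);
            return true;
        }
        catch (CryptographicException)
        {
            // Wrong application name, wrong key ring or tampered payload all end up here.
            return false;
        }
    }

    public static void Main()
    {
        // Constructed key ring location shared by both hypothetical hosts.
        var keyRing = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "link-demo-keys"));
        keyRing.Create();

        // The host that issues the token (hypothetical name).
        var issuer = CreateHostProtector(keyRing, "Demo.HttpApi.Host");
        string token = issuer.Protect("constructed-link-token-payload");

        // The host that verifies it, first with its own name, then with the shared name.
        var mismatched = CreateHostProtector(keyRing, "Demo.IdentityServer");
        var matched = CreateHostProtector(keyRing, "Demo.HttpApi.Host");

        Console.WriteLine($"different application names: {TryVerify(mismatched, token)}");
        Console.WriteLine($"same application name:       {TryVerify(matched, token)}");
    }
}
```

In a separated deployment, both hosts also need to read the same key ring (for example a shared store) in addition to using the same application name.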

  • 0
    nhontran created

    Hi @maliming, the fix is working, I am able to link the user now.

    Thanks for your support!