Open Closed

Duplicate api resources in identity server #2672


User avatar
0
nicolas.muniere@soprasteria.com created

We are facing "Duplicate api resources" exception using identity server pro module. This bug has already been reported here a few month ago : https://support.abp.io/QA/Questions/1126/Bugs--Issues-v43X#answer-aee6a847-3590-2a64-81de-39fbde90446e

  • ABP Framework version: v5.1.3
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue: From a new solution, not tiered

Login with admin Open IdentityServer clients, edit AuthService_Swagger client Go to advanced -> Grant types and add client_credentials then save

Open postman, create a new get query on whatever, example https://localhost:44345/api/identity/users In authorization, select oauth2, then grant type : client credential access token url : https://localhost:44345/connect/token client id : AuthService_Swagger client secret : 1q2w3e* scope : AuthService then click 'get new access token'

=> it works correctly, because we are using a single scope

return to abp with admin account create a new api scope named AuthService.Read

edit api ressource and select the 2 scopes, save

In swagger, add the new scope AuthService.Read after AuthService

=> it does not work anymore, here is the error in logs

2022-03-04 09:42:42.689 +01:00 [INF] {"Details":"System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService\r\n at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)\r\n at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)","Category":"Error","Name":"Unhandled Exception","EventType":"Error","Id":3000,"Message":"Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService","ActivityId":"8000000a-0008-fc00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:42:42.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"UnhandledExceptionEvent"} 2022-03-04 09:42:42.689 +01:00 [FTL] Unhandled exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes) at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames) at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames) at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request) at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess) at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters) at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters) at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult) at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)

<br> we cas try to use only the new scope : In swagger, replace scope with only AuthService.Read

=> it does not work, here is the error in logs

[ERR] Client AuthService\_Swagger is not allowed access to scope AuthService.Read. 2022-03-04 09:50:08.023 +01:00 [ERR] Invalid scopes requested, {"ClientId":"AuthService\_Swagger","ClientName":"AuthService\_Swagger","GrantType":"client\_credentials","Scopes":null,"AuthorizationCode":"**","RefreshToken":"**","UserName":null,"AuthenticationContextReferenceClasses":null,"Tenant":null,"IdP":null,"Raw":{"grant\_type":"client\_credentials","scope":"AuthService.Read"},"$type":"TokenRequestValidationLog"} 2022-03-04 09:50:08.023 +01:00 [INF] {"ClientId":"AuthService\_Swagger","ClientName":"AuthService\_Swagger","RedirectUri":null,"Endpoint":"Token","SubjectId":null,"Scopes":null,"GrantType":"client\_credentials","Error":"invalid\_scope","ErrorDescription":null,"Category":"Token","Name":"Token Issued Failure","EventType":"Failure","Id":2001,"Message":null,"ActivityId":"80000051-000a-fe00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:50:08.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"TokenIssuedFailureEvent"}

We are currently blocked, and need urgently a solution. Our project is starting, and if we can't archieve authentication we will have to look atfer another technical solution. Thanks for your help


13 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I will check it out.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi

    Try named AuthService_Read instead of AuthService.Read.

    And create an Api resources named AuthService_Read.

    Add to client:

  • User Avatar
    0

    Hello, The workaround using many api resources, containing each one unique scope is working, thank you! But is cannot be a long term solution, is it a bug from abp.io or Identity Server?

    Thanks!

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    This is not a bug, this is design by identityserver

  • User Avatar
    0

    Hi, I do not agree with this, both Identity Server and abp allow administrator to configure multiple scopes on a unique api resource.

    Here is a link to documentation, http://docs.identityserver.io/en/latest/topics/resources.html You can see that ApiResources can be configured with many scopes

    public static readonly IEnumerable GetApiResources()
    {
        return new List
        {
            new ApiResource("invoice", "Invoice API")
            {
                Scopes = { "invoice.read", "invoice.pay", "manage" }
            },
            
            new ApiResource("customer", "Customer API")
            {
                Scopes = { "customer.read", "customer.contact", "manage" }
            }
        };
    }
    

    Do you have an idea?

  • User Avatar
    0

    Hi support team, any new on this subject?

  • User Avatar
    0
    gterdem created
    Support Team Senior .NET Developer

    Hi support team, any new on this subject?

    ABP design is to use single API resource to single API scope. Because we use permission management for authorization.

    If you want to use scope based authorization for your api, just fine.

    Can you explain your exact problem? Does IdentityServer Management UI not allowing you to use multiple scopes?

  • User Avatar
    0

    Hello, The problem is explained in my fisrt ticket, IdentityServer Management UI allow user to enter multiple scopes, but its not working.

  • User Avatar
    0

    Hello, Perhaps my explanations are not clear, please tell me what you need to investigate, I'm currently using multi api resources but if an admin select multi scope the sso will fail. Thanks

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    if an admin select multi scope the sso will fail.

    Is there any error logs?

  • User Avatar
    0

    Hello, yes, here is the copy of the logs :

    2022-03-04 09:42:42.689 +01:00 [INF] {"Details":"System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService\r\n at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames)\r\n at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters)\r\n at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context)\r\n at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context)\r\n at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)","Category":"Error","Name":"Unhandled Exception","EventType":"Error","Id":3000,"Message":"Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService","ActivityId":"8000000a-0008-fc00-b63f-84710c7967bb","TimeStamp":"2022-03-04T08:42:42.0000000Z","ProcessId":30676,"LocalIpAddress":"::1:44345","RemoteIpAddress":"::1","$type":"UnhandledExceptionEvent"} 2022-03-04 09:42:42.689 +01:00 [FTL] Unhandled exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService System.Exception: Duplicate api resources found. This is an invalid configuration. Use different names for API resources. Names found: AuthService at IdentityServer4.Stores.IResourceStoreExtensions.Validate(IEnumerable1 identity, IEnumerable1 apiResources, IEnumerable1 apiScopes) at IdentityServer4.Stores.IResourceStoreExtensions.FindResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames) at IdentityServer4.Stores.IResourceStoreExtensions.FindEnabledResourcesByScopeAsync(IResourceStore store, IEnumerable1 scopeNames) at IdentityServer4.Validation.DefaultResourceValidator.ValidateRequestedResourcesAsync(ResourceValidationRequest request) at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestedScopesAsync(NameValueCollection parameters, Boolean ignoreImplicitIdentityScopes, Boolean ignoreImplicitOfflineAccess) at IdentityServer4.Validation.TokenRequestValidator.ValidateClientCredentialsRequestAsync(NameValueCollection parameters) at IdentityServer4.Validation.TokenRequestValidator.RunValidationAsync(Func2 validationFunc, NameValueCollection parameters) at IdentityServer4.Validation.TokenRequestValidator.ValidateRequestAsync(NameValueCollection parameters, ClientSecretValidationResult clientValidationResult) at IdentityServer4.Endpoints.TokenEndpoint.ProcessTokenRequestAsync(HttpContext context) at IdentityServer4.Endpoints.TokenEndpoint.ProcessAsync(HttpContext context) at IdentityServer4.Hosting.IdentityServerMiddleware.Invoke(HttpContext context, IEndpointRouter router, IUserSession session, IEventService events, IBackChannelLogoutService backChannelLogoutService)

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    It seems a problem, I will research it.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    HI,

    I create an internal issue and will fix it in the next version.

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11