
DefaultTokenService #3938


User avatar
0
mgurer created
  • ABP Framework version: v6.0.0
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

Hi, there was a class named DefaultTokenService in IdentityServer4. After switching to OpenIddict, the class is missing. I used to override that class in the AuthServer project and add some dynamic claims to the token.

Can you suggest a new way to replace the missing class?

Thanks.


17 Answer(s)
  • User Avatar
    0
    maliming created
    Support Team

    hi

    https://docs.abp.io/en/abp/latest/Modules/OpenIddict#updating-claims-in-access_token-and-id_token

  • User Avatar
    0
    mgurer created

    Hi,

    I think the document is not about adding new claims to the token. It is about switching the destination of an already added claim. It helps to decide where the claim exists (id_token or access_token).

    The claims property of the context is a read-only array and cannot be altered. Using this class, I cannot add a new claim to the context, but I can alter its destination.

    I need to add new claims to the context, not to alter their locations.

    Thanks

  • User Avatar
    0
    maliming created
    Support Team

    hi

    https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory

  • User Avatar
    0
    mgurer created

    It works as expected on the password flow.

    I could not test it on the refresh_token flow. I will open another ticket for that issue.

    Thanks for your support.

  • User Avatar
    0
    mgurer created

    I just tested the refresh_token flow. The suggested solution is not suitable for refresh tokens. The solution is fine for the password flow. IdentityServer4's DefaultTokenService was working as expected. I need to alter/add claims to the token even in the refresh_token flow.

  • User Avatar
    0
    maliming created
    Support Team

    I just tested the refresh_token flow

    Can you share your steps?

  • User Avatar
    0
    mgurer created

    I created a microservice-pro project, ran the solution, and added a demo client with the client_credentials and refresh_token options available.

    Followed the steps in the document: https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory

    Added a ClaimsPrincipalContributor file to the authserver project.

    Called the token endpoint using the client_credentials flow. I successfully interrupted the flow and the breakpoint on the ContributeAsync method was hit. Then I called the token endpoint using the refresh_token flow. ContributeAsync was not visited.

    So the ContributeAsync method is only visited on the client_credentials flow. On the IS4 version, I created a DefaultTokenService class and this class was visited on both flows.

  • User Avatar
    0
    maliming created
    Support Team

    I called the token endpoint using refresh_token flow.

    Can you share your access_token and HTTP request info?

  • User Avatar
    0
    mgurer created

    Nope, I will not supply any further information. I am sick of endless questions. The issue is so clear: I asked you where the DefaultTokenService has gone, you said there is an alternative. I said the alternative is not acting the same when the flow is refresh_token. This is the summary and enough to see what is going on. If you have something to say, this information is enough. I am not your beta tester. I am tired of this buggy abp version. It already took 15 days to migrate. I am on live, stressed enough and I don't accept any meaningless questions anymore. If you are not able to give me a proper answer, please don't pretend to do so. This version of abp sucksssssss.. It is 5 times slower than before.. If you have nothing to say, close the ticket.

  • User Avatar
    0
    maliming created
    Support Team

    hi

    refresh_token basically uses the claims from the access_token. So it shouldn't be a problem.

  • User Avatar
    0
    mgurer created

    But there is a problem. I insist that IAbpClaimsPrincipalContributor has nothing to do with the refresh_token flow. Is there anyone else who can confirm this for me? Please do not answer if you only have assumptions and have not tested it yourself.

  • User Avatar
    0
    maliming created
    Support Team

    I insist that IAbpClaimsPrincipalContributor is nothing to do with refresh_token flow

    You will get access_token and refresh_token first. Then use refresh_token to get them again.

    The IAbpClaimsPrincipalContributor will be called when generating the access_token, and refresh_token will copy claims from access_token's principal.

    Talk is cheap. You can prepare a simple demo project to reproduce your real problem.
    support@abp.io

  • User Avatar
    0
    mgurer created

    Here is the CoMedClaimsPrincipalContributor.cs used in the test:

    using System.Threading.Tasks;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.Security.Claims;
    
    namespace CoMed.AuthServer;
    
    public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency
    {
        // Intentionally empty: the body only exists so a breakpoint can be placed here
        // to see which token flows invoke the contributor.
        public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
        {
            await Task.CompletedTask;
        }
    }
    

    Steps to create a test:

    mkdir CoMed
    cd CoMed
    abp new CoMed -t microservice-pro -u blazor
    
    cd etc
    cd docker
    .\up.ps1
    cd ..
    cd ..
    
    open \apps\auth-server\CoMed.AuthServer.sln in visual studio
    add CoMedClaimsPrincipalContributor.cs file. (path: apps\auth-server\src\CoMed.AuthServer\CoMedClaimsPrincipalContributor.cs)
    

    return to console

    dotnet restore
    dotnet build /graphBuild
    

    .\run-tye.ps1

    Open the browser and browse to https://localhost:44307 (the afterLeptonXInitialization error still exists in v6.1).
    Log in with the default credentials.
    Go to the OpenID > Applications tab and create a new application:
      client id: demo
      display name: Demo
      password: 123456
      type: confidential client
      allow password flow
      allow client credentials flow
      allow refresh token flow
      give access to all scopes
    Save the app, close the browser and stop tye (ctrl+c).
    Reopen the CoMed.AuthServer.sln project and run it with the CoMed.AuthServer profile.
    Place a breakpoint on the CoMedClaimsPrincipalContributor.ContributeAsync method.
    Open the Postman UI.

    1 - test with password flow:

    // Postman-generated RestSharp (v106 API) snippet for the password grant.
    using System;
    using RestSharp;

    var client = new RestClient("https://localhost:44322/connect/token");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
    request.AddParameter("client_id", "demo");
    request.AddParameter("client_secret", "123456");
    request.AddParameter("grant_type", "password");
    request.AddParameter("username", "admin");
    request.AddParameter("password", "1q2w3E*");
    // offline_access is what makes the server return a refresh_token alongside the access_token.
    request.AddParameter("scope", "offline_access");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);
    

    See the breakpoint hit three times.

    2 - copy the refresh_token value and use it in your own test. Test with the refresh_token flow and see that the breakpoint does not hit.

    // Postman-generated RestSharp (v106 API) snippet for the refresh_token grant.
    using System;
    using RestSharp;

    var client = new RestClient("https://localhost:44322/connect/token");
    client.Timeout = -1;
    var request = new RestRequest(Method.POST);
    request.AddHeader("Content-Type", "application/x-www-form-urlencoded");
    // The refresh_token value returned by the password-flow call above (one long string literal).
    request.AddParameter("refresh_token", "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJraWQiOiIxNzQ5Njc3QzkwRjU1MDUyNTYwNDc0QUM4RDhGMjk2QTA2NkI4RDNCIiwidHlwIjoib2lfcmVmdCtqd3QifQ.joQFH7tLYdrHK1_g5B0p3i8Xvq-kivcQX7wtPwtHRMmxnfD_1csi1ik7GwpqWPfKKdC1X4NvXvBBw0PqgUmn11VsxJe8l8_PFZa9_p1M7OWKkbuKkkpU58Bb-cuw7VV-_lzeqKF4xqugK3Aeko5HAvESqwHoWARaw0BX1xnooue5D8lT-wtxeqbN9qY3kwFXnaIltosTQ6QqAQeGQ2Ft4NUd5QRI3hsv74LA3kDf2biJDtGxKmM-8JvA9ouA0trGg0EzS9b2vXuHDL4uFmWDrcMj9oLMgmcnXSO88d04gn--eU65VtDa_lu7ZYCiwPtJ5eX2BqVbdWl-YX9FSxsz5Q.WrtU66BNpifWT7RO3Aq-qA.kWx0LOOQmNmOHKJF79J_8eBzNytPr4pAR8AULxBHFRUAa4DkTVCKuxMbadF_lo9-Pw7Wr0cqKLvMl5DEh80J5Y726aO4qJRpBZQnkdLO_lKyfqKFohc86r9Cu0GWVfgJUvRd7e12_gJD7cWLZYN_wsfB1XQtGp-HnmzarJnECcAKUE4l__Ri_0cxQInoZhsdN27quYj3Qy-DiAoL6I3kmtjUalv3Qr00g8mPdnho3Ej3l-riu8ZvjNQokvsnCnkaCbCHQ_B4Do1ecYHEXPmVeObTf-L_GQmFan29AnuktXwPJfBQko0obDkRSdL5kLp1mroi-pgMo-ExFpYlgnAyt6fq0173vS4cnHcBHrnDWkeSZmcuT0PzSBmQc4C4KV0vEJxCPA8TqWUzixJ7IWwtWUfqMseDmgJG3pXTL43RiW1ZhdehnHmrw3hFRK5zG539OwCXTNGPcaVMB4kO29qihlRhiyxIvz9-DmPSXyzxFVDJVEsXbv5PLy0hv-OnBJgW7o3T7-FTmr1ckvmeb7yiXL35JFJ4JKbDJuVtHwQV-2bSssNIwjdOeNoJqxMoaH9rnmcAtn97PJt0hWH5nB8y4m1tXW4zP1fkmS2yPZmDEP3aFhgK1RlXW3tQWpSYN_TvT92_1BSyTo6nkNwNAraZGaTin9JLHp4uUUfORvwlqGmH3ji7UD4t1SXWAXYo09w5RjIc9ANnkN5d17JTeZGTrEj9A0_kXriLyjUm5GDJAKu2x-isp0zqHlnUXxBQpQn06XO9R2Aeu0jVcoX0Mxi36zS0yER_d1TX0mShbdU9rec4f9E5E-c53_tvIKW2yD6dbp-YnwMlgwi7AP0_YOQbpCwIvi04qZ77KJOLt2tRp0gHSk5oC4lepB7a4wGchdO0dAcj-BjLbVIqau-8YK_OLE3UfpxNU0Xp0AAB1XCWrijd3d3sD_9Qq52D7xy4JN7E0Rs_3sDQhGr36AX5Iew1lOZ-FWvUb7Cr30N_Eq6tbj7y-ubF4zxsFgb97frN9fupO71OKQx1ql1AF0TbAyT9Rs1fdHqYkPOkpoDEUflraitwYehnRFWumLfQCp7oaZ0hwdwpgJF9q4IATdf4fCJ0TRjXmmFk5YG7n6j7XIYBzXBd1ucg2XOybMI2YaU5mAvDj0O2esTEJd-EwUTt719myGyixUVLzFw25LUxc9fdcdIinvBffuMytkJbLe2LREs95SuACVMeZ6RT_x151gtl93vBwQWkuil_5UgyJVjdWVwOrRE5pPNU1siU3e6-ofxBPlZo7motsgAB3kyEdHrIIhd8Of1HwEuXefLPKV9LAurMGNau8x5HwkyJ6WkxVKuXRaIq1iGlR977WCqLA5WHw9j3MYPxkpB255KaQk3SDHke1KASduX5NbEfj3N9ttDOGB-cTGzRuItgI0vG8-hlRrC0xOP2g7sL6SEl
RAwWtiD3uxURFAJOt6TK12TAQ_RlNLWhvve-TVpbIqJkE4XdAJYHxaGegCbg07_iBvXX8qGByr1KLDaueAH0D2Zs-JkCbawJHa7lTAddkLRO19AdtGczRb-8vQhpFvPP3i526MBrY23pMeeRUasgbP4Tda1bTetbN7gNbVUm-icesy2gL9KPlJJQ0jnrA_miE3Vt89RQnevv5SVJgtNrXZlOASqHSLWozpj3E7sPAXDUH-jTi6KH71GgqG5GzwRenH5AN8Y2VdXllY24uzXt6tf_6x-recZGHY8AbQoP5DLhS9hSmfrCVAFPhfdhGuK77aiNPJMLPGLFSgnmu84BhXd7j5Qv0YhOH4FTm7cAlAxJGVatcg9wP_wu1HMdmPMWJ7q38aRlUawaGBeRzdQHnzq5UvlOcK1LboxbJe4-sulXSnxaiPXM2ZdbSY0l3ZkmNZrC5snhAsnGSUaF_soLRRBaDthtVza8q97Jqpi4y97vKRM_UwZubbaWv5VLF3K358BBabM9nz7qiUdR0B4Ib00UTrUIUY9Kjs7TWftPAAR7CdbKxo96hCf8rXMo7aXAOzG6t2t7a0IujucKK2i4wpYJZlj1-8xcFcu1vcvxXrGdLHXxlQU39Tgmus5OpHLkZY4hbLvsUpjV7jy4Cf_n7WGMR910fCtiZCfhPN9bvZ7oklh-HeAv34mvb94kfjjilHDqrbk.jC3WoYCk0LGa9NzsuVvE1GC0mv65plGJk-1swnm17iQ");
    request.AddParameter("client_id", "demo");
    request.AddParameter("client_secret", "123456");
    request.AddParameter("grant_type", "refresh_token");
    IRestResponse response = client.Execute(request);
    Console.WriteLine(response.Content);
    
  • User Avatar
    0
    mgurer created

    Any suggestions????

  • User Avatar
    0
    maliming created
    Support Team

    hi mgurer

    I confirmed that CoMedClaimsPrincipalContributor will not be called; dynamic claims may not be added or replaced. I will provide a solution as soon as possible.

  • User Avatar
    0
    maliming created
    Support Team
    // In the AuthServer module class (requires: using Microsoft.Extensions.DependencyInjection;
    // using Volo.Abp.Modularity;). Registers the custom OpenIddict server event handler.
    public override void PreConfigureServices(ServiceConfigurationContext context)
    {
        PreConfigure<OpenIddictServerBuilder>(builder =>
        {
            builder.AddEventHandler(MyPrepareAccessTokenPrincipal.Descriptor);
        });
    }
    
    
    
    using System;
    using System.Linq;
    using System.Security.Claims;
    using System.Threading.Tasks;
    using OpenIddict.Abstractions;
    using OpenIddict.Server;
    using Volo.Abp.DependencyInjection;
    using Volo.Abp.Security.Claims;
    
    // Use the project namespace. The original snippet's namespace carried the same name as the
    // handler class, which makes "MyPrepareAccessTokenPrincipal.Descriptor" ambiguous from the module.
    namespace CoMed.AuthServer;
    
    // Runs when ABP first builds the principal (password / client_credentials flows), not on refresh_token.
    public class CoMedClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency
    {
        public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
        {
            var identity = context.ClaimsPrincipal.Identities.FirstOrDefault();
            identity?.AddClaim(new Claim("SocialSecurityNumber", "Old SocialSecurityNumber"));
            await Task.CompletedTask;
        }
    }
    
    
    // Runs on every sign-in that generates an access token, including the refresh_token grant.
    public class MyPrepareAccessTokenPrincipal : IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext>
    {
        public static OpenIddictServerHandlerDescriptor Descriptor { get; }
                = OpenIddictServerHandlerDescriptor.CreateBuilder<OpenIddictServerEvents.ProcessSignInContext>()
                    .AddFilter<OpenIddictServerHandlerFilters.RequireAccessTokenGenerated>()
                    .UseSingletonHandler<MyPrepareAccessTokenPrincipal>()
                    // Order + 1: run right after OpenIddict's built-in PrepareAccessTokenPrincipal handler,
                    // so the claim is added to the already prepared access token principal.
                    .SetOrder(OpenIddictServerHandlers.PrepareAccessTokenPrincipal.Descriptor.Order + 1)
                    .SetType(OpenIddictServerHandlerType.Custom)
                    .Build();
    
        public ValueTask HandleAsync(OpenIddictServerEvents.ProcessSignInContext context)
        {
            var identity = context.AccessTokenPrincipal?.Identities.FirstOrDefault();
            // Replace the value copied from the previous token with a freshly computed one.
            identity?.RemoveClaims("SocialSecurityNumber");
            identity?.AddClaim(new Claim("SocialSecurityNumber", DateTime.Now.ToString("s")));
            return default;
        }
    }
    
    
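The handler above shows the mechanism; the following is an added example (not code from the thread or from ABP/OpenIddict) that generalizes it to the original requirement of dynamic, per-user claims recomputed on every token issuance, including the refresh_token grant. It assumes a hypothetical `IDynamicClaimProvider` service and its sample `StaticDepartmentProvider` implementation (both constructed here); everything else uses OpenIddict's public server API as on the page. The handler is registered the same way as `MyPrepareAccessTokenPrincipal` (`builder.AddEventHandler(RefreshDynamicClaimsHandler.Descriptor)` in `PreConfigureServices`).

```csharp
// Added example, not the project's own code. Hypothetical: IDynamicClaimProvider, StaticDepartmentProvider.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using OpenIddict.Abstractions;
using OpenIddict.Server;
using Volo.Abp.DependencyInjection;
using static OpenIddict.Server.OpenIddictServerEvents;

namespace CoMed.AuthServer;

// Hypothetical application service that computes a per-user claim value from current data.
public interface IDynamicClaimProvider
{
    Task<string?> GetDepartmentAsync(string userId);
}

// Sample implementation with a constructed value; a real one would query the database.
// ITransientDependency lets ABP register it automatically.
public class StaticDepartmentProvider : IDynamicClaimProvider, ITransientDependency
{
    public Task<string?> GetDepartmentAsync(string userId) => Task.FromResult<string?>("engineering");
}

public class RefreshDynamicClaimsHandler : IOpenIddictServerHandler<ProcessSignInContext>
{
    public const string ClaimType = "department";

    private readonly IDynamicClaimProvider _provider;

    // UseScopedHandler (below) lets OpenIddict inject scoped services such as DbContext-backed
    // repositories, which a singleton handler cannot safely hold.
    public RefreshDynamicClaimsHandler(IDynamicClaimProvider provider) => _provider = provider;

    public static OpenIddictServerHandlerDescriptor Descriptor { get; }
        = OpenIddictServerHandlerDescriptor.CreateBuilder<ProcessSignInContext>()
            // Only run when an access token is actually being generated.
            .AddFilter<OpenIddictServerHandlerFilters.RequireAccessTokenGenerated>()
            .UseScopedHandler<RefreshDynamicClaimsHandler>()
            // After OpenIddict has prepared the access token principal, so the added claim is not
            // dropped by the destination filtering done in PrepareAccessTokenPrincipal.
            .SetOrder(OpenIddictServerHandlers.PrepareAccessTokenPrincipal.Descriptor.Order + 1)
            .SetType(OpenIddictServerHandlerType.Custom)
            .Build();

    public async ValueTask HandleAsync(ProcessSignInContext context)
    {
        var identity = context.AccessTokenPrincipal?.Identities.FirstOrDefault();
        var subject = context.AccessTokenPrincipal?.GetClaim(OpenIddictConstants.Claims.Subject);
        if (identity is null || string.IsNullOrEmpty(subject))
        {
            return; // nothing to attach the claim to
        }

        // On a refresh_token grant the principal is a copy of the original token's claims, so any
        // value left in it is stale. Always drop it and recompute from the current data source.
        identity.RemoveClaims(ClaimType);

        var department = await _provider.GetDepartmentAsync(subject);
        if (!string.IsNullOrEmpty(department))
        {
            identity.AddClaim(new Claim(ClaimType, department));
        }
    }
}
```

Two points worth checking in your own project: the `RequireAccessTokenGenerated` filter means this handler touches only the access token, so an `id_token` issued in the same response would need a sibling handler filtered on `RequireIdentityTokenGenerated` and ordered after `PrepareIdentityTokenPrincipal`; and because the handler runs for every grant type, removing the claim before recomputing it is what keeps a value from an earlier token from surviving a refresh.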
  • User Avatar
    1
    mgurer created

    Hi maliming.

    Thank you.

    The new solution works as expected.

    It is way better than the previous one.

Made with ❤️ on ABP v9.1.0-rc.1. Updated on January 17, 2025, 14:13