McAfee Antivirus reporting Volo.Abp.AuditLogging.HttpApi.Client.dll and Volo.Abp.IdentityServer.HttpApi.Client.dll as virus. Due to this we are not able to compile code. Kindly let us know how to resolve the issue.
Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).
If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.
We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.
I couldn't understand your scenario. If you set
AbsoluteRefreshTokenLifetime
to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.This is not related with ABP, you can check identity server docs for more information
Hi,
Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advise. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.Set AbsoluteRefreshTokenLifetime to 60100 i.e. 100 minutes.
Set AccessTokenLifetime to 605 i.e. 5 minutes.
Set IdentityTokenLifetime to 60*5 i.e. 5 minutes.
User remains active but forcefully gets logout after 5 minutes. There is no call to refresh token api from client application when doing such test. So, does application refreshes token automatically based on above settings or there is something additional we need to do to refresh token?Hello, This issue is related to SecurityStampValidator, you will have to just add below line in WebModule class in ConfigureServices method. It needs this package Microsoft.AspNetCore.Identity in case gives error for SecurityStampValidatorOptions. This will keep user active for 24 hours/ you can change as per your conveniece.
context.Services.Configure<SecurityStampValidatorOptions>(options => options.ValidationInterval = TimeSpan.FromHours(24));
Unfortunately the suggested code changes didn't worked for us. We added the code into Host module class and the user is still logged out forcefully after 5 minutes. Please note we are using .Net + Angular code template (ABP version 4.3.1). Can we have a short remote call to discuss and resolve this issue?
hi
You can implementation your own
AWSSESEmailSender
, Just likeMailKitSmtpEmailSender
.https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.MailKit/Volo/Abp/MailKit/MailKitSmtpEmailSender.cs#L15 https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.MailKit/Volo/Abp/MailKit/AbpMailKitModule.cs https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.MailKit/Volo/Abp/MailKit/IMailKitSmtpEmailSender.cs https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.MailKit/Volo/Abp/MailKit/AbpMailKitOptions.cs
Hi,
Please note we already have a SESEmailSender class in our project which is used to send out email notifications thru AWS SES. We want to understand how to invoke/integrate email send method of this class when password is reset by clicking "Forgot Password" ? In the interest of time, can we have a quick call remotely to understand and resolve this issue?
Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).
If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.
We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.
I couldn't understand your scenario. If you set
AbsoluteRefreshTokenLifetime
to 60*5, it will absolutely log you out after 5 mins. Keep this time longer and keep your Access and Identity tokens life time shorter so that, if the access token is compromised, it will be refreshed in short amount of time.This is not related with ABP, you can check identity server docs for more information
Hi, Thanks for your suggestion. I understand this is not related to ABP but the Identity server is integrated with ABP and thus reaching out to you for advise. Here is what we did but still not able to fix the problem. Will appreciate if you can do a remote call with us to understand and resolve the issue.
Set AbsoluteRefreshTokenLifetime to 60100 i.e. 100 minutes. Set AccessTokenLifetime to 605 i.e. 5 minutes. Set IdentityTokenLifetime to 60*5 i.e. 5 minutes. User remains active but forcefully gets logout after 5 minutes. There is no call to refresh token api from client application when doing such test. So, does application refreshes token automatically based on above settings or there is something additional we need to do to refresh token?
Try setting AccessTokenLifetime (or also IdentityTokenLifetime if you need) to 15*60 (token values are in seconds).
If you are using hybrid/authorization code flow and using refresh token; also set AbsoluteRefreshTokenLifetime to 15*60.
We have updated AbsoluteRefreshTokenLifetime, AccessTokenLifetime, IdentityTokenLifetime for 60*5 seconds for testing. But the application logs out forcefully even if the user is active. This is one of the important task we are looking to implement ASAP. We will appreciate your quick response.
The response of api is Status Code: 403 Forbidden
Can not find the given email address:Ish @s.com
It will throw an
UserFriendlyException
exception when the GetUserByEmail method cannot find user, and its status code will be 403, which is by design.protected virtual async Task<IdentityUser> GetUserByEmail(string email) { var user = await UserManager.FindByEmailAsync(email); if (user == null) { throw new UserFriendlyException(L["Volo.Account:InvalidEmailAddress", email]); } return user; }
https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.AspNetCore/Volo/Abp/AspNetCore/ExceptionHandling/DefaultHttpExceptionStatusCodeFinder.cs#L72
hi,
Actually this is not the issue. We have enabled the Forgot Password flow into front-end and ABP uses SMTP for sending email notifications.
For our project, we are using AWS SES service for sending email notification to users. All the example we have seen for forgot password are using SMTP methods. Will you please guide us how to utilize forgot password feature with AWS SES method?
This is one important ask our product owner is looking and we would like to finish this feature ASAP. We will appreciate your quick response
Thanks for your inputs.
I have incorporated all changes you have suggested as given urls
https://github.com/abpframework/abp-samples/blob/master/IdentityServerReferenceToken/aspnet-core/src/IDSReferenceToken.HttpApi.Host/IDSReferenceTokenHttpApiHostModule.cs#L131-L137
https://github.com/abpframework/abp-samples/blob/da789bb0737b9629e4171c2214f89479f3865f10/IdentityServerReferenceToken/aspnet-core/src/IDSReferenceToken.Domain/IdentityServer/IdentityServerDataSeedContributor.cs#L268
https://github.com/abpframework/abp-samples/blob/master/IdentityServerReferenceToken/aspnet-core/src/IDSReferenceToken.Domain/IdentityServer/IdentityServerDataSeedContributor.cs#L83-L88
Still we cannot access api’s from postman using revoked token.
Please let me know if we can have quick remote call to discuss and resolve the issue.
ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Separated (Angular): yes
We have custom login page and using AWS SES for sending emails. Steps performed
Code added in Login components <a href="/account/forgot-password" class="forgot_pass_cl"> {{ 'AbpAccount::ForgotPassword' | abpLocalization }}</a>
When we click on Forgot Password? Its redirected to url http://localhost:4200/account/forgot-password
We are entering aws certified email on submit its calling api https://localhost:44359/api/account/send-password-reset-code The response of api is Status Code: 403 Forbidden JSON Response {"error":{"code":null,"message":"Can not find the given email address:Ish***** **@****s.com","details":null,"data":{},"validationErrors":null}}
Downloaded latest package Volo.Abp.Identity.AspNetCore package in Lit***.HttpApi project
Define this package in the LitHttpApiModule class in the LitName.HttpApi project
Added entry in Lit***.HttpApi.Host project appsettings.json "App": { "ClientUrl": "http://localhost:4200", }
ConfigureUrls options.Applications["Angular"].RootUrl = configuration["App:ClientUrl"]; options.Applications["Angular"].Urls[AccountUrlNames.PasswordReset] = "account/reset-password"; options.Applications["Angular"].Urls[AccountUrlNames.EmailConfirmation] = "account/email-confirmation";
Added ConfigureUrls To ConfigureServices() method in Lit***HttpApiHostModule class
Getting 403 Forbidden error, please advise.
ABP Framework version: 4.1.3 UI type: Angular Tiered (MVC) or Identity Server Seperated (Angular): yes Exception message and stack trace: Steps to reproduce the issue:
Creating a new ticket as the previous ticket is closed - https://support.abp.io/QA/Questions/536/How-to-Restrict-users-multiple-login-session
Steps performed as per recommendation -
What could be the reason for this behaviour even token is revoked and still we can access api’s?
We tried the suggested approach but still facing difficulties. Is it possible for you to share a working example of custom page which includes all the components? We can refer it and use it for our use case.