Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Remember This Browser fails with Invalid Token #11272


User avatar
0
rickfrankel created

Prerequisites

Please answer the following questions before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.

  • What is your product version? 11.2.1

  • What is your product type (Angular or MVC)? Angular

  • What is product framework type (.net framework or .net core)?

.Net Core

If issue related with ABP Framework

  • What is ABP Framework version?

7.3

In TokenAuthController in the method TwoFactorAuthenticateAsync there is some code to create a new access token.

return CreateAccessToken(new[] { new Claim(UserIdentifierClaimType, user.ToUserIdentifier().ToString()) }, TimeSpan.FromDays(365) );

This is the token that is then stored in local storage on the client browser for the remember this browser feature.

When this token is passed back in as part of the remember this browser feature it is eventually passed into TwoFactorClientRememberedAsync which attempts to validate the token using var (principal, _) = await validator.ValidateToken(authenticateModel.TwoFactorRememberClientToken, validationParameters);

This fails in this code.

    public async Task<(ClaimsPrincipal, SecurityToken)> ValidateToken(string securityToken,
        TokenValidationParameters validationParameters)
    {
        var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out var validatedToken);

        if (!HasTokenType(principal, TokenType.AccessToken))
        {
            throw new SecurityTokenException("invalid token type");
        }

        return await ValidateTokenInternal(principal, validatedToken);
    
    
    The token generated from the above CreateAccessToken method does not have an accesstoken tokentype on it and thus throws the new securitytokenexception.
    
   
   
   I suspect the issue is because every other call to the CreateAccessToken method passes in await CreateJwtClaims() as it's first parameter and not a new [].
   
   Thanks

13 Answer(s)
  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @rickfrankel,

    Is your project a new 11.2.1 project or did you upgrade form an older version ? As far as I remember, this problem is fixed via https://github.com/aspnetboilerplate/aspnetboilerplate/pull/6414/files if this is not a new case.

  • User Avatar
    0
    rickfrankel created

    This is an upgraded project. However I already reviewed that PR and that code is in Abp.ZeroCore which I'm already running v 7.3.0 on.

    I also looked over that code and don't believe that it is relevant to the issue I'm seeing. I also compared my upgraded code to a freshly downloaded project and can't see any differences that could be causing the issue in the TokenAuthController or within XXXAsyncJwtSecurityTokenHandler.

    Unless there is somewhere else I should be looking.

  • User Avatar
    0
    rickfrankel created

    Hi @ismcagdas,

    I also can't see where any of that code in the Abp.ZeroCore library is called either. Even when searching the aspnet-zero-core repo either.

    I may be missing something here

  • User Avatar
    0
    rickfrankel created

    Hi @ismcagdas,

    Any update on this one?

    Thanks Rick

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @rickfrankel,

    Thanks, we will check this and get back to you.

  • User Avatar
    0
    rickfrankel created

    Hi @ismcagdas,

    Any updates on this one please?

    Thanks Rick

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi @rickfrankel

    Sorry for my late reply. It seems like our team couldn't reproduce this. Have you figure out a solution ? If not, I will check it and get back to you in a short time. Please let me know.

  • User Avatar
    0
    rickfrankel created

    I'll run a freshly downloaded version of my project and confirm the issue exists. Will revert tomorrow.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi Rick,

    Please follow https://github.com/aspnetzero/aspnet-zero-core/issues/4598, I have included this issue into 11.4 version which we are planning to release tomorrow.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi again @rickfrankel

    Could you share steps to reproduce this problem ? I also couldn't reproduce it probably because I'm not following your steps.

  • User Avatar
    0
    rickfrankel created

    Hi All,

    Here are the steps I just followed.

    1. Downloaded a fresh version of our project at 11.3 version (from the ASPNet zero).
    2. Ran yarn and npm create-bundles and then yarn start
    3. Ensured my local blank DB used for this kind of testing was up to date and ran the web host.
    4. Logged in as host and enabled the 2FA as follows.

    1. Refreshed the screen and went to My Settings -> 2 Factor and enabled Google
    2. Scanned the QR code on my phone and logged out of the app
    3. Logged in again and selected Google Authenticator from the dropdown screen.
    4. Entered my code and ticked Remember this browser.
    5. Confirmed I was logged in.
    6. Logged out again.
    7. Clicked login again
    8. And was presented with the Google Authenicator option in the send security code screen.
    9. Clicked submit and back to entering a code.

    Given on step 8 I selected remember this browser I shouldn't have had to select the authenticator type and enter the code again.

    As I pasted in the first message in this thread the above function is what is failing.

  • User Avatar
    0
    ismcagdas created
    Support Team

    Hi,

    This problem is fixed and will be released with 11.4 version.

  • User Avatar
    1
    rickfrankel created

    Thanks @ismcagdas,

    i manually merged your changes into my version and confirmed all working well.

    Thanks