Prerequisites
Please answer the following questions before submitting an issue. YOU MAY DELETE THE PREREQUISITES SECTION.
What is your product version? 11.2.1
What is your product type (Angular or MVC)? Angular
What is product framework type (.net framework or .net core)? .Net Core
If the issue is related to ABP Framework:
- What is ABP Framework version? 7.3
In TokenAuthController, in the method TwoFactorAuthenticateAsync, there is some code to create a new access token:
    return CreateAccessToken(new[] { new Claim(UserIdentifierClaimType, user.ToUserIdentifier().ToString()) }, TimeSpan.FromDays(365));
This is the token that is then stored in local storage on the client browser for the "Remember this browser" feature.
When this token is passed back in as part of the "Remember this browser" feature, it is eventually passed into TwoFactorClientRememberedAsync, which attempts to validate the token using:
    var (principal, _) = await validator.ValidateToken(authenticateModel.TwoFactorRememberClientToken, validationParameters);
This fails in this code:
    public async Task<(ClaimsPrincipal, SecurityToken)> ValidateToken(string securityToken,
        TokenValidationParameters validationParameters)
    {
        var principal = _tokenHandler.ValidateToken(securityToken, validationParameters, out var validatedToken);
        // Rejects the token unless it carries the AccessToken token-type claim
        if (!HasTokenType(principal, TokenType.AccessToken))
        {
            throw new SecurityTokenException("invalid token type");
        }
        return await ValidateTokenInternal(principal, validatedToken);
    }
The token generated from the above CreateAccessToken call does not have an AccessToken token type on it and thus throws the SecurityTokenException.
I suspect the issue is because every other call to the CreateAccessToken method passes in await CreateJwtClaims() as its first parameter and not a new[].
Thanks
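As an added illustration (not code from this thread or from the ASP.NET Zero / ABP projects), a stand-alone Python sketch of the failure mode described above: a validator that checks signature and expiry and then requires a token-type claim rejects a long-lived remember-client token minted with only a user-identifier claim, while the same token minted with the claim is accepted. The HS256 signing, the signing key and the claim names `user_identifier` and `token_type` are constructed for this example and are not ABP's actual claim types.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key; a real app keeps its signing key in configuration.
SECRET = b"constructed-demo-signing-key"
REMEMBER_LIFETIME = 365 * 24 * 3600  # TimeSpan.FromDays(365) in the thread

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def create_access_token(claims: dict, lifetime_seconds: int) -> str:
    """Stand-in for CreateAccessToken: HS256 JWT over exactly the claims given."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, exp=int(time.time()) + lifetime_seconds)
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str) -> dict:
    """Stand-in for ValidateToken: signature and expiry first, then the token-type check."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) < time.time():
        raise ValueError("token expired")
    # Assumed claim name; HasTokenType(principal, TokenType.AccessToken) plays this role in ABP.
    if payload.get("token_type") != "access":
        raise ValueError("invalid token type")
    return payload

def remember_client_token_buggy(user_identifier: str) -> str:
    # The reported behaviour: only the user identifier claim, no token type.
    return create_access_token({"user_identifier": user_identifier}, REMEMBER_LIFETIME)

def remember_client_token_fixed(user_identifier: str) -> str:
    # Same token carrying the token-type claim the validator requires.
    return create_access_token({"user_identifier": user_identifier, "token_type": "access"}, REMEMBER_LIFETIME)

def validation_error(token: str):
    """Return the validator's rejection reason, or None when the token is accepted."""
    try:
        validate_token(token)
    except ValueError as exc:
        return str(exc)
    return None
```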
13 Answer(s)
-
0
Hi @rickfrankel,
Is your project a new 11.2.1 project or did you upgrade from an older version? As far as I remember, this problem is fixed via https://github.com/aspnetboilerplate/aspnetboilerplate/pull/6414/files if this is not a new case.
-
0
This is an upgraded project. However, I already reviewed that PR, and that code is in Abp.ZeroCore, which I'm already running v7.3.0 of.
I also looked over that code and don't believe that it is relevant to the issue I'm seeing. I also compared my upgraded code to a freshly downloaded project and can't see any differences that could be causing the issue in the TokenAuthController or within XXXAsyncJwtSecurityTokenHandler.
Unless there is somewhere else I should be looking.
-
0
Hi @ismcagdas,
I also can't see where any of that code in the Abp.ZeroCore library is called, even when searching the aspnet-zero-core repo.
I may be missing something here.
-
0
Hi @ismcagdas,
Any update on this one?
Thanks Rick
-
0
Hi @rickfrankel,
Thanks, we will check this and get back to you.
-
0
Hi @ismcagdas,
Any updates on this one please?
Thanks Rick
-
0
Hi @rickfrankel
Sorry for my late reply. It seems like our team couldn't reproduce this. Have you figured out a solution? If not, I will check it and get back to you in a short time. Please let me know.
-
0
I'll run a freshly downloaded version of my project and confirm the issue exists. Will revert tomorrow.
-
0
Hi Rick,
Please follow https://github.com/aspnetzero/aspnet-zero-core/issues/4598. I have included this issue in the 11.4 version, which we are planning to release tomorrow.
-
0
Hi again @rickfrankel
Could you share steps to reproduce this problem? I also couldn't reproduce it, probably because I'm not following your steps.
-
0
Hi All,
Here are the steps I just followed.
- Downloaded a fresh version of our project at the 11.3 version (from ASP.NET Zero).
- Ran yarn and npm create-bundles, and then yarn start.
- Ensured my local blank DB used for this kind of testing was up to date and ran the web host.
- Logged in as host and enabled 2FA as follows.
- Refreshed the screen and went to My Settings -> 2 Factor and enabled Google
- Scanned the QR code on my phone and logged out of the app
- Logged in again and selected Google Authenticator from the dropdown screen.
- Entered my code and ticked Remember this browser.
- Confirmed I was logged in.
- Logged out again.
- Clicked login again
- And was presented with the Google Authenticator option in the "Send security code" screen.
- Clicked submit and was back to entering a code.
Given that in step 8 I selected "Remember this browser", I shouldn't have had to select the authenticator type and enter the code again.
As I pasted in the first message in this thread, the above function is what is failing.
-
0
Hi,
This problem is fixed and will be released with 11.4 version.
-
1
Thanks @ismcagdas,
I manually merged your changes into my version and confirmed all is working well.
Thanks