Hi ismcagdas,
This issue is only related to three files. I have shared the files with you at https://drive.google.com/file/d/1vwPQA0HiYl-zEP5o94HlRorx36AjkbJQ/view?usp=sharing
\webapi\src\umsplus.Application.Shared\AppConsts.cs: public static TimeSpan AccessTokenExpiration = TimeSpan.FromMinutes(15); public static TimeSpan RefreshTokenExpiration = TimeSpan.FromDays(7);
Hi @m.aliozkaya, A call would be good. I'm available from10 AM to 5 PM AEST. But I will make me available after hours up to 10 PM if that suits you.
Hi ismcagdas,
refreshToken: { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]", "AspNet.Identity.SecurityStamp": "7HNZKYBQ65VMM5PMYEH3XS2P6754ZH5H", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Admin", "http://www.aspnetboilerplate.com/identity/claims/tenantId": "1", "WMSProUId": "2", "_g1362": "259fc6c0-d904-4c1d-9b9e-6de3bd439d89", "sub": "2", "jti": "d87e21c9-9dd4-4b00-be77-fde6da1df4df", "iat": 1732748386, "token_validity_key": "4c760f75-f2b5-44dd-9da5-8cdc7ea91cc2", "user_identifier": "2@1", "token_type": "1", "nbf": 1732748386, "exp": 1764284386, "iss": "umsplus", "aud": "umsplus" }
After RefreshToken, new accessToken: { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]", "AspNet.Identity.SecurityStamp": "LFBR6FGRUIQKJUYYGP6EBXZQPCYWK4ZP", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Admin", "http://www.aspnetboilerplate.com/identity/claims/tenantId": "1", "WMSProUId": "2", "_g1362": "4c6d908b-fc68-43fe-bf73-7bb72a2c7dcd", "sub": "2", "jti": "f4949ced-8889-4cb2-8bb0-fc012a4cec3c", "iat": 1732749456, "token_validity_key": "c234f015-766c-4d8c-b8e1-961d2f2837ad", "user_identifier": "2@1", "token_type": "0", "refresh_token_validity_key": "dadcf875-58fd-4ffe-ad97-52b55b3f787e", "nbf": 1732749456, "exp": 1732749576, "iss": "umsplus", "aud": "umsplus" }
newRefreshToken: { "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": "2", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name": "admin", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "[email protected]", "AspNet.Identity.SecurityStamp": "LFBR6FGRUIQKJUYYGP6EBXZQPCYWK4ZP", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role": "Admin", "http://www.aspnetboilerplate.com/identity/claims/tenantId": "1", "WMSProUId": "2", "_g1362": "4c6d908b-fc68-43fe-bf73-7bb72a2c7dcd", "sub": "2", "jti": "13c1a619-5187-4f73-970a-a4ce46d91251", "iat": 1732749456, "token_validity_key": "dadcf875-58fd-4ffe-ad97-52b55b3f787e", "user_identifier": "2@1", "token_type": "1", "nbf": 1732749456, "exp": 1732749696, "iss": "umsplus", "aud": "umsplus" }
Please download the video file.
Hi İsmail,
I have asked my colleagues to do the same test on the original Zero 13.3 code (both in debug and production build). My colleagues can reproduce it too. Could you please share a video of your test? Is there any difference between our test methods?
Hi m.aliozkaya,
Client uses _tokenService to getRefreshToken(). In src\assets\abp-web-resources\abp.js, abp.auth.getRefreshToken = function () { return abp.utils.getCookieValue(abp.auth.refreshTokenCookieName); } Please note that our app has http-only cookies enforced. This means the following methods in src\account\auth\zero-refresh-token.service.ts will fail. this._tokenService.getRefreshToken() this._tokenService.setToken(tokenResult.accessToken, tokenExpireDate); this._tokenService.setRefreshToken(tokenResult.refreshToken);
We tried adding a periodic checkAndRefreshToken() in zero-refresh-token.service.ts without success due to the http-only cookies enforcement.
We also tried to set the new tokens on server side when client calls the API RefreshToken(string refreshToken) in TokenAuthController.
var cookieOptions = new CookieOptions
{
Secure = true,
HttpOnly = true,
SameSite = SameSiteMode.None,
};
Response.Cookies.Append("Abp.AuthToken", accessToken, cookieOptions);
Response.Cookies.Append("Abp.AuthRefreshToken", newRrefreshToken.token, cookieOptions);
In theory, server can get the existing refresh token by using Request.Cookies["Abp.AuthRefreshToken'] if the client and server on the same domain with the same CookieOptions. However, we didn't get the refresh token in this way. It's always been null. What's the correct way to do this on server?
Hi,
ASP.NET Zero API: v13.3.0 | Angular client: v13.3.0
We want to shorten AccessTokenExipration to 15 minutes and RefreshTokenExpiration to 7 days.
The API Task<RefreshTokenResult> RefreshToken(string refreshToken) works fine in Swagger UI. However, there are following issues with the Angular client.
When the access token expires, if customer tries to open any page that is not on the main tree, it gives an internal error, instead of re-routing to the login page.
For example:
Go to Departments page and wait 15 minutes
Go to Custom fields page and get Internal error
Go to Controllers page and get Internal error
Go to Alarms page and now it redirects you to the login page
More importantly, RefreshToken is not called or not working in the client.
Has the RefreshToken() been fully implemented in the client? If not, please advise the method for the implementation.
We are aware that there is "this._tokenAuthService.refreshToken(token)" in tryAuthWithRefreshToken() in "src\account\auth\zero-refresh-token.service.ts". this._refreshTokenService.tryAuthWithRefreshToken() is called by canActivateInternal in "src\app\shared\common\auth\auth-route-guard.ts". But we need further assistance.
Hi İsmail, I have shared the original Zero 13.3 project with [email protected]
Hi İsmail,
Here is the video recorded from the original default Zero app V13.3.0. It doesn’t meet the following requirement: If the Operator successfully logs in with the remember browser option ticked, then they should not be prompted to enter 2FA again until they go to another browser.
Please investigate the issue.
The direct approach in UserAppService works. All the porting of the code was straightforward. I only needed to write a line of code to replace "await _securityStampHandler.RemoveSecurityStampCacheItem(tenantId, userId);"