Identityserver4: Problem on upgrade to v4.0.0 with Vue.js + oidc-client app

Created on 24 Jun 2020 · 15 Comments · Source: IdentityServer/IdentityServer4

Problem

After upgrading IdentityServer4 to v4.0.0 the oidc-client library now returns an undefined user object.
Since I haven't changed the client app, I wonder if this rings any bell.

Details

I have upgraded IdentityServer4 and the QuickstartUI in the auth server app.
After the upgrade my API scope got disabled (I believe due to the addition of the Enabled column) so I re-enabled it and it looks to me like the server app is working fine.

With the unchanged client app (vue.js 2.6.11 + oidc-client 1.10.1) the login callback page's
const currentUser = await AuthSvc.signinRedirectCallback();
now returns a null user.
The signinRedirectCallback() does not error out on its own but then my app needs the user object to determine what to do and throws as it is now undefined.

I tried moving from the implicit grant type to the authorization_code grant type (as in the current docs at https://identityserver4.readthedocs.io/en/latest/quickstarts/4_javascript_client.html) but I still get an undefined user.

Relevant AuthenticationService

import { UserManager } from "oidc-client";

class AuthenticationService extends UserManager {
  constructor() {
    super({
      authority: process.env.VUE_APP_AUTHORITY,
      redirect_uri: process.env.VUE_APP_LOGIN_URI,
      client_id: "myVueApp",
      response_type: "code",
      scope: "openid profile email phone roles myApi",
      post_logout_redirect_uri: process.env.VUE_APP_LOGOUT_URI
    });
  }

  async login() {
    await this.signinRedirect();
    return this.getUser();
  }

  async logout() {
    return this.signoutRedirect();
  }
}

const authenticationService = new AuthenticationService();
export { authenticationService as default };

Adding response_mode: "query" doesn't change the behavior.

Labels: question, wontfix

All 15 comments

Do you have any IS logs for more info?

I found out the following:

  • As mentioned before, during the EF migration, the column "Enabled" gets added to "ApiScopes" defaulting to "false", effectively disabling all ApiScopes --> I re-enabled them
  • Also, the rename of the table "IdentityClaims" to "IdentityResourceClaims" results in the table being wiped --> I repopulated it

This is the debug log of IS:

[11:24:34 INF] Starting IdentityServer4 version 4.0.0+1acafade44176bf817412aa4309d5dff6587a741
[11:24:34 INF] Using the default authentication scheme idsrv for IdentityServer
[11:24:34 DBG] Using idsrv as default ASP.NET Core scheme for authentication
[11:24:34 DBG] Using idsrv as default ASP.NET Core scheme for sign-in
[11:24:34 DBG] Using idsrv as default ASP.NET Core scheme for sign-out
[11:24:34 DBG] Using idsrv as default ASP.NET Core scheme for challenge
[11:24:34 DBG] Using idsrv as default ASP.NET Core scheme for forbid
[11:24:47 INF] Removing 0 grants
[11:24:47 INF] Removing 0 device flow codes
[11:24:52 DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:8080
[11:24:52 DBG] Origin http://localhost:8080 is allowed: True
[11:24:52 DBG] CorsPolicyService allowed origin: http://localhost:8080
[11:24:52 DBG] Login Url: /Account/Login
[11:24:52 DBG] Login Return Url Parameter: ReturnUrl
[11:24:52 DBG] Logout Url: /Account/Logout
[11:24:52 DBG] ConsentUrl Url: /consent
[11:24:52 DBG] Consent Return Url Parameter: returnUrl
[11:24:52 DBG] Error Url: /home/error
[11:24:52 DBG] Error Id Parameter: errorId
[11:24:52 DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
[11:24:53 DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
[11:24:53 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
[11:24:53 DBG] Start discovery request
[11:24:53 DBG] Found ["openid", "profile", "email", "phone", "roles", "myApi"] as all scopes, and ["myApi"] as API resources
[11:24:53 DBG] Request path /connect/authorize matched to endpoint type Authorize
[11:24:53 DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeEndpoint
[11:24:53 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeEndpoint for /connect/authorize
[11:24:54 DBG] Start authorize request
[11:24:54 DBG] No user present in authorize request
[11:24:54 DBG] Start authorize request protocol validation
[11:24:54 DBG] myVue found in database: True
[11:24:54 DBG] client configuration validation for client myVue succeeded.
[11:24:54 DBG] Checking for PKCE parameters
[11:24:54 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:24:54 DBG] Found [] API resources in database
[11:24:54 DBG] Found ["myApi"] scopes in database
[11:24:55 DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[11:24:55 DBG] ValidatedAuthorizeRequest
{"ClientId": "myVue", "ClientName": "MY Vue", "RedirectUri": "http://localhost:8080/logincallback/#", "AllowedRedirectUris": ["http://localhost:8080/logincallback/#", "http://localhost:5000/logincallback/#"], "SubjectId": "anonymous", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", "RequestedScopes": "openid profile email phone roles myApi", "State": "3257bc91f4a74930b87edd6b48f09785", "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": "", "Raw": {"client_id": "myVue", "redirect_uri": "http://localhost:8080/logincallback/#", "response_type": "code", "scope": "openid profile email phone roles myApi", "state": "3257bc91f4a74930b87edd6b48f09785", "code_challenge": "wWxtW5ifmhMrBUpH9meIHbsSAZl1ntScbvlsAYM7ChM", "code_challenge_method": "S256", "response_mode": "query"}, "$type": "AuthorizeRequestValidationLog"}
[11:24:55 INF] Showing login: User is not authenticated
[11:24:55 DBG] Start authorize request protocol validation
[11:24:55 DBG] myVue found in database: True
[11:24:55 DBG] client configuration validation for client myVue succeeded.
[11:24:55 DBG] Checking for PKCE parameters
[11:24:55 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:24:55 DBG] Found [] API resources in database
[11:24:55 DBG] Found ["myApi"] scopes in database
[11:24:55 DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[11:24:55 DBG] myVue found in database: True
[11:24:55 DBG] client configuration validation for client myVue succeeded.
[11:25:03 INF] Removing 0 grants
[11:25:03 INF] Removing 0 device flow codes
[11:25:18 INF] Removing 0 grants
[11:25:18 INF] Removing 0 device flow codes
[11:25:19 DBG] CORS request made for path: /Account/Login from origin: null but was ignored because path was not for an allowed IdentityServer CORS endpoint
[11:25:19 DBG] Start authorize request protocol validation
[11:25:19 DBG] myVue found in database: True
[11:25:19 DBG] client configuration validation for client myVue succeeded.
[11:25:19 DBG] Checking for PKCE parameters
[11:25:19 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:25:19 DBG] Found [] API resources in database
[11:25:19 DBG] Found ["myApi"] scopes in database
[11:25:19 DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[11:25:20 DBG] Augmenting SignInContext
[11:25:20 DBG] Adding idp claim with value: local
[11:25:20 DBG] Adding amr claim with value: pwd
[11:25:20 DBG] Adding auth_time claim with value: 1593077120
[11:25:20 DBG] Request path /connect/authorize/callback matched to endpoint type Authorize
[11:25:20 DBG] Endpoint enabled: Authorize, successfully created handler: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint
[11:25:20 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.AuthorizeCallbackEndpoint for /connect/authorize/callback
[11:25:20 DBG] Start authorize callback request
[11:25:20 DBG] User in authorize request: Edoardo
[11:25:20 DBG] Start authorize request protocol validation
[11:25:20 DBG] myVue found in database: True
[11:25:20 DBG] client configuration validation for client myVue succeeded.
[11:25:20 DBG] Checking for PKCE parameters
[11:25:20 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:25:20 DBG] Found [] API resources in database
[11:25:20 DBG] Found ["myApi"] scopes in database
[11:25:20 DBG] Calling into custom validator: IdentityServer4.Validation.DefaultCustomAuthorizeRequestValidator
[11:25:20 DBG] ValidatedAuthorizeRequest
{"ClientId": "myVue", "ClientName": "MY Vue", "RedirectUri": "http://localhost:8080/logincallback/#", "AllowedRedirectUris": ["http://localhost:8080/logincallback/#", "http://localhost:5000/logincallback/#"], "SubjectId": "Edoardo", "ResponseType": "code", "ResponseMode": "query", "GrantType": "authorization_code", "RequestedScopes": "openid profile email phone roles myApi", "State": "3257bc91f4a74930b87edd6b48f09785", "UiLocales": null, "Nonce": null, "AuthenticationContextReferenceClasses": null, "DisplayMode": null, "PromptMode": "", "MaxAge": null, "LoginHint": null, "SessionId": "CD4D94F0FA594834F4AD28FEF7524819", "Raw": {"client_id": "myVue", "redirect_uri": "http://localhost:8080/logincallback/#", "response_type": "code", "scope": "openid profile email phone roles myApi", "state": "3257bc91f4a74930b87edd6b48f09785", "code_challenge": "wWxtW5ifmhMrBUpH9meIHbsSAZl1ntScbvlsAYM7ChM", "code_challenge_method": "S256", "response_mode": "query"}, "$type": "AuthorizeRequestValidationLog"}
[11:25:20 DBG] Client is configured to not require consent, no consent is required
[11:25:20 DBG] Creating Authorization Code Flow response.
[11:25:21 DBG] acsjOkPYkEaMaFD4ZF8mgoxsrmiHu7/uLYvNaX4C/VE= not found in database
[11:25:21 DBG] Authorize endpoint response
{"SubjectId": "Edoardo", "ClientId": "myVue", "RedirectUri": "http://localhost:8080/logincallback/#", "State": "3257bc91f4a74930b87edd6b48f09785", "Scope": "openid profile email phone roles myApi", "Error": null, "ErrorDescription": null, "$type": "AuthorizeResponseLog"}
[11:25:21 DBG] Augmenting SignInContext
[11:25:22 DBG] CORS request made for path: /.well-known/openid-configuration from origin: http://localhost:8080
[11:25:22 DBG] Origin http://localhost:8080 is allowed: True
[11:25:22 DBG] CorsPolicyService allowed origin: http://localhost:8080
[11:25:22 DBG] Request path /.well-known/openid-configuration matched to endpoint type Discovery
[11:25:22 DBG] Endpoint enabled: Discovery, successfully created handler: IdentityServer4.Endpoints.DiscoveryEndpoint
[11:25:22 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.DiscoveryEndpoint for /.well-known/openid-configuration
[11:25:22 DBG] Start discovery request
[11:25:22 DBG] Found ["openid", "profile", "email", "phone", "roles", "myApi"] as all scopes, and ["myApi"] as API resources
[11:25:22 DBG] CORS request made for path: /connect/token from origin: http://localhost:8080
[11:25:22 DBG] Origin http://localhost:8080 is allowed: True
[11:25:22 DBG] CorsPolicyService allowed origin: http://localhost:8080
[11:25:22 DBG] Request path /connect/token matched to endpoint type Token
[11:25:22 DBG] Endpoint enabled: Token, successfully created handler: IdentityServer4.Endpoints.TokenEndpoint
[11:25:22 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.TokenEndpoint for /connect/token
[11:25:22 DBG] Start token request.
[11:25:22 DBG] Start client validation
[11:25:22 DBG] Start parsing Basic Authentication secret
[11:25:22 DBG] Start parsing for secret in post body
[11:25:22 DBG] client id without secret found
[11:25:22 DBG] Parser found secret: PostBodySecretParser
[11:25:22 DBG] Secret id found: myVue
[11:25:22 DBG] myVue found in database: True
[11:25:22 DBG] client configuration validation for client myVue succeeded.
[11:25:22 DBG] Public Client - skipping secret validation success
[11:25:22 DBG] Client validation success
[11:25:22 DBG] Start token request validation
[11:25:22 DBG] Start validation of authorization code token request
[11:25:22 DBG] acsjOkPYkEaMaFD4ZF8mgoxsrmiHu7/uLYvNaX4C/VE= found in database: True
[11:25:22 DBG] removing acsjOkPYkEaMaFD4ZF8mgoxsrmiHu7/uLYvNaX4C/VE= persisted grant from database
[11:25:22 DBG] Client required a proof key for code exchange. Starting PKCE validation
[11:25:22 DBG] Validation of authorization code token request success
[11:25:22 INF] Token request validation success, {"ClientId": "myVue", "ClientName": "MY Vue", "GrantType": "authorization_code", "Scopes": null, "AuthorizationCode": "17685940B383C5C5D38F0A8D6A8D3D298F5EC2CB2456B333F2D6A7005A34D69E", "RefreshToken": null, "UserName": null, "AuthenticationContextReferenceClasses": null, "Tenant": null, "IdP": null, "Raw": {"client_id": "myVue", "code": "17685940B383C5C5D38F0A8D6A8D3D298F5EC2CB2456B333F2D6A7005A34D69E", "redirect_uri": "http://localhost:8080/logincallback/#", "code_verifier": "6ff14950a2d74b35853d745fdb37558fd873e3caba8a4967a9c8e166fb36fedaf684e48899dd4259b0f34d999204bd86", "grant_type": "authorization_code"}, "$type": "TokenRequestValidationLog"}
[11:25:23 DBG] myVue found in database: True
[11:25:23 DBG] client configuration validation for client myVue succeeded.
[11:25:23 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:25:23 DBG] Found [] API resources in database
[11:25:23 DBG] Found ["myApi"] scopes in database
[11:25:23 DBG] Getting claims for access token for client: myVue
[11:25:23 DBG] Getting claims for access token for subject: Edoardo
[11:25:23 DBG] Get profile called for subject Edoardo from client MY Vue with claim types [] via ClaimsProviderAccessToken
[11:25:23 DBG] Issued claims: []
[11:25:23 DBG] myVue found in database: True
[11:25:23 DBG] client configuration validation for client myVue succeeded.
[11:25:23 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:25:23 DBG] Found [] API resources in database
[11:25:23 DBG] Found ["myApi"] scopes in database
[11:25:23 DBG] Getting claims for identity token for subject: Edoardo and client: myVue
[11:25:23 DBG] In addition to an id_token, an access_token was requested. No claims other than sub are included in the id_token. To obtain more user claims, either use the user info endpoint or set AlwaysIncludeUserClaimsInIdToken on the client configuration.
[11:25:23 DBG] Token request success.
[11:25:23 DBG] CORS request made for path: /connect/userinfo from origin: http://localhost:8080
[11:25:23 DBG] Origin http://localhost:8080 is allowed: True
[11:25:24 DBG] CorsPolicyService allowed origin: http://localhost:8080
[11:25:24 DBG] Request path /connect/userinfo matched to endpoint type Userinfo
[11:25:24 DBG] Endpoint enabled: Userinfo, successfully created handler: IdentityServer4.Endpoints.UserInfoEndpoint
[11:25:24 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.UserInfoEndpoint for /connect/userinfo
[11:25:24 DBG] Start userinfo request
[11:25:24 DBG] Bearer token found in header
[11:25:24 DBG] myVue found in database: True
[11:25:24 DBG] client configuration validation for client myVue succeeded.
[11:25:25 DBG] myVue found in database: True
[11:25:25 DBG] client configuration validation for client myVue succeeded.
[11:25:25 DBG] Calling into custom token validator: IdentityServer4.Validation.DefaultCustomTokenValidator
[11:25:25 DBG] Token validation success
{"ClientId": null, "ClientName": null, "ValidateLifetime": true, "AccessTokenType": "Jwt", "ExpectedScope": "openid", "TokenHandle": null, "JwtId": null, "Claims": {"nbf": 1593077123, "exp": 1593080723, "iss": "http://localhost:48000", "client_id": "myVue", "sub": "Edoardo", "auth_time": 1593077120, "idp": "local", "sid": "CD4D94F0FA594834F4AD28FEF7524819", "iat": 1593077123, "scope": ["openid", "profile", "email", "phone", "roles", "myApi"], "amr": "pwd"}, "$type": "TokenValidationLog"}
[11:25:25 DBG] Creating userinfo response
[11:25:25 DBG] Scopes in access token: openid profile email phone roles myApi
[11:25:25 DBG] Found ["openid", "profile", "email", "phone", "roles"] identity scopes in database
[11:25:25 DBG] Requested claim types: sub updated_at locale zoneinfo birthdate gender website picture preferred_username nickname middle_name given_name family_name name profile email_verified email phone_number phone_number_verified role
[11:25:25 DBG] Get profile called for subject Edoardo from client MY Vue with claim types ["sub", "updated_at", "locale", "zoneinfo", "birthdate", "gender", "website", "picture", "preferred_username", "nickname", "middle_name", "given_name", "family_name", "name", "profile", "email_verified", "email", "phone_number", "phone_number_verified", "role"] via UserInfoEndpoint
[11:25:25 DBG] Issued claims: ["sub", "role", "role", "role", "role", "role", "name", "email"]
[11:25:25 INF] Profile service returned the following claim types: sub role role role role role name email
[11:25:25 DBG] End userinfo request
[11:25:25 DBG] Request path /connect/checksession matched to endpoint type Checksession
[11:25:25 DBG] Endpoint enabled: Checksession, successfully created handler: IdentityServer4.Endpoints.CheckSessionEndpoint
[11:25:25 INF] Invoking IdentityServer endpoint: IdentityServer4.Endpoints.CheckSessionEndpoint for /connect/checksession
[11:25:25 DBG] Rendering check session result

I got the same issue with DB migration

The same issue with the ApiSecrets table: the migration script generates a Drop Table + Create Table construction rather than just a Rename Table.

@brockallen

There's nothing I can do -- that's how EF migrations work.

And given that's how it works, I never use EF migrations to really migrate my schema and data to an updated version. I only ever use EF migrations to create new/empty DB schemas. If there's a change that needs deltas and/or data migrations, I usually do that manually somehow. We even document that this is not something we can do for you:

https://identityserver4.readthedocs.io/en/latest/reference/ef.html#database-creation-and-schema-changes-across-different-versions-of-identityserver

Understood about EF.
Any idea on the original problem: what is causing the oidc-client to return an undefined user object?

Not sure... I'm wondering if it's something about the shape of the result from the user info endpoint? @leastprivilege did we change anything here? Or... a different JSON formatter?

For those of you looking for a script to migrate your data: https://twitter.com/scottbrady91/status/1276173018952278021. And here's the repo directly (looks like it's still a work in progress):

https://github.com/RockSolidKnowledge/IdentityServer4.Migration.Scripts/tree/CreateScripts

Thanks for the info.

Also, thinking about this... can you switch back to implicit and then show your id_token to us here? Also, enable logging in oidc-client-js to see if it shows anything out of the ordinary.
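A client-side diagnostic for the two checks suggested in the comment above (inspect the id_token, see what the callback actually received), as an added example that is not part of the issue or of oidc-client. It assumes the authority, client id and claim layout shown in the issue's log; the token, userinfo payload and timestamps are constructed, and signature verification is left to the library.

```javascript
// Added diagnostic (not code from the issue or from oidc-client): decode the
// id_token handed to the login callback and cross-check it against the
// /connect/userinfo response before the merged user profile is trusted.
// Signature verification is left to the real library (it validates against the
// JWKS); this covers the claim checks only. All sample data is constructed.
// To get the library's own trace, oidc-client exposes:
//   import { Log } from "oidc-client"; Log.logger = console; Log.level = Log.DEBUG;

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const pad = b64.length % 4 === 0 ? "" : "=".repeat(4 - (b64.length % 4));
  return Buffer.from(b64 + pad, "base64").toString("utf8");
}

// Returns the JWT payload as an object, or null if the token is malformed.
function decodeJwtPayload(jwt) {
  if (typeof jwt !== "string") return null;
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  try { return JSON.parse(base64UrlDecode(parts[1])); } catch (e) { return null; }
}

// expected = { issuer, clientId, now } with now in unix seconds.
// Returns { ok, problems, profile }; profile is null unless every check passed.
function checkCallback(idToken, userinfo, expected) {
  const claims = decodeJwtPayload(idToken);
  if (!claims) return { ok: false, problems: ["id_token missing or malformed"], profile: null };
  const problems = [];
  if (claims.iss !== expected.issuer) problems.push("iss mismatch: " + claims.iss);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(expected.clientId)) problems.push("aud does not contain " + expected.clientId);
  if (typeof claims.exp !== "number" || claims.exp <= expected.now) problems.push("id_token expired");
  if (!claims.sub) problems.push("id_token has no sub");
  // OIDC Core 5.3.2: a userinfo sub that differs from the id_token sub means
  // the userinfo response must not be used.
  if (!userinfo || userinfo.sub !== claims.sub) problems.push("userinfo sub does not match id_token sub");
  const profile = problems.length === 0 ? { ...claims, ...userinfo } : null;
  return { ok: problems.length === 0, problems, profile };
}

// Constructed sample shaped like the issue's log: the id_token carries only sub,
// profile claims (name, email, roles) arrive via userinfo.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_ID_TOKEN = [
  b64url({ alg: "RS256", typ: "JWT" }),
  b64url({ iss: "http://localhost:48000", aud: "myVue", sub: "Edoardo", iat: 1593077123,
           nbf: 1593077123, exp: 1593080723, auth_time: 1593077120, amr: ["pwd"], idp: "local" }),
  "constructed-signature-not-verified-here",
].join(".");
const SAMPLE_USERINFO = { sub: "Edoardo", name: "Edoardo", email: "edoardo@example.invalid", role: ["admin", "editor"] };
const EXPECTED = { issuer: "http://localhost:48000", clientId: "myVue", now: 1593077200 };

function demo() {
  return checkCallback(SAMPLE_ID_TOKEN, SAMPLE_USERINFO, EXPECTED);
}
```

If `profile` comes back null, `problems` names the claim that failed; that is the first thing to compare against the library's debug trace when the callback hands the app an undefined user.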

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
Questions are community supported only and the authors/maintainers may or may not have time to reply. If you or your company would like commercial support, please see here for more information.

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.