
Cannot authorize user when create or set up a tenant with Bearer token #2743

Closed
domonkosgabor opened this issue Nov 27, 2018 · 6 comments

Comments

@domonkosgabor
Contributor

I set up the Authorization server with the client credentials flow for my ASP.Net Core class library.
I added my app as an application with the Administrator client credential role (just for testing, to make sure).
Then I could get the Bearer token using the Token Endpoint.
The next step would be to create a tenant by calling the api/tenants/create endpoint.
You can find the following line in the Create method of the ApiController class in OrchardCore.Tenants.Controllers:
if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageTenants)) { return Unauthorized(); }

It's just a simple check to make sure that the currently logged in user has the ManageTenants permission, before doing anything.
The issue is that I can't get through this authentication process; I always get the Unauthorized() result.
I found out that the following line is missing from the Startup.cs of this module:
services.AddScoped<IPermissionProvider, Permissions>();

But adding this file to the flow and allowing this permission didn't help me at all.

I tried to do the same with Postman. With Postman, I called the Authorize endpoint (connect/authorize) and got the token without any issue.

But I still cannot create or set up a tenant. I know this was possible before and it could be a new issue, but I have no further idea what could be the problem.

@domonkosgabor domonkosgabor changed the title Cannot authorize user when creating or set up a tenant with Bearer token Cannot authorize user when create or set up a tenant with Bearer token Nov 27, 2018
@kevinchalet
Member

I believe this was a manifestation of #2727, which was just fixed. Do you mind giving it another try?

@domonkosgabor
Contributor Author

Hi @PinpointTownes. I gave it a try without any success.
I set the Authorization Server and the application by the following way: #2756
Maybe this issue could be related to this one?
The if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageTenants)) { return Unauthorized(); }
call always returns Unauthorized, but the role that I set up earlier in the referenced issue has this permission.

@kevinchalet
Member

What's the exact version you're referencing? Did you link the permission to the role after the access token was issued?

@domonkosgabor
Contributor Author

  1. I have updated the DefaultUserClaimsPrincipalFactory.cs based on this PR: Modified DefaultUserClaimsPrincipalFactory to include role claims #2750 and cleaned my solution. Should I change anything else?
  2. Added a new role and linked every permission to that (for testing).
  3. Creating the Authorization server and the client in this way: Cannot add a new client application to OpenID because of an exception #2756
  4. Call the /connect/token to get the Bearer token, that works fine.
  5. Call the /api/tenants/create endpoint and the Authorizer cannot authorize my call.

If I understand correctly, I do not need to create a user or enable any other endpoints; these steps should be all that is necessary. Correct me if I'm wrong.

@domonkosgabor
Contributor Author

Maybe this issue is related to mine: aspnet/Identity#1997
So, when I get the ticket here using the AccessController, the ticket contains the following claims:

ticket.Principal.Claims.ToList()
Count = 4
    [0]: {oc:entyp: application}
    [1]: {sub: whatever}
    [2]: {name: whatever}
    [3]: {role: App Management Client Library}

Then let's sign in the user with this ticket:
return SignIn(ticket.Principal, ticket.Properties, ticket.AuthenticationScheme);

Now let's authorize the user:

if (!await _authorizationService.AuthorizeAsync(User, Permissions.ManageTenants))
{
    return Unauthorized();
}

Let's see what's inside the User:

User.Identities.First()
{System.Security.Claims.ClaimsIdentity}
    Actor: null
    AuthenticationType: null
    BootstrapContext: null
    Claims: {System.Security.Claims.ClaimsIdentity.<CombinedClaimsIterator>d__44}
    CustomSerializationData: null
    ExternalClaims: Count = 0
    IsAuthenticated: false
    Label: null
    Name: null
    NameClaimType: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    RoleClaimType: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    _actor: null
    _authenticationType: null
    _bootstrapContext: null
    _externalClaims: Count = 0
    _instanceClaims: Count = 0
    _label: null
    _nameClaimType: "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    _roleClaimType: "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
    _userSerializationData: null

Let's see the Claims:

User.Claims.ToList()
Count = 0

So for some reason the user has no claims at all after signing in. Weird.

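The state in the debugger dump above (a ClaimsIdentity whose AuthenticationType is null, so IsAuthenticated is false, and which carries no claims) is easy to reproduce outside OrchardCore. The following C# is an added example, not code from this issue or from OrchardCore: it builds a hypothetical role-to-permission authorization handler on Microsoft.AspNetCore.Authorization and evaluates the same four claims from the ticket in three states: an identity with no authentication type, an identity marked authenticated with the role claim present, and an authenticated identity with no claims at all. PermissionRequirement, RolePermissionHandler, the Check helper and the role-to-permission table are assumptions made for illustration; only the claim names and values come from the comment above.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;

// Hypothetical requirement standing in for OrchardCore's Permissions.ManageTenants.
public sealed class PermissionRequirement : IAuthorizationRequirement
{
    public string Name { get; }
    public PermissionRequirement(string name) => Name = name;
}

// Hypothetical handler: a permission is granted only to an authenticated identity
// carrying a role claim that is mapped to that permission. Anything else fails closed,
// because the handler never calls Succeed and AuthorizeAsync then reports failure.
public sealed class RolePermissionHandler : AuthorizationHandler<PermissionRequirement>
{
    private readonly IReadOnlyDictionary<string, string[]> _rolePermissions;

    public RolePermissionHandler(IReadOnlyDictionary<string, string[]> rolePermissions)
        => _rolePermissions = rolePermissions;

    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   PermissionRequirement requirement)
    {
        var user = context.User;

        // ClaimsIdentity.IsAuthenticated is derived from AuthenticationType being non-empty,
        // which is exactly why the dumped identity (AuthenticationType: null) reports false.
        if (user?.Identity?.IsAuthenticated != true)
            return Task.CompletedTask;

        // Look up role claims under whatever role claim type each identity was built with,
        // so a short "role" claim from a JWT is matched the same way as the WS-* URI.
        var roles = user.Identities
            .SelectMany(id => id.FindAll(id.RoleClaimType))
            .Select(c => c.Value);

        if (roles.Any(r => _rolePermissions.TryGetValue(r, out var perms)
                           && perms.Contains(requirement.Name)))
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

public static class Demo
{
    public static async Task Main()
    {
        // Assumed role-to-permission table: the role from the ticket grants ManageTenants.
        var rolePermissions = new Dictionary<string, string[]>
        {
            ["App Management Client Library"] = new[] { "ManageTenants" }
        };
        var handler = new RolePermissionHandler(rolePermissions);
        var requirement = new PermissionRequirement("ManageTenants");

        // The four claims from the ticket in the comment above. "role" is the short JWT
        // claim name, so the identity must be told to use it as its role claim type.
        var claims = new[]
        {
            new Claim("oc:entyp", "application"),
            new Claim("sub", "whatever"),
            new Claim("name", "whatever"),
            new Claim("role", "App Management Client Library"),
        };

        // 1. Claims present but no authentication type: IsAuthenticated is false.
        var unauthenticated = new ClaimsPrincipal(
            new ClaimsIdentity(claims, authenticationType: null, nameType: "name", roleType: "role"));
        Console.WriteLine($"no auth type: {await Check(handler, requirement, unauthenticated)}");

        // 2. Authentication type set and the role claim present.
        var authenticated = new ClaimsPrincipal(
            new ClaimsIdentity(claims, "Bearer", "name", "role"));
        Console.WriteLine($"authenticated with role: {await Check(handler, requirement, authenticated)}");

        // 3. Authenticated but with no claims at all, like the empty User in the dump.
        var empty = new ClaimsPrincipal(new ClaimsIdentity("Bearer"));
        Console.WriteLine($"authenticated, no claims: {await Check(handler, requirement, empty)}");
    }

    // Runs a single handler against a principal and reports whether the requirement succeeded.
    private static async Task<bool> Check(IAuthorizationHandler handler,
                                          IAuthorizationRequirement requirement,
                                          ClaimsPrincipal user)
    {
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await handler.HandleAsync(context);
        return context.HasSucceeded;
    }
}
```

Only the second principal satisfies the requirement. The first is rejected before the role lookup because IsAuthenticated is false, and the third is rejected because there is no role claim to match; in both cases the handler simply does not call Succeed, which is the fail-closed behaviour behind the Unauthorized() result seen in this thread. The check is also a useful sanity test when wiring up a client credentials flow: if the principal reaching the controller has no authentication type or no claims, the problem is in how the ticket is signed in and turned into the request's User, not in the permission configuration.
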
@domonkosgabor
Contributor Author

Fixed in this PR: #2872
