getaccesstoken err when granttype is client_credentials #19994

Closed
mrh520 opened this issue Jun 7, 2024 · 13 comments · Fixed by #20045

Comments

@mrh520

mrh520 commented Jun 7, 2024

version 7.4.4 upgrade 8.1.3
RequestPath = connect/token

{
"Depth": 0,
"ClassName": "Volo.Abp.Domain.Entities.EntityNotFoundException",
"Message": "There is no such an entity. Entity type: Volo.Abp.Identity.IdentityUser, id: de8acc86-0046-4ea5-a3d6-3a11c865bfc1",
"Source": "Volo.Abp.Identity.Domain",
"StackTraceString": " at Volo.Abp.Identity.IdentityUserManager.GetByIdAsync(Guid id)\n at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)\n at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue1.ProceedAsync()\n at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)\n at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func3 proceed)\n at Volo.Abp.Identity.IdentityDynamicClaimsPrincipalContributorCache.<>c__DisplayClass23_0.<<GetAsync>b__0>d.MoveNext()\n--- End of stack trace from previous location ---\n at Volo.Abp.Caching.DistributedCache2.GetOrAddAsync(TCacheKey key, Func1 factory, Func1 optionsFactory, Nullable1 hideErrors, Boolean considerUow, CancellationToken token)\n at Volo.Abp.Identity.IdentityDynamicClaimsPrincipalContributorCache.GetAsync(Guid userId, Nullable1 tenantId)\n at Volo.Abp.Identity.IdentityDynamicClaimsPrincipalContributor.ContributeAsync(AbpClaimsPrincipalContributorContext context)",
"RemoteStackTraceString": null,
"RemoteStackIndex": 0,
"HResult": -2146233088,
"HelpURL": null
}

@maliming maliming self-assigned this Jun 7, 2024
@maliming
Member

maliming commented Jun 8, 2024

hi

Can you share the code to reproduce?

There should be no userId in client_credentials flow.

@mrh520
Author

mrh520 commented Jun 11, 2024

Thanks for reply.

I just rewrote this method

using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using Volo.Abp.OpenIddict.Controllers;

// OpenIddictApplicationConstants.Claims.CustomerId and GetCustomerIdAsync are
// not defined in this snippet; they come from the poster's own project.
public class AppTokenController : TokenController
{
    protected override async Task<IActionResult> HandleClientCredentialsAsync(OpenIddictRequest request)
    {
        // Note: the client credentials are automatically validated by OpenIddict:
        // if client_id or client_secret are invalid, this action won't be invoked.
        var application = await ApplicationManager.FindByClientIdAsync(request.ClientId);
        if (application == null)
        {
            throw new InvalidOperationException(L["TheApplicationDetailsCannotBeFound"]);
        }

        // Create a new ClaimsIdentity containing the claims that
        // will be used to create an id_token, a token or a code.
        var identity = new ClaimsIdentity(
            TokenValidationParameters.DefaultAuthenticationType,
            OpenIddictConstants.Claims.PreferredUsername,
            OpenIddictConstants.Claims.Role);

        // The Subject and PreferredUsername will be removed by <see cref="RemoveClaimsFromClientCredentialsGrantType"/>.
        // Use the client_id as the subject identifier.
        identity.AddClaim(OpenIddictConstants.Claims.Subject, await ApplicationManager.GetClientIdAsync(application));
        identity.AddClaim(OpenIddictConstants.Claims.PreferredUsername, await ApplicationManager.GetDisplayNameAsync(application));
        identity.AddClaim(OpenIddictApplicationConstants.Claims.CustomerId, await ApplicationManager.GetCustomerIdAsync(application) ?? "");

        // Note: In the original OAuth 2.0 specification, the client credentials grant
        // doesn't return an identity token, which is an OpenID Connect concept.
        //
        // As a non-standardized extension, OpenIddict allows returning an id_token
        // to convey information about the client application when the "openid" scope
        // is granted (i.e. specified when calling principal.SetScopes()). When the "openid"
        // scope is not explicitly set, no identity token is returned to the client application.

        // Set the list of scopes granted to the client application in access_token.
        var principal = new ClaimsPrincipal(identity);

        principal.SetScopes(request.GetScopes());
        principal.SetResources(await GetResourcesAsync(request.GetScopes()));

        await OpenIddictClaimsPrincipalManager.HandleAsync(request, principal);

        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}

@maliming
Member

Make sure there is no userId claim in your principal.

@mrh520
Author

mrh520 commented Jun 11, 2024

I did not find userId in the rewrite method debugging

@maliming
Member

Please share the full error stack or a simple test project.

@mrh520
Author

mrh520 commented Jun 11, 2024

Thanks.
This error cannot be replicated locally; no error log was recorded for local debugging.
Can you determine whether to search user information according to granttype?

@maliming maliming removed their assignment Jun 11, 2024
@maliming
Member

There is no user concept in the client_credentials flow.

@mrh520
Author

mrh520 commented Jun 12, 2024

Does the claim type sub map to userId?

@mrh520
Author

mrh520 commented Jun 14, 2024

> Make sure there is no userId claim in your principal.

image

@maliming
Member

maliming commented Jun 14, 2024

This seems to be a problem. I will find a way to fix this.

@maliming maliming self-assigned this Jun 14, 2024
@mrh520
Author

mrh520 commented Jun 14, 2024

will this issue be resolved in the future?

@maliming
Member

See #20045

@maliming maliming added this to the 8.3-preview milestone Jun 14, 2024
@mrh520
Author

mrh520 commented Jun 14, 2024

thank you
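
Added example, not part of the original thread and not ABP or OpenIddict code: a minimal sketch of the collision the thread points at, where a client_credentials principal carries the client_id in `sub` and a resolver that reads `sub` as a user id ends up looking for a user that does not exist. The class and method names are hypothetical, the GUIDs and the `my-app` client name are constructed, and the presence of a `client_id` claim on the principal is an assumption.

```csharp
using System;
using System.Security.Claims;

// Hypothetical helper for illustration only.
public static class SubjectResolver
{
    // Naive: any GUID-shaped "sub" is taken to be a user id, so a
    // client_credentials token whose client_id is a GUID triggers a user lookup.
    public static Guid? NaiveUserId(ClaimsPrincipal principal)
    {
        var sub = principal.FindFirst("sub")?.Value;
        return Guid.TryParse(sub, out var id) ? id : (Guid?)null;
    }

    // Guarded: when "sub" equals the "client_id" claim (assumed present),
    // the subject is an application, so no user id is returned.
    public static Guid? GuardedUserId(ClaimsPrincipal principal)
    {
        var sub = principal.FindFirst("sub")?.Value;
        var clientId = principal.FindFirst("client_id")?.Value;
        if (sub == null || string.Equals(sub, clientId, StringComparison.Ordinal))
        {
            return null;
        }
        return Guid.TryParse(sub, out var id) ? id : (Guid?)null;
    }
}

public static class Program
{
    private static ClaimsPrincipal Build(string sub, string clientId)
    {
        var identity = new ClaimsIdentity("constructed-sample");
        identity.AddClaim(new Claim("sub", sub));
        identity.AddClaim(new Claim("client_id", clientId));
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // Constructed samples: a client whose client_id is a GUID, and a real user.
        var client = Build("11111111-2222-3333-4444-555555555555", "11111111-2222-3333-4444-555555555555");
        var user = Build("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "my-app");

        Console.WriteLine($"client naive:   {SubjectResolver.NaiveUserId(client)}");
        Console.WriteLine($"client guarded: {SubjectResolver.GuardedUserId(client)?.ToString() ?? "(none)"}");
        Console.WriteLine($"user guarded:   {SubjectResolver.GuardedUserId(user)}");
    }
}
```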
