anatol

Reputation: 1760

OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The specified authorization code is no longer valid.'

I'm getting this error while logging in; what may be wrong?

I should note that I've applied a few minor updates to some packages on both sides, server and client (and before that everything worked fine):

  1. "Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.2" --> 6.0.3
  2. "Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="6.0.2" --> 6.0.3
  3. "Microsoft.AspNetCore.Mvc.NewtonsoftJson" Version="6.0.1" --> 6.0.3
  4. "Npgsql.EntityFrameworkCore.PostgreSQL" Version="6.0.2" --> 6.0.3
  5. And so on for EF Core, Microsoft.Extensions, etc

Stack trace:

System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The specified authorization code is no longer valid.', error_uri: 'https://documentation.openiddict.com/errors/ID2016'.
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.RedeemAuthorizationCodeAsync(OpenIdConnectMessage tokenEndpointRequest)
   at Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler.HandleRemoteAuthenticateAsync()
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddleware.Invoke(HttpContext context)


Auth Server logs:

info: Microsoft.Hosting.Lifetime[14]
      Now listening on: https://localhost:5003
info: Microsoft.Hosting.Lifetime[14]
      Now listening on: http://localhost:5004
info: Microsoft.Hosting.Lifetime[0]
      Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
      Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
      Content root path: C:\AuthServer
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request address matched a server endpoint: Configuration.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The configuration request was successfully extracted: {}.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The configuration request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The response was successfully returned as a JSON document: {
        "issuer": "http://localhost:5004/",
        "authorization_endpoint": "http://localhost:5004/connect/authorize",
        "token_endpoint": "http://localhost:5004/connect/token",
        "introspection_endpoint": "http://localhost:5004/introspect",
        "end_session_endpoint": "http://localhost:5004/connect/logout",
        "userinfo_endpoint": "http://localhost:5004/connect/userinfo",
        "jwks_uri": "http://localhost:5004/.well-known/jwks",
        "grant_types_supported": [
          "client_credentials",
          "authorization_code",
          "refresh_token"
        ],
        "response_types_supported": [
          "code"
        ],
        "response_modes_supported": [
          "form_post",
          "fragment",
          "query"
        ],
        "scopes_supported": [
          "openid",
          "offline_access",
          "api",
          "profile"
        ],
        "claims_supported": [
          "aud",
          "exp",
          "iat",
          "iss",
          "sub"
        ],
        "id_token_signing_alg_values_supported": [
          "RS256"
        ],
        "code_challenge_methods_supported": [
          "S256"
        ],
        "subject_types_supported": [
          "public"
        ],
        "token_endpoint_auth_methods_supported": [
          "client_secret_basic",
          "client_secret_post"
        ],
        "introspection_endpoint_auth_methods_supported": [
          "client_secret_basic",
          "client_secret_post"
        ],
        "claims_parameter_supported": false,
        "request_parameter_supported": false,
        "request_uri_parameter_supported": false
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request address matched a server endpoint: Cryptography.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The cryptography request was successfully extracted: {}.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The cryptography request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The response was successfully returned as a JSON document: {
        "keys": [
          {
            "kid": "S_BMQOKNGJHJPWXBJUIHMDYJ4KBGJVSP13T2OAZJ",
            "use": "sig",
            "kty": "RSA",
            "alg": "RS256",
            "e": "AQAB",
            "n": "s_bmqoKNgJhJpWxbjUIhmDyj4KBgjvSP13t2OAZJv8FLVNHgkFMk8XpDetuR4EWnCOH-CfA4_QG_B-75a3ivA6eIQlHj9B1-ALe8ixxhGc_0BhaeHnRmR02P9XZPl3KfmK6zyjFUwQ84b4VHLMpAQt9lGSCmC0RWckk3ABVWKTfqNenHZyRywVfQx
MlJOrCkjVhbkXylN1NZogNsHzR1R86wCxF-6ZQAizItXnSXS0vqbeUDKK5ypvCGTixttBupes7Gl6FCc43XOjLI1yyNi4Oclla8vpAcRFT7qIlNXiAe87Cx1P2SUiCXqa28IuK5kE6GJXJ7oCuXUNT-ObJTEQ"
          }
        ]
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request address matched a server endpoint: Authorization.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The authorization request was successfully extracted: {
        "client_id": "dotnet",
        "redirect_uri": "http://localhost:5883/signin-oidc",
        "response_type": "code",
        "scope": "openid profile api offline_access",
        "code_challenge": "Z7awdswUZx0ETP0dpUffZ1YBvEkbHq36oyqinMHNXhM",
        "code_challenge_method": "S256",
        "response_mode": "form_post",
        "nonce": "637849932918438810.NjI1NmFkOWMtYTljYi00NDEzLWJiMDktNmY2ZTUxM2QzMzIwZGFkYjNiNDUtMDliYi00ZDVlLTk3OGUtODQ5NzlhMWRkZmJh",
        "state": "CfDJ8HK7TnNlqEtJvZnagmcXTEBxqCNdO9qAvzNhBZSsvnUV4ngLvlZ0Ft0LF2hpjjQRCB4mbP0K2_Se4z9YK_UMKuICGCwZZK3VbWxDSVemxpWMP63dNPhscDFCFFpQUbRh4bAsP5vhZMnR7K4Hg2FlUXroqwsfQTDo9KFepmZg3qlqJ8cODBDPf
v_CaY2f4QCFw-eLtGKrH1SIs4KvAcvss7OvQmqt-40OA9eU3fFG94kH50df6s48omgNb72V5hAQs6UWdBnj6DHRwnrt51a_M3NwEiOyj5dXAH6VE5Ebxd8PxHhvCkUf-9_tYTKTmbJfXiyEoNVEPLkrjtyPBTxiPxu92jm0bgqfchMSWrqAnRrQ7PzQPfxBFTJpTUMyQkHY
-w",
        "x-client-SKU": "ID_NETSTANDARD2_0",
        "x-client-ver": "6.10.0.0"
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The authorization request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request address matched a server endpoint: Authorization.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The authorization request was successfully extracted: {
        "client_id": "FMS-dotnet",
        "redirect_uri": "http://localhost:58893/signin-oidc",
        "response_type": "code",
        "scope": "openid profile api offline_access",
        "code_challenge": "Z7awdswUZx0ETP0dpUffZ1YBvEkbHq36oyqinMHNXhM",
        "code_challenge_method": "S256",
        "response_mode": "form_post",
        "nonce": "637849932918438810.NjI1NmFkOWMtYTljYi00NDEzLWJiMDktNmY2ZTUxM2QzMzIwZGFkYjNiNDUtMDliYi00ZDVlLTk3OGUtODQ5NzlhMWRkZmJh",
        "state": "CfDJ8HK7TnNlqEtJvZnagmcXTEBxqCNdO9qAvzNhBZSsvnUV4ngLvlZ0Ft0LF2hpjjQRCB4mbP0K2_Se4z9YK_UMKuICGCwZZK3VbWxDSVemxpWMP63dNPhscDFCFFpQUbRh4bAsP5vhZMnR7K4Hg2FlUXroqwsfQTDo9KFepmZg3qlqJ8cODBDPf
v_CaY2f4QCFw-eLtGKrH1SIs4KvAcvss7OvQmqt-40OA9eU3fFG94kH50df6s48omgNb72V5hAQs6UWdBnj6DHRwnrt51a_M3NwEiOyj5dXAH6VE5Ebxd8PxHhvCkUf-9_tYTKTmbJfXiyEoNVEPLkrjtyPBTxiPxu92jm0bgqfchMSWrqAnRrQ7PzQPfxBFTJpTUMyQkHY
-w",
        "x-client-SKU": "ID_NETSTANDARD2_0",
        "x-client-ver": "6.10.0.0"
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The authorization request was successfully validated.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The authorization response was successfully returned to 'http://localhost:58893/signin-oidc' using the form post response mode: {
        "code": "[redacted]",
        "state": "CfDJ8HK7TnNlqEtJvZnagmcXTEBxqCNdO9qAvzNhBZSsvnUV4ngLvlZ0Ft0LF2hpjjQRCB4mbP0K2_Se4z9YK_UMKuICGCwZZK3VbWxDSVemxpWMP63dNPhscDFCFFpQUbRh4bAsP5vhZMnR7K4Hg2FlUXroqwsfQTDo9KFepmZg3qlqJ8cODBDPf
v_CaY2f4QCFw-eLtGKrH1SIs4KvAcvss7OvQmqt-40OA9eU3fFG94kH50df6s48omgNb72V5hAQs6UWdBnj6DHRwnrt51a_M3NwEiOyj5dXAH6VE5Ebxd8PxHhvCkUf-9_tYTKTmbJfXiyEoNVEPLkrjtyPBTxiPxu92jm0bgqfchMSWrqAnRrQ7PzQPfxBFTJpTUMyQkHY
-w"
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The request address matched a server endpoint: Token.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The token request was successfully extracted: {
        "client_id": "dotnet",
        "client_secret": "[redacted]",
        "code": "[redacted]",
        "grant_type": "authorization_code",
        "redirect_uri": "http://localhost:5883/signin-oidc",
        "code_verifier": "ZSc9m368w1L5nAa45BKzC3u_KWfpjL_AuObTZY0l5H8"
      }.
info: OpenIddict.Server.OpenIddictServerDispatcher[0]
      The response was successfully returned as a JSON document: {
        "error": "invalid_grant",
        "error_description": "The specified authorization code is no longer valid.",
        "error_uri": "https://documentation.openiddict.com/errors/ID2016"
      }.

Request

POST /signin-oidc HTTP/1.1
Host: localhost:5883
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: ru-RU,ru;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 445
Origin: http://localhost:5004
Connection: keep-alive
Referer: http://localhost:5004/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site

Form data

{
    "code": "YPWe2LyqczH3B-5hySGyyvi0Ezfrc4BeIAbHABrFtH4",
    "state": "CfDJ8HK7TnNlqEtJvZnagmcXTEChyH5IIo-LXPg5s1jbtbDLg2WuabxHdPfenYYSF_1auYU3eaGZtIHqSS0tNbPHTj0OQHUvslE6ZsMts0b4RIqOk-e7vdMkP6d-tszHRW6g7ZCFfhsYVK7qCDGjKBFAmSDjJAlGHxHHr265TYiZcRY3jyhbLWBKWwmNCLXjXVlgdlIQyQlCWtY-yd9zoCEgiigdJ-suh0WJJHMqJmu20rLf3Es75aIf9EWh6Ki-0aTd6VJVamkmv6DrcPgOyOdyiplVKNVkqj8rj-qmK8RoRH0i80Qd7g03llVnoWzujKDXfUAXunGjKPAIqwSZm5MULtR1wzzxu_8fAPmKRmEnH3Su7RPWIEhBauSCLihPLA6GtQ"
}   

Upvotes: 1

Views: 4828

Answers (2)

Jeremy Cook

Reputation: 22133

After upgrading from .NET 5 to 6, EF Core 5 to 6, and OpenIddict.EntityFrameworkCore 3.0.3 to 3.1.1 I started getting the OpenIdConnectProtocolException: Message contains error: 'invalid_grant', error_description: 'The specified authorization code is no longer valid.' errors.

I fixed the issue by using pgAdmin 4's Schema Diff tool to compare the old and new schemas. It generated a script like the one at the end of this answer. After applying it the error went away and authentication started working again.

a-a-k on GitHub fixed the problem by enabling Npgsql's legacy timestamp:

public AuthDbContext(DbContextOptions<AuthDbContext> options)
    : base(options)
{
    AppContext.SetSwitch("Npgsql.EnableLegacyTimestampBehavior", true);
}

The problem seems to be with the change to timestamp with time zone. Based on a-a-k's solution you can read that the newer version of Npgsql EF Core assumes time zone information is available by default. That difference in schema wouldn't throw an exception from the DbContext, but it would cause these auth failures that made it seem like the code had expired when really the time zone was just shifted.

WARNING: I recommend you use Schema Diff to generate your own migration script, and not just copy this verbatim. This is here to give you an idea of what may have changed and things you can look into.

-- This script was generated by the Schema Diff utility in pgAdmin 4. 
BEGIN;

-- Added as recommended at https://www.npgsql.org/efcore/release-notes/6.0.html#migrating-columns-from-timestamp-to-timestamptz
SET TimeZone='UTC';

DROP FUNCTION IF EXISTS public.delete_cascade(p_schema character varying, p_table character varying, p_key character varying, p_recursion character varying[]);

ALTER TABLE public."OpenIddictAuthorizations"
    ALTER COLUMN "CreationDate" TYPE timestamp with time zone ;
ALTER TABLE IF EXISTS public."OpenIddictAuthorizations" DROP CONSTRAINT IF EXISTS "FK_OpenIddictAuthorizations_OpenIddictApplications_Application~";

ALTER TABLE IF EXISTS public."OpenIddictAuthorizations"
    ADD CONSTRAINT "FK_OpenIddictAuthorizations_OpenIddictApplications_Application~" FOREIGN KEY ("ApplicationId")
    REFERENCES public."OpenIddictApplications" ("Id") MATCH SIMPLE
    ON UPDATE NO ACTION
    ON DELETE NO ACTION;

ALTER TABLE public."OpenIddictTokens"
    ALTER COLUMN "CreationDate" TYPE timestamp with time zone ;

ALTER TABLE public."OpenIddictTokens"
    ALTER COLUMN "ExpirationDate" TYPE timestamp with time zone ;

ALTER TABLE public."OpenIddictTokens"
    ALTER COLUMN "RedemptionDate" TYPE timestamp with time zone ;
ALTER TABLE IF EXISTS public."OpenIddictTokens" DROP CONSTRAINT IF EXISTS "FK_OpenIddictTokens_OpenIddictApplications_ApplicationId";

ALTER TABLE IF EXISTS public."OpenIddictTokens" DROP CONSTRAINT IF EXISTS "FK_OpenIddictTokens_OpenIddictAuthorizations_AuthorizationId";

ALTER TABLE IF EXISTS public."OpenIddictTokens"
    ADD CONSTRAINT "FK_OpenIddictTokens_OpenIddictApplications_ApplicationId" FOREIGN KEY ("ApplicationId")
    REFERENCES public."OpenIddictApplications" ("Id") MATCH SIMPLE
    ON UPDATE NO ACTION
    ON DELETE NO ACTION;

ALTER TABLE IF EXISTS public."OpenIddictTokens"
    ADD CONSTRAINT "FK_OpenIddictTokens_OpenIddictAuthorizations_AuthorizationId" FOREIGN KEY ("AuthorizationId")
    REFERENCES public."OpenIddictAuthorizations" ("Id") MATCH SIMPLE
    ON UPDATE NO ACTION
    ON DELETE NO ACTION;

END;

Upvotes: 3
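
An added example, not part of the answer above and not OpenIddict or Npgsql code: a PostgreSQL check for OpenIddict date columns that are still `timestamp without time zone`, followed by a reproduction of the shift on constructed data. The table and column names in the first query come from the Schema Diff script above; the `demo_codes` table, the time zone and the timestamps are constructed, and the reproduction assumes the client writes UTC instants and treats naive values it reads back as UTC.

```sql
-- 1. List the OpenIddict date columns and their current types. Any row that
--    reports 'timestamp without time zone' has not been migrated to timestamptz.
SELECT table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema = 'public'
  AND table_name IN ('OpenIddictAuthorizations', 'OpenIddictTokens')
  AND column_name IN ('CreationDate', 'ExpirationDate', 'RedemptionDate')
ORDER BY table_name, column_name;

-- 2. The session time zone decides how a timestamptz value is converted when
--    it lands in a naive column; the mismatch only shows up when it is not UTC.
SHOW TimeZone;

-- 3. Reproduce the shift on constructed data. Everything is rolled back.
BEGIN;
SET LOCAL TimeZone = 'America/New_York';   -- constructed: any non-UTC zone

CREATE TEMP TABLE demo_codes (
    id            int PRIMARY KEY,
    expires_naive timestamp without time zone,  -- old column type
    expires_tz    timestamp with time zone      -- migrated column type
) ON COMMIT DROP;

-- The same UTC instant goes into both columns. The assignment cast to the
-- naive column stores session-local wall-clock time and drops the offset.
INSERT INTO demo_codes
VALUES (1,
        TIMESTAMPTZ '2022-04-08 12:05:00+00',
        TIMESTAMPTZ '2022-04-08 12:05:00+00');

-- Compare both columns against a constructed "now" five minutes before the
-- real expiry. The naive value is relabelled as UTC, which is the assumed
-- client behaviour, so its expiry moves by the session's UTC offset.
SELECT id,
       expires_naive AT TIME ZONE 'UTC' AS naive_read_as_utc,
       expires_tz                       AS stored_instant,
       (expires_naive AT TIME ZONE 'UTC')
           < TIMESTAMPTZ '2022-04-08 12:00:00+00' AS naive_looks_expired,
       expires_tz
           < TIMESTAMPTZ '2022-04-08 12:00:00+00' AS tz_looks_expired
FROM demo_codes;

ROLLBACK;
```

Run the first query against the authorization server's database before and after applying a migration; the reproduction is safe to run anywhere because it only touches a temporary table.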

anatol

Reputation: 1760

Thanks to Jeremy's great find, I finally realized what the cause of the problem is. It can be fixed with one line in the ctor of the OpenIddict DbContext:
AppContext.SetSwitch("Npgsql.EnableLegacyTimestampBehavior", true);

https://www.npgsql.org/efcore/release-notes/6.0.html#opting-out-of-the-new-timestamp-mapping-logic

Upvotes: 0
