Add unauthorized client frequent error

Miguel Veloso 2020-03-23 15:45:06 +00:00
parent 3aec7aef3e
commit c7c6c1143b
4 changed files with 57 additions and 2 deletions

@ -1,7 +1,8 @@
These are the most frequent errors encountered when running eShopOnContainers for the first time.
These are the most frequent errors encountered when running eShopOnContainers.
> **CONTENT**
- [Unauthorized_client when trying to log in from the MVC, the SPA application, or the Swagger UI API pages](#unauthorizedclient-when-trying-to-log-in-from-the-mvc-the-spa-application-or-the-swagger-ui-api-pages)
- [When trying to log in from the MVC app I get an error](#when-trying-to-log-in-from-the-mvc-app-i-get-an-error)
- [Deploying in Windows with Docker for Windows](#deploying-in-windows-with-docker-for-windows)
- [Deploying in a Mac with Docker for Mac](#deploying-in-a-mac-with-docker-for-mac)
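Review bot: The new table-of-contents entry points at `#unauthorizedclient-when-trying-to-log-in-...`, which drops the underscore from the heading `Unauthorized_client ...` added further down in this file. Check which anchor the wiki renderer actually generates for that heading; if it keeps the underscore, this link goes nowhere and should start with `#unauthorized_client-`.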
@ -11,6 +12,10 @@ These are the most frequent errors encountered when running eShopOnContainers fo
- [When I run 'docker-compose up' I get an error like ERROR: Service 'xxxxx' failed to build: COPY failed: stat ...: no such file or directory](#when-i-run-docker-compose-up-i-get-an-error-like-error-service-xxxxx-failed-to-build-copy-failed-stat--no-such-file-or-directory)
- [When I try to run the solution in 'Docker for Windows' (on the Linux VM) I get the error: 'Did you mean to run dotnet SDK commands?'](#when-i-try-to-run-the-solution-in-docker-for-windows-on-the-linux-vm-i-get-the-error-did-you-mean-to-run-dotnet-sdk-commands)
## Unauthorized_client when trying to log in from the MVC, the SPA application, or the Swagger UI API pages
See details and the solution in the [unauthorized_client error on login](unauthorized_client-error-on-login.md) wiki page.
## When trying to log in from the MVC app I get an error
There are usually two errors related to this:
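Review bot: The link target `unauthorized_client-error-on-login.md` in the new section is inconsistent with the rest of the change in two ways. The other wiki links in this file (`Windows-setup`, `Mac-setup`) carry no `.md` extension, and the new page's image folder is spelled `unauthorized_client-error-on-Login` with a capital L. Pick one spelling and one link style so the link and the image paths resolve on a case-sensitive host.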
@ -52,7 +57,7 @@ You should receive json response. If not, ensure that Identity.API and Docker ar
It looks like the SQL container tried to start but then it exited?
If I do a "docker ps -a", the STATUS column for the SQL container does NOT show a status of "Up" but shows the STATUS as "Exited".
Workaround: Usually this is due to not enough memory assigned to the Docker Host Linux VM.
IMPORTANT: Note that sometimes after installing a "Docker for Windows" update it might have reset the assigned memory value and it might be 2GB again (see Docker issue https://github.com/docker/for-win/issues/1169), which is not enough for the SQL container. Set, at least, 4GB of memory to the Docker Host in "Docker for Windows" settings.
IMPORTANT: Note that sometimes after installing a "Docker for Windows" update it might have reset the assigned memory value and it might be 2GB again (see Docker issue <https://github.com/docker/for-win/issues/1169>), which is not enough for the SQL container. Set, at least, 6GB of memory to the Docker Host in "Docker for Windows" settings.
For further information see the [Windows setup](Windows-setup) and [Mac setup](Mac-setup) pages.
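Review bot: The IMPORTANT paragraph raises the minimum Docker Host memory from 4GB to 6GB, which the commit message ("Add unauthorized client frequent error") does not mention. Either note it in the commit message or move it to its own commit, and confirm that the Windows setup and Mac setup pages linked on the following line state the same figure.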

Binary file not shown.

Binary file not shown.

@ -0,0 +1,50 @@
> **CONTENT**
- [Causes](#causes)
- [Details](#details)
- [Solutions](#solutions)
## Causes
This error occurs because the connecting app isn't registered in the IdentityServer database as an authorized client.
The authorized client registration occurs when the Identity DB is seeded, and in eShopOnContainers this happens when the DB is first created. So this only happens when first installed or when restarting the Identity service if the DB has been deleted.
When registering the clients, eShopOnContainers reads the values from the following configuration variables, from either the `appsettings.json` file, the `docker-compose.override.yml` file or the equivalent environment variables:
```yaml
- SpaClient
- MvcClient
- LocationApiClient
- MarketingApiClient
- BasketApiClient
- OrderingApiClient
- MobileShoppingAggClient
- WebShoppingAggClient
- WebhooksApiClient
- WebhooksWebClient
```
### Details
IdentityServer uses the `RedirectUri` to decide if the connecting client is authorized
When a user that's not been authorized tries to use the [client] app, they are redirected to the IdentityServer's `/connect/authorize` endpoint, and the request includes a redirection uri that's used to complete the login process, as shown in the following image:
![](images/unauthorized_client-error-on-Login/identity-server-authorize-request.png)
The authorized clients are registered in the `Clients` table and the related redirect URIs in the `ClientRedirectUris` table as shown in the following image:
![](images/unauthorized_client-error-on-Login/ClientRedirectUris-table.png)
It's important to keep in mind that if the application is registered as `http://host.docker.internal:5004` but started as `http://localhost:5104` it's considered to be a different one, so it'll get the `unauthorized_client` message.
## Solutions
So the possible solution are:
1. Make sure you are starting the app from the correct address.
2. Update the `ClientRedirectUris` table to the correct values.
3. Drop the `IdentityDb` database and restart the `Identity` service, after updating the `docker-compose.override.yml` file, or the `configmap.yaml` in Kubernetes, so that all the clients are registered correctly.
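Review bot: In the Solutions list, steps 2 and 3 need more precision. Step 3 tells the reader to drop `IdentityDb` without saying that this discards everything stored in it, not only the client registrations, so it should be scoped to a local or disposable environment. Step 2 should say that the value written to `ClientRedirectUris` has to match the redirect URI the client actually sends, since the Details section already states that `http://host.docker.internal:5004` and `http://localhost:5104` are treated as different clients. Smaller points: "the possible solution are" should be "solutions", the sentence under Details starting "IdentityServer uses the `RedirectUri`" lacks a full stop, `### Details` is one level deeper than `## Causes` and `## Solutions` although the contents list shows all three as siblings, and the list of client variable names is fenced as `yaml` although it is only a list of names.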