Very Strange Issue in Authentication - Cause Roles to come back wrong

I am experiencing a very strange issue in ServiceStack Authentication on the latest version 6.3.1.

I am using Postgres caching, AutoQuery, Cors, Profiling, DB Validation, AdminUsersFeature and SharpPagesFeatures and am not using distinct roles in AuthRepository.

I created an incognito web session to stop any caching from happening. When I log into ServiceStack at https://localhost:5001/ui/ I get to a page that shows I have the roles of Admin and SuperUser.

When I however look at the database AppUser for my login, I only have the Admin Role in the database.

image

I then went to https://localhost:5001/auth to get my session id and looked it up in the cache_entry database. The results that came back are shown below.

I then went to your new logging and profiling page to see what is happening. This is what it shows me.

Neither in the CacheEntry table nor in the AppUser table used for authentication do I have the SuperUser role. When I take the exact same source code and deploy it to our development server, it shows correctly. I have cleared all nuget packages and restored them and cleaned my project and recompiled as well.

One thing that is not working in both localhost and on our dev servers is that on https://localhost:5001/admin-ui/users user records are there but are not showing. When I look at the logging and profile the user records do come back.

You may have JWT cookies cached previously for https://localhost:5001 or something, can’t tell without a stand-alone repro.

I cleared all cookies in the browser and have cleared CacheEntry table completely. Let me try on a different browser… Both localhost and dev server use same database with same cache.

Won’t be able to identify any auth integration issues from here, need a stand-alone repro. If you provide the JS Console errors for the Admin Users UI we may be able to identify and fix that.

BTW Admin is the super user account and will return all App roles as fully populated Role claims are required by some clients (e.g. Blazor).
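To make the behaviour described in the reply above concrete (the Admin account is the super user, so its session reports every app role even when the AppUser row only stores "Admin"), here is a small added model in C#. It is illustrative code written for this thread, not ServiceStack's implementation; the AppRoles list and the stored-role inputs are constructed from the role names mentioned in the thread.

```csharp
// Added example: a model of "Admin is the super user and gets all App roles".
// This is NOT ServiceStack's code; role names and AppRoles are assumptions
// taken from the thread.
using System;
using System.Collections.Generic;
using System.Linq;

public static class RoleClaims
{
    // Roles the application declares (constructed for this example).
    public static readonly string[] AppRoles = { "Admin", "SuperUser", "Client", "Partner" };

    // Roles that appear in the session for a user with the given stored roles.
    // A user holding "Admin" is treated as the super user: every app role is
    // reported, regardless of which rows the AppUser/role tables contain.
    public static IReadOnlyList<string> SessionRoles(IEnumerable<string> storedRoles)
    {
        var stored = storedRoles.ToList();
        return stored.Contains("Admin") ? AppRoles : stored;
    }

    // Authorization check with the same semantics: Admin satisfies any role,
    // a non-admin user only the roles actually stored for them.
    public static bool HasRole(IEnumerable<string> storedRoles, string role)
        => SessionRoles(storedRoles).Contains(role);

    public static void Main()
    {
        var dbRolesForAdmin = new[] { "Admin" };   // what the AppUser table holds for the admin
        var dbRolesForClerk = new[] { "Client" };  // a constructed non-admin user

        // The admin's session lists all four app roles; the clerk's lists only "Client".
        Console.WriteLine("admin session roles: " + string.Join(",", SessionRoles(dbRolesForAdmin)));
        Console.WriteLine("clerk session roles: " + string.Join(",", SessionRoles(dbRolesForClerk)));

        // Admin passes a role check for a role it does not hold in the database;
        // the clerk does not.
        Console.WriteLine("admin has Partner: " + HasRole(dbRolesForAdmin, "Partner"));
        Console.WriteLine("clerk has Partner: " + HasRole(dbRolesForClerk, "Partner"));
    }
}
```

The point for anyone comparing the Admin UI against the database: the roles shown after login come from the session, and for the Admin account those are the application's roles rather than the rows stored for that user, so a difference between the two is expected for Admin and only needs investigating for non-admin users.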

This is the only info I get back in the console. You will see I went to the request that brings the admin users back as well and scrolled right on the data that comes back for andy.fensham@scadsoftware.com and you will see it only says Admin in the roles field.

Yeah the API json response looks ok, can’t identify the issue from here then. Did Admin Users previously work for you?

Not sure what you mean here. I am doing the same on my localhost and dev server and getting different results.

Yes, been using it no prob.

Yeah the JSON API response is fine, if it’s not a JS error I won’t be able to identify it without a repro I can run locally.

Only thing I can recommend trying is clearing NuGet packages cache to download the latest package versions on MyGet as installing pre-release packages at different times can result in incompatible dlls, which clearing + redownloading from MyGet will resolve.

Cleared all nuget packages. I also used the Users at https://localhost:5001/admin-ui/users to create a new user and selected it as role Admin. It created the user successfully, but did not add the Admin role. So roles are empty []. Even with that, logging in to ServiceStack Admin UI, it shows that the new user has the Admin and SysAdmin roles.

Let me try and create a repro. I deleted the json log I sent you above as I see there are client email addresses in it.


The Admin User role is required to access the Admin UI, are you testing this from the same URL?

Yes, logged in from https://localhost:5001/auth. Let me try and reproduce and do a repro for you.

I don’t think giving you a stripped down repo that does not point to the same db etc. will work. If you give me your github username I can give you access to the repo which has the dev server db details etc. in. You can then try and debug / see if you get the same locally. I can just change the passwords when you are done, or I can take a zip of my whole project with all the packages etc. and share it with you on onedrive. Would have to PM the password to onedrive to you though. You can then also access the records in the db e.g. cacheentry through the AutoQuery API.

No I never want access to any confidential information. Try creating the stand-alone repro, you can usually identify the issue in the process.

When testing different user behavior on the same URL make sure you’re using different browsers so you’re not getting credentials/cookies conflicts.

I cleared all cookies before doing the tests. I use the same plugins in another project and basically the same source code for both projects as it comes from mixins. Only user passwords differ in CreateUser. Quickly testing on this project and will then do a repro. Thanks for always being so responsive and quick to help. I love ServiceStack and your great service.

Ok, so I tested on a totally different database, different login details (password). My App User database only has Admin, Guest and SysAdmin Roles, nothing else. When logging in using this new project, this is what I get.

Looking at my cache entry table it has:

Logging in using https://localhost:5001/ui/ gives the same results.

What’s the issue here?

So my https://localhost:5001/login shows I have the roles Admin, Client, Partner. These roles however do not even exist in my AppUser table at all, and the user in this new database and ServiceStack project also only has the Admin Role.