
How do I generate the Auth URL that will allow a non-ABP-related website to authenticate with ABP OpenIddict? #5493


okains created

Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

  • ABP Framework version: v7.3.1
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
  • Steps to reproduce the issue:

I would like to use SSO with a single tier Blazor Server ABP solution. I have a separate site that I would like to have sign in using OpenIddict, then callback with a JWT to an endpoint on that site. So similar to how the Public websites work in ABP, but not necessarily using .NET.

I can see that the Public website in my dev environment calls the following URL to auth then redirect:

https://localhost:44396/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DABP73Public_Web_Public%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%3A7136%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520ABP73Public%26response_mode%3Dform_post%26nonce%3D638261167785072016.ZDg1NjgyZWUtZTAwNi00OGI4LTk0OTktNTZiNzVhOWIxOGFhMzk3YWM5N2UtODAwZC00YTc5LWI1MDMtNTA3OGNlNDk0MTEw%26state%3DCfDJ8MMdCuDzYEhJvMFQjtHhQGyHQ7Qq5BRX2jGkRv3Pti2RLsO3Zc0hq9QnyTqRr02P1_4NXt931DyfZ7gzkMJRP7UBUQNETvBJcwNqV3g2YbD2aOWRwEnF-gzhcrwrubi6mhAbGxqd6ZcTgmD9ndYyqCU2tW_ekfuuYY1cxmxMeeDF9CauhfMREVk0tCHTPcovRb8foC_mvAqRIvB-FSNjf-MLqwbtHeOltgqXecSXXH9K9gHrkWIe-dP2lQaq3pbrBqvU6BPCC8hd4Czj034Css0dT7AedrLKTmcde7Y47OdO%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

This is generated by the ChallengeAccountController in the Public website. How can I best handle this outside of a .NET environment? Are there any other considerations that I am missing here?

Note: I did change the redirect_uri in this example to https://jwt.ms , and configured things ( I think ) correctly but on the redirect I didn't get a JWT. I am expecting this to work similar to how Azure B2C works, if you are familiar with that workflow. If I am missing something please let me know.

Thanks,

Karim


7 Answer(s)
  • maliming created
    Support Team Fullstack Developer

    hi

    You can add OpenIdConnect and Cookies authentication schemes to your separate site

    Then everything will work as in the Public website

    // Goes in ConfigureServices of the separate site's module.
    // OpenIdConnectResponseType lives in Microsoft.IdentityModel.Protocols.OpenIdConnect.
    context.Services.AddAuthentication(options =>
    {
        options.DefaultScheme = "Cookies";       // local session cookie
        options.DefaultChallengeScheme = "oidc"; // unauthenticated requests are sent to the auth server
    })
    .AddCookie("Cookies", options =>
    {
        options.ExpireTimeSpan = TimeSpan.FromDays(365);
        options.CheckTokenExpiration();
    })
    .AddAbpOpenIdConnect("oidc", options =>
    {
        options.Authority = configuration["AuthServer:Authority"];
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken; // hybrid flow: "code id_token"

        options.ClientId = configuration["AuthServer:ClientId"];
        options.ClientSecret = configuration["AuthServer:ClientSecret"]; // confidential client: keep server-side

        options.UsePkce = true;
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;

        options.Scope.Add("roles");
        options.Scope.Add("email");
        options.Scope.Add("phone");
        options.Scope.Add("MyProjectName");
    });
    
  • okains created

    Hi,

    The question is based around handling this outside of a .NET environment.

    How can I best handle this outside of a .NET environment?

    So for example, I have a simple single page site, www.mysite.com with a LOGIN button on the homepage. I need to be able to generate the fully formed URL to the Auth server (ABP OpenIddict) that contains the redirectUri to then call back to www.mysite.com/callback so that I can access a JWT.

    So I need a way to generate this URL ( as noted in the original question ):

    https://localhost:44396/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DABP73Public_Web_Public%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%3A7136%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520ABP73Public%26response_mode%3Dform_post%26nonce%3D638261167785072016.ZDg1NjgyZWUtZTAwNi00OGI4LTk0OTktNTZiNzVhOWIxOGFhMzk3YWM5N2UtODAwZC00YTc5LWI1MDMtNTA3OGNlNDk0MTEw%26state%3DCfDJ8MMdCuDzYEhJvMFQjtHhQGyHQ7Qq5BRX2jGkRv3Pti2RLsO3Zc0hq9QnyTqRr02P1_4NXt931DyfZ7gzkMJRP7UBUQNETvBJcwNqV3g2YbD2aOWRwEnF-gzhcrwrubi6mhAbGxqd6ZcTgmD9ndYyqCU2tW_ekfuuYY1cxmxMeeDF9CauhfMREVk0tCHTPcovRb8foC_mvAqRIvB-FSNjf-MLqwbtHeOltgqXecSXXH9K9gHrkWIe-dP2lQaq3pbrBqvU6BPCC8hd4Czj034Css0dT7AedrLKTmcde7Y47OdO%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

    Thanks,

    Karim

  • maliming created
    Support Team Fullstack Developer

    hi

    outside of a .NET environment?

    What kind of application?

    HTML + Javascript? PHP? Java?

    Using the oauth2 class library would be best instead of processing it manually. This process is more complicated.

  • okains created

    HTML + Javascript for now, but I want to be able to have any 3rd party site / app that we have authenticate using ABP auth.

    So if you could explain how best to generate that URL and if there are any particular considerations I need to be aware of given the ABP implementation that would be great.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can use the javascript library like https://github.com/IdentityModel/oidc-client-js/wiki

    So if you could explain how best to generate that URL and if there are any particular considerations I need to be aware of given the ABP implementation that would be great.

    Abp uses standard oauth flow. https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

  • okains created

    hi

    You can add OpenIdConnect and Cookies authentication schemes to your separate site

    Then everything will work as in the Public website

    context.Services.AddAuthentication(options => 
    { 
        options.DefaultScheme = "Cookies"; 
        options.DefaultChallengeScheme = "oidc"; 
    }) 
    .AddCookie("Cookies", options => 
    { 
        options.ExpireTimeSpan = TimeSpan.FromDays(365); 
        options.CheckTokenExpiration(); 
    }) 
    .AddAbpOpenIdConnect("oidc", options => 
    { 
        options.Authority = configuration["AuthServer:Authority"]; 
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
        options.ResponseType = OpenIdConnectResponseType.CodeIdToken; 
     
        options.ClientId = configuration["AuthServer:ClientId"]; 
        options.ClientSecret = configuration["AuthServer:ClientSecret"]; 
     
        options.UsePkce = true; 
        options.SaveTokens = true; 
        options.GetClaimsFromUserInfoEndpoint = true; 
     
        options.Scope.Add("roles"); 
        options.Scope.Add("email"); 
        options.Scope.Add("phone"); 
        options.Scope.Add("MyProjectName"); 
    }); 
    

    OK then, to keep things clear, let's go back to this scenario with a separate .NET application. What code do I need to call / use in order to generate the correct URL as mentioned in the initial question?

  • maliming created
    Support Team Fullstack Developer

    You can call the Challenge to initiate the oidc flow.

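    [HttpGet]
    public virtual ActionResult Challenge(string returnUrl = "")
    {
        // Accept only local return URLs: an unvalidated RedirectUri is an open redirect.
        if (!Url.IsLocalUrl(returnUrl)) returnUrl = "/";

        // The "oidc" handler builds the authorize URL (state, nonce) and redirects to it.
        return Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, "oidc");
    }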
    

    https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.controllerbase.challenge?view=aspnetcore-7.0

Made with ❤️ on ABP v9.1.0-preview. Updated on November 20, 2024, 13:06