Is there any document about authorization or session management in ABP Commercial? If the ABP Commercial application extends the authorization function from ASP.NET Core, I want to know the document about it.
My goal
- Understand how the session is managed in ABP Commercial.
- How to access the backend API with the session info.
Background
- Now I'm setting up an OWASP ZAP client to test an ABP application.
- I want the OWASP ZAP client to log in to the ABP application itself before the penetration test.
- I have to set the OWASP ZAP configuration relating to authorization (e.g. authentication method, session management).
Thanks for your support.
ABP Framework version: Commercial 7.2
UI type: Angular
DB provider: EF Core
4 Answer(s)
-
0
Hi,
abp.io uses claims-based authentication and authorization. Please read more here: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-7.0#authentication-concepts You can find the code which works with ASP.NET Core here: https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AuthorizationInterceptor.cs https://github.com/abpframework/abp/blob/dev/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Login.cshtml.cs
Just FYI, ABP itself doesn't directly provide a "Session Management" module as a standalone feature; it's likely that it leverages the session management capabilities provided by the underlying ASP.NET Core framework.
Please check this similar ticket for reference: https://support.abp.io/QA/Questions/2234/How-to-maintain-session-information-in-ABP-framework
-
0
Thanks.
I have read the content you provided.
Now I have a question about the deeper implementation in the ABP application.
When I log in to the id application, there is no session info (image 1). After authentication redirects to the main application, there is session info (e.g. access_token, id_token, ...) in local storage (image 2).
My question is, how is the session info passed from the id application to the main application? Is there any global state, or do the services communicate via a back channel?
-
0
The id application generates the authorization code and then redirects to the client application, where the code is used to obtain the access token, refresh token and other claims.
You can read more about the authorization code flow here: https://documentation.openiddict.com/guides/choosing-the-right-flow.html#authorization-code-flow-recommended-for-new-applications
on angular: https://www.npmjs.com/package/angular-oauth2-oidc
https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-flow-strategy.ts https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-code-flow-strategy.ts#L35
The session details will be available on the client application after the user logs in. Please refer to the attached screenshot, where you can find the token details after user login on my localhost. FYI, you can read more about the ABP claims in: https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory For getting the current user details on the backend: https://docs.abp.io/en/abp/latest/CurrentUser The current user claims details: https://docs.abp.io/en/abp/latest/CurrentUser#icurrentprincipalaccessor
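The exchange described in this answer, as an added example that is not part of the original answer, of ABP, or of angular-oauth2-oidc: a self-contained simulation of the authorization code flow with PKCE. `MockAuthServer` stands in for the id application, `BrowserClient` for the Angular main application, and its `storage` map for the browser's local storage where the question observed `access_token` and `id_token`. The client id `MyApp_Angular`, the redirect URI and the user `alice` are constructed values. Note that the id application never hands the tokens to the browser directly: only a one-time code crosses the redirect, and the client application redeems it at the token endpoint with the PKCE verifier it kept locally.

```typescript
// Added example (not ABP's or angular-oauth2-oidc's code): simulated OAuth 2.0
// authorization code flow with PKCE. All names and values below are constructed.
import { createHash, randomBytes } from "crypto";

interface TokenSet { access_token: string; refresh_token: string; id_token: string; expires_in: number; }
interface TokenError { error: string; }

// Base64url without padding, as RFC 7636 requires for the PKCE challenge.
const b64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

export function pkceChallenge(verifier: string): string {
  return b64url(createHash("sha256").update(verifier).digest());
}

// The "id application": authenticates the user and issues a one-time code.
export class MockAuthServer {
  private pending = new Map<string, { clientId: string; redirectUri: string; challenge: string; subject: string }>();

  // Called after the user has logged in at the id application. Only a short-lived code
  // travels back through the browser; no token is exposed at this point.
  authorize(p: { client_id: string; redirect_uri: string; code_challenge: string; state: string; subject: string }): string {
    const code = b64url(randomBytes(16));
    this.pending.set(code, { clientId: p.client_id, redirectUri: p.redirect_uri, challenge: p.code_challenge, subject: p.subject });
    return `${p.redirect_uri}?code=${encodeURIComponent(code)}&state=${encodeURIComponent(p.state)}`;
  }

  // Token endpoint: the client application exchanges the code for tokens. The code is
  // single-use and bound to the client id, redirect URI and PKCE verifier.
  token(p: { code: string; client_id: string; redirect_uri: string; code_verifier: string }): TokenSet | TokenError {
    const entry = this.pending.get(p.code);
    this.pending.delete(p.code); // a replayed code must fail, even if the first attempt failed
    if (!entry) return { error: "invalid_grant" };
    if (entry.clientId !== p.client_id || entry.redirectUri !== p.redirect_uri) return { error: "invalid_grant" };
    if (pkceChallenge(p.code_verifier) !== entry.challenge) return { error: "invalid_grant" };
    // Constructed opaque tokens; a real server returns signed JWTs carrying the claims.
    return {
      access_token: `at.${entry.subject}.${b64url(randomBytes(12))}`,
      refresh_token: `rt.${b64url(randomBytes(12))}`,
      id_token: `idt.${entry.subject}`,
      expires_in: 3600,
    };
  }
}

// The "main application" (Angular client). `storage` stands in for localStorage.
export class BrowserClient {
  readonly storage = new Map<string, string>();
  private readonly clientId: string;
  private readonly redirectUri: string;
  constructor(clientId: string, redirectUri: string) { this.clientId = clientId; this.redirectUri = redirectUri; }

  // Step 1: generate state and PKCE verifier, remember them, and build the authorize request.
  startLogin(server: MockAuthServer, subject: string): string {
    const state = b64url(randomBytes(16));
    const verifier = b64url(randomBytes(32));
    this.storage.set("oauth_state", state);
    this.storage.set("pkce_verifier", verifier);
    return server.authorize({ client_id: this.clientId, redirect_uri: this.redirectUri,
      code_challenge: pkceChallenge(verifier), state, subject });
  }

  // Step 2: on the redirect back, check the state, then exchange the code for tokens.
  handleCallback(server: MockAuthServer, redirectUrl: string): TokenSet | TokenError {
    const url = new URL(redirectUrl);
    const code = url.searchParams.get("code") ?? "";
    const state = url.searchParams.get("state") ?? "";
    if (state !== this.storage.get("oauth_state")) return { error: "state_mismatch" };
    const verifier = this.storage.get("pkce_verifier") ?? "";
    this.storage.delete("oauth_state");
    this.storage.delete("pkce_verifier");
    const result = server.token({ code, client_id: this.clientId, redirect_uri: this.redirectUri, code_verifier: verifier });
    if ("error" in result) return result;
    this.storage.set("access_token", result.access_token);
    this.storage.set("refresh_token", result.refresh_token);
    this.storage.set("id_token", result.id_token);
    return result;
  }

  // Step 3: backend API calls carry the access token as a bearer token; no server-side
  // cookie session is involved, which is what a scanner such as ZAP must reproduce.
  authHeader(): Record<string, string> {
    const token = this.storage.get("access_token");
    return token ? { Authorization: `Bearer ${token}` } : {};
  }
}
```

The `state` check and the single-use, PKCE-bound code are the two controls that make the redirect safe to carry through the browser: a forged callback is rejected before any token request is made, and a code captured from the redirect cannot be redeemed a second time or without the verifier the client kept. For the scanner setup in the question, the practical consequence is that the "session" to reproduce is the bearer token on each API request, not a cookie.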
-
0
Hi,
We have updated our answer with more information. Please check again.