Open Closed

Securing core abp apis using a custom scope #7107


User avatar
0
mogau.mokgabudi created
  • ABP Framework version: v8.0.3
  • UI Type: Angular
  • Database System: EF Core (Oracle) / MongoDB
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace: None
  • Steps to reproduce the issue: None

Hi guys, my team and I are planning to expose a few apis to external clients, and in doing so we want to limit certain apis using an OpenIddict scope. We've managed to successfully do this with our custom apis but having an issue the core abp apis.

These are some of them, we'd like to limit these apis using a scope. So only the application authorized can access these endpoints even if the authenticated user has the required roles /api/audit-logging/* /api/setting-management/* /api/file-management/*

Please assist

Regards, Mogau


4 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can try something like this: https://stackoverflow.com/questions/71769968/asp-net-core-web-api-use-roles-and-requiredscope-concurrent

    [Dependency(ReplaceServices = true)]
    [ExposeServices(typeof(AuditLogsController))]
    [Authorize("auditlogging")]
    public class MyAuditController : AuditLogsController
    {
        public MyAuditController(IAuditLogsAppService auditLogsAppService) : base(auditLogsAppService)
        {
        }
    }
    
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Here is a simpler way:

    You can check scope in middleware:

    app.Use(async (context, next) =>
    {
        if (context.Request.Path.ToString().Contains("/api/audit-logging"))
        {
            // check users's ciaml here.
        }
        await next();
    });
    
  • User Avatar
    0
    mogau.mokgabudi created

    Thanks liangshiwei, I'll try the controller override method.

    We're already using a policy for the other services and this allows us to check for the primary scope but also grant access if a child scope is permitted.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    You can add your own IAuthorizationRequirement to check the scope and child scope.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 12, 2024, 07:15