Thank for you suggestion. So in option 1 do I need to configure post logout url which goes to OpenIddictApplications tables PostLogoutRedirectUris column? And do you talking about this where I need to configure redirect uri?https://github.com/abpframework/abp/blob/8.3.4/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Logout.cshtml.cs So instead of setting my appplication logged-out path to post redirect logout uri I set auth servers /Account/Logout to same redirect path?
So we need to take auth code to our repo. We have tried to avoid that to ease versio upgrades. But maybe we this is only temporal solution and after we update to 9 there is already that fix and we can remove our custom code. What is minimum amount of code/module we need to take and override? Do we need to override only login and registration pages and is it possible to only override them and not take whole auth server code base?
So is this going to be fixed when? And is change coming only to 9 version or also to 8 version? And how big security risk do you think this is? Because for my perspective it is quite big.
When tenant has only one third party auth provider set to use and local login is not in use user is forwarded to thrid party login page automatically as you know. If that user click logout, user is redirected to logged-out page in our application after user is logged out. In that page I added button which user can click and return to application. What if user wants to change Tenant to other. Like our user suppport. They use impersonator so they can go any tenant. Now if they go to any tenant which have local login disabled and azure login is used for example they cannot change tenant anymore in login page because auth server is remembering tenant and redirecting to microsoft login page before user can change tenant.
In local environment with ng serve both applications are in same domain, localhost. In that scenario it was enough to clear __tenant cookie from cookie. But now it is not working in our Azure environemnt where application is in application-test.ab.app and auth server is auth.application-test.ab.app. When I'm in application I see this cookie.
Currently I am trying this to forget tenant when user is logging out:
cookieService.delete('__tenant', '/');
sessionStateService.setTenant(undefined);
I use ngx-cookie-service to delete cookie. I also tried to set tenant to undefined.
I know that I cannot delete cookie from another domain. So do you have any solution to forget selected tenant. I only need to do this for tenants which are not using local login.
Yes but still user can select first his own tenant where he/she has permission to login. Then after that login user change to other tenant and goes to wrong tenant where he was not authorized.
If user change tenant to other before login then he cannot even login to third party auth provider and there is no problem.
Yep that is what it should that user can change before login but after user has logged in third party(Microsoft) user should to be able to change tenant. Are you going to change this when? Because this is quite big security risk.
May I add that I get those errors only when running proejct locally with ng serve. When I publish my project to server there is no errors in console.
But if you change tenant before login it uses that users external login settings where user has no permissions. But in my descripted scenario user selects own tenant where he/she hasn't yet registered and login using that tenants external login settings. After external login where user has been verified by its own tenant settings user can change to other tenant and register himself to that tenant without any verification that user has rights to that tenant. Other tenant names can be guess quite easily because in our company we have many reference customers in our website where user can find company names.
If user select his own tenant but not have yet registered into it. After user has logged in for example in microsoft login page user is returned to register page. In register page user can change his username and email but also can change tenant. If user knows any other tenant which have self registration in use user can change to that tenant and then click register button. This way it is possible to go into wrong tenant. User can for example go to host tenant by clearing tenant in dialog.
Is this real problem and can you reproduce it?
Auth server is separated.
Angular version is 18.2.13 as suggested in 8.3 upgrade guide. I got error in browser console but everything seems to be working. Original error:
Cannot find the fi-FI locale file. You can check how can add new culture at https://abp.io/docs/latest/framework/ui/angular/localization#adding-a-new-culture
original related code:
import { registerLocaleData } from '@angular/common';
import { registerLocale } from '@volo/abp.ng.language-management/locale';
registerLocaleData(localeFi);
provideAbpCore(
withOptions({
environment,
registerLocaleFn: registerLocale(),
}),
)
After I read this guide https://abp.io/docs/latest/framework/ui/angular/localization#adding-a-new-culture I added this code.
import { differentLocales } from '@abp/ng.core';
export function registerLocale(locale: string) {
return import(
/* webpackChunkName: "_locale-[request]"*/
/* webpackInclude: /[/\\](/docs/latest/framework/ui/angular/en%7Cfi).js/ */
/* webpackExclude: /[/\\]global|extra/ */
`@angular/common/locales/${differentLocales[locale] || locale}.js`
);
}
and I also tried to add localization through angular.json polyfills array like this.
"polyfills": [
"src/polyfills.ts",
"@angular/localize/init",
"@angular/common/locales/fi"
],
Exception what I get in browser console is this:
TypeError: Failed to resolve module specifier '@angular/common/locales/fi.js'
at registerLocale (app.module.ts:74:60)
74 line is @angular/common/locales/${differentLocales[locale] || locale}.js
I also tried this compination.
import { registerLocale } from '@abp/ng.core/locale';
provideAbpCore(
withOptions({
environment,
registerLocaleFn: registerLocale({
cultureNameLocaleFileMap: {
'fi-FI': 'fi',
},
errorHandlerFn: error => {
console.error('Error registering locale:', error);
},
}),
}),
),
but no luck.
So how those localizations should be loaded?
ps. this makes no sence in abp support form. Which one is yes, MVC or Angular?
