Activities of "Repunjay_TASC"

Hi liangshiwei,

As per you suggestion i have added above code in project , however, it's not working as expected. After click on login page directly redirected to IDP , please find attached screen shot.

It causes my existing login function to fail if the user is not a third-party user. When the user clicks the login button, they are automatically redirected to the IDP login page, which results in a failure scenario

Login should handle both the scenario.

1. Existing ABP.IO login page.
2. when a client clicks on our application logo (which is already configured within their application), they should be redirected directly to the IdP's login page instead of the ABP.IO login page. After authentication with the IdP, the user should be redirected to our dashboard.

how to remove account module and install the account pro module ? Can you pls provide steps

Thanks for update; I have created new abp.io template project and this Account option not visible for me what configuration required to visible this options.

• ABP Framework version: 8.0
• UI Type: Angular
• Database System: EF Core (PostgreSQL)
• Auth Server Separated (for Angular): yes
• Exception message and full stack trace:
• Steps to reproduce the issue:

Objective: To bypass the ABP.IO login page and redirect users directly to the IdP’s login page, and after successful authentication, redirect them to application’s dashboard.

Description :- I have integrated OpenIdConnect with a third-party Identity Provider (IdP) in a new ABP.IO template project, and it is working as expected. However, we have a requirement where, when a client clicks on our application logo (which is already configured within their application), they should be redirected directly to the IdP's login page instead of the ABP.IO login page. After authentication with the IdP, the user should be redirected to our dashboard.

I need assistance how to handle routing and above scenario in abp.io template.

<br> I don't want to show below screen for OpenIdConnect login user.

Hi Basically we have old abp.io template .NET core microservices. And i use below code in gateway as well as Identity server as well

while access below end points facing issue

error System.InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://localhost:44350/.well-known/openid-configuration'. Will retry at '8/21/2024 8:41:25 AM +00:00'. Exception: 'System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Json.JsonConvert' from assembly 'Microsoft.IdentityModel.Tokens, Version=7.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at Microsoft.IdentityModel.Protocols.ConfigurationManager1.GetConfigurationAsync(CancellationToken cancel)'. ---> System.TypeLoadException: Could not load type 'Microsoft.IdentityModel.Json.JsonConvert' from assembly 'Microsoft.IdentityModel.Tokens, Version=7.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35'. at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.Microsoft.IdentityModel.Protocols.IConfigurationRetriever<Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfiguration>.GetConfigurationAsync(String address, IDocumentRetriever retriever, CancellationToken cancel) at Microsoft.IdentityModel.Protocols.ConfigurationManager1.GetConfigurationAsync(CancellationToken cancel) --- End of inner exception stack trace --- at Microsoft.IdentityModel.Protocols.ConfigurationManager1.GetConfigurationAsync(CancellationToken cancel) at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() at Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerHandler.HandleAuthenticateAsync() at Microsoft.AspNetCore.Authentication.AuthenticationHandler1.AuthenticateAsync() at Microsoft.AspNetCore.Authentication.AuthenticationService.AuthenticateAsync(HttpContext context, String scheme) at Microsoft.AspNetCore.Authorization.Policy.PolicyEvaluator.AuthenticateAsync(AuthorizationPolicy policy, HttpContext context) at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context) at Volo.Abp.AspNetCore.MultiTenancy.MultiTenancyMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context) at SCV.Litmus.Shared.DecryptHttpHeadersMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\Projects\core-platform-2\SCV.Litmus\aspnet-core\shared\SCV.Litmus.Shared\Middleware\DecryptHttpHeadersMiddleware.cs:line 51 at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext() --- End of stack trace from previous location --- at SCV.Litmus.Shared.DecryptHttpRequestMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in D:\Projects\core-platform-2\SCV.Litmus\aspnet-core\shared\SCV.Litmus.Shared\Middleware\DecryptHttpRequestMiddleware.cs:line 103 at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext() --- End of stack trace from previous location --- at SCV.Litmus.LitmusHttpApiHostModule.<>c.<<OnApplicationInitialization>b__12_0>d.MoveNext() in D:\Projects\core-platform-2\SCV.Litmus\aspnet-core\gateways\SCV.Litmus.HttpApi.Host\LitmusHttpApiHostModule.cs:line 683 --- End of stack trace from previous location --- at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context) at Microsoft.AspNetCore.RequestLocalization.AbpRequestLocalizationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.<>c__DisplayClass6_1.<<UseMiddlewareInterface>b__1>d.MoveNext() --- End of stack trace from previous location --- at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

How to fix this error

It's High priority task, However, can you please setup call, we can connect resolve this error.

The users authenticated through an external SSO are not our application users; the only similarity is the email address. After the user is authenticated via SSO, authorization is managed within our application.

oh, you need to configure an external OIDC provider in the authserver project

https://abp.io/docs/latest/modules/account-pro#social-external-logins

https://abp.io/support/questions/5427/HOW-TO-AUTHENTICATE-EXERNAL-SSO-TOKEN-WITH-ADMIN-APIS this support ticket also taking same right ?

However, If you have any references or step-by-step guidance on how to integrate OIDC SSO, could you please provide project link or details?

To integrate SSO Integration, you basically only need to share cookies between subdomains

I am still confuse because as per below abp.io support ticket i have follow instruction. https://abp.io/support/questions/5427/HOW-TO-AUTHENTICATE-EXERNAL-SSO-TOKEN-WITH-ADMIN-APIS

You mentioned that the code I provided might not be necessary for handling SSO integration using cookies across subdomains. However, the step-by-step details are not clearly outlined. Could you provide a more detailed explanation or clarification? https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-8.0

My requirement :- The users authenticated through an external SSO are not our application users; the only similarity is the email address. After the user is authenticated via SSO, authorization is managed within our application.

Hi,

you don't need to add OAuth2 to the gateway.

But, Our identity server URL is configured in the API Gateway. Whenever I access any identity server API, I first redirect through the API Gateway, which then internally calls the identity server API.

However, If you have any references or step-by-step guidance on how to integrate OIDC SSO, could you please provide project link or details?

Thanks for response.

Above code i have mention is it correct way to implement for SSO. However, I'll add cookies code between subdomains.

• ABP Framework version: 7.4.2
• UI Type: Angular
• Database System: EF Core (PostgreSQL)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes
• Exception message and full stack trace:
• Steps to reproduce the issue:
• How to integrate SSO Integration Using OAuth2/OpenID Connect ?
• If above mentioned integrations possible with my current application, Could you please provide documentation/guides/steps to do the same.

However, I have added very high level analysis code please go thought it and let me know correct or not ?

Step 1: Add NuGet Packages Ensure you have the following packages installed in our Gateway web project :

<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="5.0.0" />

<PackageReference Include="Microsoft.IdentityModel.Protocols.OpenIdConnect" Version="6.8.0" />

Step 2: Configure appsettings.json

Add the OpenIdConnect settings to gateway appsettings.json:

{ 
  "Authentication": { 
    "OpenId": { 
      "Authority": "https://{yourOktaDomain}/oauth2/default", 
      "ClientId": "{yourClientId}", 
      "ClientSecret": "{yourClientSecret}", 
      "ResponseType": "code", 
      "SaveTokens": true, 
      "GetClaimsFromUserInfoEndpoint": true, 
      "Scope": "openid profile email" 
    } 
  } 
} 


3. Update the `ConfigureServices` and `Configure` methods to set up authentication:  


//The code you provided configures authorization policies in your application,
specifically setting a default authorization policy that requires users to be authenticated
using either the primary JWT Bearer scheme or the OIDC JWT Bearer scheme.

 private static void ConfigureAuthentication(ServiceConfigurationContext context, IConfiguration configuration)
        {

            context.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
                {
                    options.Authority = configuration["AuthServer:Authority"];
                    options.RequireHttpsMetadata = false;
                    options.Audience = configuration["AuthServer:ApiResource"];
                })
                .AddJwtBearer("OIDC", options =>
                {
                    options.Audience = configuration["AuthServer:ApiResource"];
                    options.RequireHttpsMetadata = false;
                    options.Authority = configuration["AuthServer:Authority"];
                });
            Log.Information($"ApiResource: {configuration["AuthServer:ApiResource"]}");

            // Authorization
            context.Services.AddAuthorization(options =>
            {
                var defaultAuthorizationPolicyBuilder = new AuthorizationPolicyBuilder(
                    JwtBearerDefaults.AuthenticationScheme,
                    "OIDC");
                defaultAuthorizationPolicyBuilder =
                    defaultAuthorizationPolicyBuilder.RequireAuthenticatedUser();
                options.DefaultPolicy = defaultAuthorizationPolicyBuilder.Build();
            });
        }
       


public void ConfigureServices(IServiceCollection services) 
    { 
	need to discuss commented code
        //services.AddAuthentication(options => 
       // { 
          //  options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme; 
          //  options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme; 
        //}) 
       // .AddCookie() 
        .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options => 
        { 
            options.Authority = Configuration["Authentication:OpenId:Authority"]; 
            options.ClientId = Configuration["Authentication:OpenId:ClientId"]; 
            options.ClientSecret = Configuration["Authentication:OpenId:ClientSecret"]; 
            options.ResponseType = Configuration["Authentication:OpenId:ResponseType"]; 
            options.SaveTokens = Configuration["Authentication:OpenId:SaveTokens"]; 
            options.GetClaimsFromUserInfoEndpoint = Configuration["Authentication:OpenId:GetClaimsFromUserInfoEndpoint"]; 
            options.Scope.Add("openid"); 
            options.Scope.Add("profile"); 
            options.Scope.Add("email"); 
        }); 
    }
	
public override void OnApplicationInitialization(ApplicationInitializationContext context)
{
	 app.UseAuthentication(); 
         app.UseAuthorization(); 
}

modules\Identity-core\src\Identity.HttpApi\Controllers\OIDC\OIDCController.cs

Note :-  AuthenticationSchemes we can use Controllers or Method level as well
namespace Identity.Controllers.OIDC
{    
    [Route("api/OIDC")]
    [Authorize(AuthenticationSchemes = "OIDC")]
    public class OIDCController : AbpController, OIDCAppService
    {
    }
	
    [Authorize("OIDC")]
    public Task CreateAsync(CreateAuthorDto input)
    {
    }
	
      all IDP  end points. 
}