How to share an auth service between projects #10474


User avatar
0
mc86 created

Hello, I currently have two projects, A and B. Project A: BLAZOR WEB APP / tiered, MS SQL. Project B: BLAZOR WEB APP / tiered, MS SQL.

How can project A use project B's auth service?


8 Answer(s)
  • User Avatar
    0
    AI-Bot created
    Support Team ABP Agent
    • You don’t “reuse Project B’s auth service” by referencing code. In ABP, the correct approach is: Project B runs as a dedicated AuthServer (OpenIddict/OIDC), and Project A becomes an OIDC client that redirects users to Project B to sign-in and receives tokens.

    1) Make Project B the Auth Server (central)

    1. Ensure Project B has an *.AuthServer (or equivalent host) running and reachable, e.g.
      • https://auth.mycompany.com
    2. Make sure Project B issues tokens for the scopes/audiences that Project A will need (at minimum: openid, profile, email, roles, plus your API scope if A will call B’s APIs).

    2) Register Project A as a client in Project B (OpenIddict Application)

    Project A must exist as an OpenIddict application in Project B (client_id/client_secret + redirect URIs).

    Practical ABP way:

    • Use ABP OpenIddict “Application Management” to create an application for Project A (client).
    • Configure:
      • ClientId: e.g. ProjectA_Blazor
      • RedirectUri: https://project-a-host/signin-oidc
      • PostLogoutRedirectUri: https://project-a-host/signout-callback-oidc
      • Grant type: authorization_code (with PKCE recommended)
      • Scopes: openid profile email roles (+ API scopes you need)

    3) Configure Project A (Blazor Web App) to use Project B as Authority

    In Project A appsettings.json:

    "AuthServer": {
      "Authority": "https://auth.mycompany.com",
      "RequireHttpsMetadata": "true",
      "ClientId": "ProjectA_Blazor",
      "ClientSecret": "YOUR_CLIENT_SECRET"
    }
    

    Then in Project A authentication configuration (Program.cs / Module), set OpenId Connect to point to Project B (Authority = AuthServer:Authority) and ensure the redirect URI path matches /signin-oidc.

    4) (Optional) If Project A must call Project B’s HttpApi

    • Use the access token issued by Project B and call Project B’s API with Bearer {access_token}.
    • If Project A is also ABP and you want typed/dynamic proxies, use ABP’s HttpApi.Client approach (create/consume an API client package or add HttpApi.Client project reference pattern).

    Sources

    • https://abp.io/docs/latest/suite/solution-structure
    • https://abp.io/docs/latest/modules/openiddict#application-management
    • https://abp.io/support/questions/4849

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
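
Step 3 of the answer above written out as a minimal `Program.cs` for Project A. This is an added example, not code from the original answer or from the ABP templates; it assumes plain ASP.NET Core with the `Microsoft.AspNetCore.Authentication.OpenIdConnect` package and reads the `AuthServer` section shown in the answer.

```csharp
// Program.cs of Project A (added example; plain ASP.NET Core, not ABP template code).
// Requires the Microsoft.AspNetCore.Authentication.OpenIdConnect NuGet package.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
var auth = builder.Configuration.GetSection("AuthServer");

builder.Services
    .AddAuthentication(options =>
    {
        // Local session lives in a cookie; unauthenticated users are sent to Project B.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = auth["Authority"];
        // Defaults to true, so discovery metadata is only accepted over HTTPS
        // unless the setting is explicitly turned off (local development only).
        options.RequireHttpsMetadata = auth.GetValue("RequireHttpsMetadata", true);
        options.ClientId = auth["ClientId"];
        // Supply the secret from user-secrets or the environment, not from source control.
        options.ClientSecret = auth["ClientSecret"];

        // authorization_code grant with PKCE, matching the client registered in Project B.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;

        // Must match the RedirectUri / PostLogoutRedirectUri paths registered for the client.
        options.CallbackPath = "/signin-oidc";
        options.SignedOutCallbackPath = "/signout-callback-oidc";

        // Request only the scopes the client was granted.
        options.Scope.Clear();
        foreach (var scope in new[] { "openid", "profile", "email", "roles" })
            options.Scope.Add(scope);

        options.SaveTokens = true;                    // keep the access token for API calls
        options.GetClaimsFromUserInfoEndpoint = true;
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Any protected endpoint now triggers a redirect to the Authority for sign-in.
app.MapGet("/", (HttpContext ctx) => $"Signed in as {ctx.User.Identity?.Name}").RequireAuthorization();
app.Run();
```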

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

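    I currently have two projects, A and B. Project A: BLAZOR WEB APP / tiered, MS SQL. Project B: BLAZOR WEB APP / tiered, MS SQL.

    A and B each have an authserver project.

    In this case you can create a standalone authserver project, use it as the shared one, and remove the authserver from A and B.

    OpenIddict supports this scenario. You only need to change the application's redirect URL or add a new client.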

  • User Avatar
    0
    mc86 created

    Does the authserver use a separate database? How are user information and permissions handled?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The authserver needs to use the same database as the API.

    Blazor is a pure UI project.

  • User Avatar
    0
    mc86 created

    Projects A and B have separate databases. How can they use a shared auth server?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The auth server needs to authenticate users, which means it has the account module; it is a standalone identity server.

    Do A and B have API projects?

  • User Avatar
    0
    mc86 created

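    A and B have API projects; both were previously complete projects. We are now considering a common auth server: making B's auth server the shared one and having A use it. Besides adding application B in B's auth server, what else needs to be done? Add A's permission definitions to B's auth server?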

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    The most basic requirement is that the APIs in A and B and the authserver should preferably use the same database. Can this be achieved?

Made with ❤️ on ABP v10.3.0-preview. Updated on February 26, 2026, 13:35