
OAuth Password Grant Type in Use #1897


0
vishalnikam created
  • ABP Framework version: v4.3.1
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:

When we log in to the ABP application, the token is generated with the "Password" grant type. Can we use another grant type for login, since the password grant type is discouraged by OAuth 2.0 security best practices? Where can we change this, and will the new token work with user permissions?


5 Answer(s)
  • 0
    gterdem created
    Senior .NET Developer

    Yes, it is discouraged unless you trust the JS client and you know what you are doing.

    The default flow is Authorization Code with PKCE, and you can change the flow in the environment.ts file. You can check the Authorization section of the Angular UI docs for more details and how to do it.
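The two oAuthConfig shapes the answer above refers to, side by side, as an added example that is not from the thread or from ABP's own sources. The field names follow the ABP Angular template's environment.ts (which wraps angular-oauth2-oidc), and the issuer, client id, secret and scope values are placeholders, not real endpoints. The two helper functions are mine and only exist to make the difference between the configurations checkable.

```typescript
// Shape of environment.oAuthConfig in an ABP Angular project (assumed from the
// ABP Angular template; only the fields relevant to the grant type are modelled).
export interface OAuthConfig {
  issuer: string;
  clientId: string;
  scope: string;
  responseType?: string;       // 'code' => Authorization Code; the library adds PKCE
  redirectUri?: string;        // where IdentityServer sends the browser back
  dummyClientSecret?: string;  // only present for the password flow
  requireHttps?: boolean;
  oidc?: boolean;
}

// Discouraged: Resource Owner Password Credentials. The SPA collects the user's
// password itself and ships a "secret" to every browser that loads the app.
export const passwordFlowConfig: OAuthConfig = {
  issuer: 'https://localhost:44305/',      // placeholder
  clientId: 'MyProject_App',               // placeholder
  dummyClientSecret: '1q2w3e*',            // placeholder; visible in the bundle
  scope: 'offline_access MyProject',
  oidc: false,
};

// Recommended: Authorization Code with PKCE. No secret in the browser, and the
// password is typed only on the IdentityServer domain after a redirect.
export const pkceFlowConfig: OAuthConfig = {
  issuer: 'https://localhost:44305/',      // placeholder
  redirectUri: 'https://localhost:4200',   // placeholder
  clientId: 'MyProject_App',               // placeholder
  responseType: 'code',
  scope: 'offline_access MyProject',
  requireHttps: true,
};

export type GrantType = 'authorization_code' | 'password';

// Classify which grant a config drives, and reject a code-flow client that
// also carries a secret (a public SPA client should never have one).
export function grantTypeFor(cfg: OAuthConfig): GrantType {
  if (cfg.responseType === 'code') {
    if (cfg.dummyClientSecret !== undefined) {
      throw new Error('Authorization Code + PKCE client must not embed a client secret');
    }
    if (!cfg.redirectUri) {
      throw new Error('responseType "code" requires a redirectUri');
    }
    return 'authorization_code';
  }
  if (cfg.dummyClientSecret !== undefined) {
    return 'password';
  }
  throw new Error('oAuthConfig is neither a code flow nor a password flow');
}

// Review warnings a practitioner would raise before shipping the config.
export function lint(cfg: OAuthConfig): string[] {
  const warnings: string[] = [];
  if (grantTypeFor(cfg) === 'password') {
    warnings.push('password grant: discouraged by the OAuth 2.0 Security BCP; the SPA handles raw credentials and embeds a client secret');
  }
  if (!cfg.issuer.startsWith('https://')) {
    warnings.push('issuer is not https: tokens and credentials would travel in clear text');
  }
  return warnings;
}
```

Switching a project from one flow to the other is a matter of replacing the oAuthConfig object; the IdentityServer client record must allow the corresponding grant type and, for the code flow, list the redirectUri.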

  • 0
    vishalnikam created

    Hi,

    I generated a token with the "client_credentials" grant type through Postman and called services with that token. Token validation is working on the service side, but the permissions set in the ABP permission module are not working and it throws an unauthorized exception, whereas the "Password" grant type token works as expected. Could you suggest something on this?

  • 0
    gterdem created
    Senior .NET Developer

    When you use password_grant, you use the user for authenticating to the system, and the user has permissions declared for it (from roles or user permissions).

    When you use client_credentials, you use a secure, non-user other system (a back-end application, for example) for authenticating to the system. So we need to grant permissions to the non-user system, since it cannot have roles that have permissions.

    If you are using Postman to test and you need to grant a specific permission for your system, an easy way is to generate a GUID and add it into the database PermissionGrants table:

    ProviderName is C (for ClientCredential) and ProviderKey is the name of your system (client) saved in your IdentityServer Clients table.
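Why the client_credentials token passed validation but failed every permission check, as an added example that is not ABP's code: a small model of how a permission grant is resolved from the PermissionGrants table for the two kinds of token. The provider letters mirror ABP's built-in value providers (U for user, R for role, C for client); the column names, the AbpPermissionGrants table name and the claim names (sub, role, client_id) are assumptions for illustration, and the rows are constructed sample data.

```typescript
import { randomUUID } from 'node:crypto';

// One row of ABP's PermissionGrants table (assumed column set).
export interface PermissionGrantRow {
  Id: string;                     // GUID primary key; generate a fresh one per row
  Name: string;                   // permission name, e.g. 'MyProject.Books'
  ProviderName: 'U' | 'R' | 'C';  // U = user, R = role, C = client
  ProviderKey: string;            // user id for U, role name for R, IdentityServer client id for C
  TenantId: string | null;
}

// Access-token claims relevant to the check. A password-grant token carries
// sub and role claims; a client_credentials token carries only client_id.
export interface TokenClaims {
  sub?: string;
  role?: string[];
  client_id?: string;
}

// Constructed sample user id and client id (placeholders, not real values).
export const ALICE_ID = '11111111-1111-1111-1111-111111111111';
export const POSTMAN_CLIENT_ID = 'MyProject_Postman';

// The row gterdem describes: fresh GUID, ProviderName 'C', ProviderKey = client id.
export function newClientGrant(permission: string, clientId: string, tenantId: string | null = null): PermissionGrantRow {
  return { Id: randomUUID(), Name: permission, ProviderName: 'C', ProviderKey: clientId, TenantId: tenantId };
}

// Constructed sample table: one role grant, one user grant, one client grant.
export const grants: PermissionGrantRow[] = [
  { Id: randomUUID(), Name: 'MyProject.Books', ProviderName: 'R', ProviderKey: 'admin', TenantId: null },
  { Id: randomUUID(), Name: 'MyProject.Books.Create', ProviderName: 'U', ProviderKey: ALICE_ID, TenantId: null },
  newClientGrant('MyProject.Books', POSTMAN_CLIENT_ID),
];

// The (ProviderName, ProviderKey) pairs a token can satisfy. A client_credentials
// token has no sub and no roles, so it never matches a 'U' or 'R' row: that is
// the reason user and role grants do not apply to it.
export function providerKeysFor(claims: TokenClaims): Array<[string, string]> {
  const keys: Array<[string, string]> = [];
  if (claims.sub) keys.push(['U', claims.sub]);
  for (const r of claims.role ?? []) keys.push(['R', r]);
  if (claims.client_id) keys.push(['C', claims.client_id]);
  return keys;
}

// True when some row grants `permission` to one of the token's provider keys.
export function isGranted(claims: TokenClaims, permission: string, rows: PermissionGrantRow[] = grants): boolean {
  const keys = providerKeysFor(claims);
  return rows.some(row =>
    row.Name === permission &&
    keys.some(([provider, key]) => row.ProviderName === provider && row.ProviderKey === key));
}

// The parameterised statement to run by hand for the Postman case
// (T-SQL; table name assumed to follow ABP's default "Abp" prefix).
export const INSERT_CLIENT_GRANT_SQL =
  "INSERT INTO AbpPermissionGrants (Id, TenantId, Name, ProviderName, ProviderKey) " +
  "VALUES (NEWID(), NULL, @Name, 'C', @ClientId);";
```

The model also shows the failure mode from the question: a client_credentials token for a client with no 'C' row passes signature and audience validation but resolves to zero permissions, so every `[Authorize("...")]` endpoint rejects it.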

  • 0
    vishalnikam created

    Hi,

    Can I use the client_credentials grant in Angular? How do I set this in Angular, and will my application work with it as is, with users/roles and permissions? Or do I have to use the password grant type only?

  • 0
    gterdem created
    Senior .NET Developer

    No, you cannot use client_credentials in Angular; it is a server-to-server (backend-to-backend) flow.

    The suggested authentication flow for an SPA is Authorization Code with PKCE: you click to log in and get redirected to the authentication (IdentityServer) domain, then you log in on that domain.

    The other way is Resource Owner Password Credentials, where you host the login page in your SPA application and let users enter their username/password in your frontend application instead of redirecting to IdentityServer.
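The two SPA flows the last answer contrasts, written out as the actual messages, as an added example that is not part of the thread and not the Angular library's code. It builds the PKCE verifier/challenge pair, the authorize redirect and the code-for-token exchange, and next to them the single password-grant POST that Resource Owner Password Credentials replaces. Issuer, client id, redirect URI, scope and secret are placeholders; the /connect/authorize and /connect/token paths are IdentityServer's defaults.

```typescript
import { createHash, randomBytes } from 'node:crypto';

const ISSUER = 'https://localhost:44305';        // placeholder
const CLIENT_ID = 'MyProject_App';               // placeholder
const REDIRECT_URI = 'https://localhost:4200';   // placeholder
const SCOPE = 'openid profile offline_access MyProject';

// base64url without padding, as RFC 7636 requires for verifier and challenge.
export function base64url(buf: Buffer): string {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// S256 transform: challenge = BASE64URL(SHA256(ASCII(verifier))).
export function codeChallenge(verifier: string): string {
  return base64url(createHash('sha256').update(verifier, 'ascii').digest());
}

// The SPA keeps a high-entropy verifier for the duration of the flow and sends
// only its hash in the first request, so an intercepted code cannot be redeemed.
export function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = base64url(randomBytes(32)); // 43 chars, within RFC 7636's 43..128 range
  return { verifier, challenge: codeChallenge(verifier) };
}

// Step 1: redirect the browser to IdentityServer. The password is typed there,
// on the authorization server's origin, never in the SPA.
export function authorizeUrl(challenge: string, state: string): string {
  const params = new URLSearchParams({
    client_id: CLIENT_ID,
    response_type: 'code',
    redirect_uri: REDIRECT_URI,
    scope: SCOPE,
    state,                              // bound to the session to block CSRF on the callback
    code_challenge: challenge,
    code_challenge_method: 'S256',
  });
  return `${ISSUER}/connect/authorize?${params.toString()}`;
}

// Step 2: after the redirect back with ?code=..., exchange it for tokens.
// No client secret: the verifier proves this is the client that started the flow.
export function tokenRequestForCode(code: string, verifier: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    client_id: CLIENT_ID,
    redirect_uri: REDIRECT_URI,
    code,
    code_verifier: verifier,
  });
}

// What the token endpoint does with a PKCE exchange: recompute and compare.
export function serverAcceptsVerifier(storedChallenge: string, presentedVerifier: string): boolean {
  return codeChallenge(presentedVerifier) === storedChallenge;
}

// For contrast, the Resource Owner Password Credentials request an SPA-hosted
// login page would POST to /connect/token: raw credentials plus a "secret"
// that every user of the SPA can read out of the bundle.
export function tokenRequestForPassword(username: string, password: string): URLSearchParams {
  return new URLSearchParams({
    grant_type: 'password',
    client_id: CLIENT_ID,
    client_secret: '1q2w3e*',            // placeholder; not secret in a browser
    username,
    password,
    scope: SCOPE,
  });
}
```

Both POST bodies go to the same token endpoint, which is why the issue reads as "just another grant type" from the SPA's side; the difference is that with the code flow the SPA never sees the password and carries no secret, and a stolen authorization code is useless without the verifier.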

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09