
Azure AD per tenant setup #2468


User avatar
0
shobhit created
  • ABP Framework version: v4.2.2
  • UI type: Angular
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes /
  • Exception message and stack trace: NA
  • Steps to reproduce the issue: NA

Hi Team, I have made changes in the Identity Server and Host service to support the Azure AD authorization provider. I need 2 answers:

  1. Now the host and every tenant both get the "Azure AD" authorization button, but we would like to have the Azure AD auth button based on the host/tenant configuration and consider the respective configuration values only.
  2. By default ABP doesn't provide UI for external providers except Google, Microsoft and Twitter. How can I add UI for these providers, i.e. extend the current UI?

18 Answer(s)
  • User Avatar
    0
    shobhit created

    Hello team, any update for me? I have tried to look from my side.

        // Needs: using System.Security.Claims; using Microsoft.IdentityModel.Protocols.OpenIdConnect;
        context.Services.AddAuthentication()
            .AddTwitter(TwitterDefaults.AuthenticationScheme, options => options.RetrieveUserDetails = true)
            .WithDynamicOptions<TwitterOptions, TwitterHandler>(
                TwitterDefaults.AuthenticationScheme,
                options =>
                {
                    // Keys are read from the Account external-provider settings of the current host/tenant
                    options.WithProperty(x => x.ConsumerKey);
                    options.WithProperty(x => x.ConsumerSecret, isSecret: true);
                }
            )
            .AddOpenIdConnect("AzureOpenId", "Azure AD OpenId", options =>
            {
                // Static values from appsettings: the same Azure AD app is used for the host and every tenant
                options.Authority = "https://login.microsoftonline.com/" + configuration["AzureAd:TenantId"] + "/v2.0/";
                options.ClientId = configuration["AzureAd:ClientId"];
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                options.CallbackPath = configuration["AzureAd:CallbackPath"];
                options.ClientSecret = configuration["AzureAd:ClientSecret"];
                options.RequireHttpsMetadata = false; // development only; keep the default (true) in production
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("email");
                options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
            });
    

    As per my understanding, `.WithDynamicOptions<TwitterOptions, TwitterHandler>(` does a lot of magic. Now the question is: given `TwitterOptions, TwitterHandler`, what will be the options and handler types for Azure AD and O365?

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    You can use WithDynamicOptions for AzureOpenId.

  • User Avatar
    0
    shobhit created

    Hello Maliming, I have made the following changes:

    1. IdentityServerModule --> ConfigureServices() method: made the following changes:

        context.Services.AddAuthentication()
            .AddOpenIdConnect("AzureOpenId", "Azure AD OpenId", options =>
            {
                options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
                options.RequireHttpsMetadata = false; // development only
                options.SaveTokens = true;
                options.GetClaimsFromUserInfoEndpoint = true;
                options.Scope.Add("email");
                options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
                options.CallbackPath = configuration["AzureAd:CallbackPath"];
                // Moved to per host/tenant settings via WithDynamicOptions below:
                //options.Authority = "https://login.microsoftonline.com/" + configuration["AzureAd:TenantId"] + "/v2.0/";
                //options.ClientId = configuration["AzureAd:ClientId"];
                //options.ClientSecret = configuration["AzureAd:ClientSecret"];
            })
            .WithDynamicOptions<OpenIdConnectOptions, OpenIdConnectHandler>(
                "AzureOpenId",
                options =>
                {
                    options.WithProperty(x => x.Authority);
                    options.WithProperty(x => x.ClientId);
                    options.WithProperty(x => x.ClientSecret, isSecret: true);
                }
            );

    2. The value in AbpSettings looks like:

        [
          {"name":"Google","enabled":true,"properties":[{"name":"ClientId","value":"XXXX"}],"secretProperties":[{"name":"ClientSecret","value":"XXXX"}]},
          {"name":"Microsoft","enabled":true,"properties":[{"name":"ClientId","value":"XXXX"}],"secretProperties":[{"name":"ClientSecret","value":"XXXX"}]},
          {"name":"Twitter","enabled":false,"properties":[{"name":"ConsumerKey","value":null}],"secretProperties":[{"name":"ConsumerSecret","value":null}]},
          {"name":"AzureOpenId","enabled":true,"properties":[{"name":"ClientId","value":"YYYY"},{"name":"Authority","value":"YYYY"}],"secretProperties":[{"name":"ClientSecret","value":"YYYY"}]}
        ]

    3. I could see the Azure AD button.
    4. On button click it is breaking:

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Are these values right?

  • User Avatar
    0
    shobhit created

    :). No, the values are not correct, but in the code I have used the right ones.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    Can you share a sample project that includes the AddOpenIdConnect client secret with me?

    liming.ma@volosoft.com

  • User Avatar
    0
    shobhit created

    Sure, will do. I don't have a sample project but will share the actual keys.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    ok, I will check it asap.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    
    // In the module's ConfigureServices (needs Microsoft.Extensions.DependencyInjection.Extensions for Replace):
    context.Services.AddAuthentication()
        .AddOpenIdConnect("AzureOpenId", "Azure AD", options =>
        {
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            options.RequireHttpsMetadata = false; // development only; keep the default (true) in production
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Add("email");
            options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
            options.CallbackPath = "/callback";
        })
        // Authority, ClientId and ClientSecret are read per host/tenant from the
        // Account external-provider settings instead of from appsettings.
        .WithDynamicOptions<OpenIdConnectOptions, OpenIdConnectHandler>(
            "AzureOpenId",
            options =>
            {
                options.WithProperty(x => x.Authority);
                options.WithProperty(x => x.ClientId);
                options.WithProperty(x => x.ClientSecret, isSecret: true);
            }
        );

    // Replace ABP's options manager so the OpenID Connect post-configuration runs again
    // after the tenant values are applied; otherwise the handler keeps the metadata
    // client that was built for the original (host) Authority.
    context.Services.Replace(ServiceDescriptor
        .Scoped<AccountExternalProviderOptionsManager<OpenIdConnectOptions>,
            OpenIdAccountExternalProviderOptionsManager>());

    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.AspNetCore.DataProtection;
    using Microsoft.Extensions.Options;
    using Volo.Abp.Account.ExternalProviders;
    using Volo.Abp.Account.Public.Web.ExternalProviders;
    using Volo.Abp.MultiTenancy;
    using Volo.Abp.Security.Encryption;

    namespace MyCompanyName.MyProjectName.Web.OpenId;

    public class OpenIdAccountExternalProviderOptionsManager : AccountExternalProviderOptionsManager<OpenIdConnectOptions>
    {
        private readonly OpenIdConnectPostConfigureOptions _openIdConnectPostConfigureOptions;

        public OpenIdAccountExternalProviderOptionsManager(
            IOptionsFactory<OpenIdConnectOptions> factory,
            IAccountExternalProviderAppService accountExternalProviderAppService,
            IStringEncryptionService stringEncryptionService,
            ITenantConfigurationProvider tenantConfigurationProvider,
            IDataProtectionProvider dataProtection) :
            base(factory, accountExternalProviderAppService, stringEncryptionService, tenantConfigurationProvider)
        {
            _openIdConnectPostConfigureOptions = new OpenIdConnectPostConfigureOptions(dataProtection);
        }

        protected async override Task OverrideOptionsAsync(string name, OpenIdConnectOptions options)
        {
            // Apply the Authority/ClientId/ClientSecret stored for the current host/tenant...
            await base.OverrideOptionsAsync(name, options);
            // ...then rebuild the ConfigurationManager (discovery document, signing keys) for that Authority.
            _openIdConnectPostConfigureOptions.PostConfigure(name, options);
        }
    }
    
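The options-manager pattern in the post above, as an added example that is not code from the thread or from ABP: a variant of the manager that validates the tenant-supplied Authority before the OpenID Connect post-configure step rebuilds the metadata client, and keeps HTTPS metadata required. The class name and the `AllowedAuthorityHosts` list are assumptions (a real host would load the list from its own configuration); the ABP and ASP.NET Core types are the ones used in the post.

```csharp
// Added example, not part of the thread or of ABP. Assumes the ABP/ASP.NET Core
// types used in the post; the allow-list and class name are hypothetical.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.Options;
using Volo.Abp.Account.ExternalProviders;
using Volo.Abp.Account.Public.Web.ExternalProviders;
using Volo.Abp.MultiTenancy;
using Volo.Abp.Security.Encryption;

namespace MyCompanyName.MyProjectName.Web.OpenId;

public class ValidatingOpenIdAccountExternalProviderOptionsManager
    : AccountExternalProviderOptionsManager<OpenIdConnectOptions>
{
    // Hypothetical allow-list of issuers the host is willing to redirect sign-in to
    // and fetch discovery metadata from; load it from host configuration in practice.
    private static readonly string[] AllowedAuthorityHosts = { "login.microsoftonline.com" };

    private readonly OpenIdConnectPostConfigureOptions _postConfigure;

    public ValidatingOpenIdAccountExternalProviderOptionsManager(
        IOptionsFactory<OpenIdConnectOptions> factory,
        IAccountExternalProviderAppService accountExternalProviderAppService,
        IStringEncryptionService stringEncryptionService,
        ITenantConfigurationProvider tenantConfigurationProvider,
        IDataProtectionProvider dataProtection)
        : base(factory, accountExternalProviderAppService, stringEncryptionService, tenantConfigurationProvider)
    {
        _postConfigure = new OpenIdConnectPostConfigureOptions(dataProtection);
    }

    protected override async Task OverrideOptionsAsync(string name, OpenIdConnectOptions options)
    {
        // Applies Authority/ClientId/ClientSecret from the host/tenant settings.
        await base.OverrideOptionsAsync(name, options);

        // Fail closed: a tenant value that is missing or points outside the allow-list
        // stops the provider instead of silently being used.
        EnsureAuthorityIsTrusted(options.Authority);

        // The snippets in the thread disable this for development; keep the default here.
        options.RequireHttpsMetadata = true;

        // Rebuilds the ConfigurationManager for the tenant's Authority.
        _postConfigure.PostConfigure(name, options);
    }

    // Accepts only an absolute https URL whose host is on the allow-list.
    internal static void EnsureAuthorityIsTrusted(string? authority)
    {
        if (!Uri.TryCreate(authority, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !AllowedAuthorityHosts.Contains(uri.Host, StringComparer.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Refusing OpenID Connect authority '{authority}': it must be an https URL on one of: "
                + string.Join(", ", AllowedAuthorityHosts));
        }
    }
}
```

Register it with the same `context.Services.Replace(...)` call shown in the post, substituting this class name. The reason for the check is that in this setup the Authority is a value a tenant administrator types into Settings => Account => External provider, so the host, not the tenant, should decide which issuers its login page is allowed to talk to; throwing rather than falling back keeps a misconfigured tenant from quietly reusing the host's issuer.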
    
  • User Avatar
    0
    shobhit created

    Thanks Maliming. Appreciated. Working as expected. Will do full testing.

    Please help me on below points also:

    1. By default ABP doesn't provide UI for external providers except Google, Microsoft and Twitter. How can I add UI for these providers, i.e. extend the current UI?
    2. How to configure an O365 external provider.
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Using WithDynamicOptions will automatically add the UI: Settings => Account => External provider

    How to configure an O365 external provider.

    You can search it in Google. I don't know O365.

  • User Avatar
    0
    shobhit created

    Thanks. Got it. Appreciate all the help.

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    : )

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    I will fix this problem in the next version.

  • User Avatar
    0
    shobhit created

    Thanks Maliming.

    Now I am facing another issue:

    1. I have logged in as a tenant.
    2. I could see all external providers are enabled with the default host setting.
    3. I uncheck all of them and hit save (without adding any data). A success message is displayed and the AbpSettings table has a new record with the following data:

        [
          {"name":"AzureOpenId","enabled":true,"properties":[{"name":"Authority","value":null},{"name":"ClientId","value":null}],"secretProperties":[{"name":"ClientSecret","value":null}]},
          {"name":"Google","enabled":true,"properties":[{"name":"ClientId","value":""}],"secretProperties":[{"name":"ClientSecret","value":""}]},
          {"name":"Microsoft","enabled":true,"properties":[{"name":"ClientId","value":""}],"secretProperties":[{"name":"ClientSecret","value":""}]}
        ]

    4. I refresh the page and recheck the data. Again all external providers are checked.
    5. Now I have made changes in the AbpSettings value like this (manually set "enabled" to false):

        [
          {"name":"AzureOpenId","enabled":false,"properties":[{"name":"Authority","value":null},{"name":"ClientId","value":null}],"secretProperties":[{"name":"ClientSecret","value":null}]},
          {"name":"Google","enabled":false,"properties":[{"name":"ClientId","value":""}],"secretProperties":[{"name":"ClientSecret","value":""}]},
          {"name":"Microsoft","enabled":false,"properties":[{"name":"ClientId","value":""}],"secretProperties":[{"name":"ClientSecret","value":""}]}
        ]

    6. Still the user can see all provider options.
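A check over the setting value shown in the post above, as an added example that is not code from the thread or from ABP: it parses the external-provider JSON and reports providers that are marked enabled while any property or secret is blank, which is the state the tenant save produced. The sample JSON is constructed from the post with placeholder values, and the class names are assumptions; ABP's own setting name and storage are not touched.

```csharp
// Added example, not part of the thread or of ABP. The DTO and class names are
// hypothetical; the JSON shape is the one shown in the thread. Uses C# 11 raw strings.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using System.Text.Json.Serialization;

public sealed class ProviderProperty
{
    [JsonPropertyName("name")] public string Name { get; set; } = "";
    [JsonPropertyName("value")] public string? Value { get; set; }
}

public sealed class ExternalProviderSetting
{
    [JsonPropertyName("name")] public string Name { get; set; } = "";
    [JsonPropertyName("enabled")] public bool Enabled { get; set; }
    [JsonPropertyName("properties")] public List<ProviderProperty> Properties { get; set; } = new();
    [JsonPropertyName("secretProperties")] public List<ProviderProperty> SecretProperties { get; set; } = new();
}

public static class ExternalProviderSettingCheck
{
    // Parses the setting value and returns the names of providers that are enabled but
    // have at least one blank (null or whitespace) property or secret. Such a provider
    // cannot complete a sign-in, so a host would treat it as disabled and refuse to
    // persist it as enabled, rather than render a login button for it.
    public static IReadOnlyList<string> FindEnabledButUnconfigured(string settingJson)
    {
        var providers = JsonSerializer.Deserialize<List<ExternalProviderSetting>>(settingJson)
                        ?? new List<ExternalProviderSetting>();

        return providers
            .Where(p => p.Enabled)
            .Where(p => p.Properties.Concat(p.SecretProperties)
                         .Any(x => string.IsNullOrWhiteSpace(x.Value)))
            .Select(p => p.Name)
            .ToList();
    }

    // Constructed sample: the tenant record from the post, with placeholder values for
    // the one provider that is fully configured.
    private const string SampleTenantSetting = """
        [
          {"name":"AzureOpenId","enabled":true,"properties":[{"name":"Authority","value":null},{"name":"ClientId","value":null}],"secretProperties":[{"name":"ClientSecret","value":null}]},
          {"name":"Google","enabled":true,"properties":[{"name":"ClientId","value":""}],"secretProperties":[{"name":"ClientSecret","value":""}]},
          {"name":"Microsoft","enabled":true,"properties":[{"name":"ClientId","value":"placeholder-client-id"}],"secretProperties":[{"name":"ClientSecret","value":"placeholder-client-secret"}]}
        ]
        """;

    public static void Main()
    {
        foreach (var name in FindEnabledButUnconfigured(SampleTenantSetting))
        {
            Console.WriteLine($"{name}: enabled but missing a value; treat as disabled");
        }
    }
}
```

Run against the constructed sample, AzureOpenId and Google are reported and Microsoft is not, because Microsoft is the only enabled provider whose ClientId and ClientSecret are both filled in.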

  • User Avatar
    0
    shobhit created

    2 bugs:

    1. External provider setting update is not working as expected.
    2. External provider display is not working as expected.
  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    hi

    I will check this. Thanks

  • User Avatar
    0
    maliming created
    Support Team Fullstack Developer

    Now I have made changes in the AbpSettings value like this (manually set "enabled" to false)

    The application uses a cache. You can't change settings manually; please change them via the app, or clear the cache after changing the DB.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 10, 2024, 06:38