- Check the docs before asking a question: https://docs.abp.io/en/commercial/latest/ DONE
- Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index DONE
- The exact solution to your question may have been answered before, please use the search on the homepage: No result for these issues.
- ABP Framework version: v5.3.1
- UI type: Blazor
- DB provider: EF Core
- Tiered (MVC) or Identity Server Separated (Angular): yes
- Exception message and stack trace: None
- Steps to reproduce the issue: (Explained below...)
Hello,
I might have split this "Bug report / feature request" into more than one post, but it's all related to the same...
**The main goal I would like to achieve here would be to "pre-register" some corporate users (using Azure AD) to log in to my application, but without allowing anyone else to self-register! And I would also like to use third party authentication in a safe way, and right now it is not, because it's too easy to bypass it.**

**BUG**: I saw that a new "import" button has appeared recently... but it's not working! A message says "No external login provider available" while this is not true. **My external login provider is set up and perfectly working!!!** I would have tried this new feature but I can't. So, maybe it would do a part of the job when fixed.

Actually, when you create a new user, even using the pro modules, there is no way to add an external user manually (let's say using Azure AD, but also any other third party external provider). We cannot specify that the user is or will be an external user. Also, you absolutely need to enter a password, that will not be used anyway.
I feel like the default GUIs are missing some things... and the overall identification process should be reviewed/improved because it is unsecured and missing some features that should already be there.
Despite the presence of the column IsExternal in table AbpUsers, it seems that nothing is using this column... but it could and should be used...
Here is what I would like to see and/or consider as a bug and/or an important missing feature, especially in a so-called PRO module.
- Be able to create an external user, meaning also a "password-less user", meant to be an external user ONLY.
- **BUG**! An external user can easily bypass the third party authentication, just by asking for a password reset and logging back in as an "internal user". (Note: disabling the internal user login feature is not something that we can do; we need and are using both kinds of user login.)
  - To solve this bug:
    - An external user should never be allowed to log in with a password.
    - The password reset feature should consider the IsExternal column value and, if set to true, refuse the user's password reset attempt.
  - Improvements needed:
    - Put the "Is External" check box on the standard new/edit user form.
    - When the checkbox is checked, ignore the password field and the fact that this field value is required.
    - Add tabs to the new/edit form, with titles being the names of the enabled external providers...
    - The tab should provide a field to enter the user's unique id for this provider (ObjectId for AD), i.e. the AbpUserLogins.ProviderKey column in DB.
    - Add the "IsExternal" column in the grid (user list).
    - Disable the action SetPassword for external users.
P.S. I know that I can download the source code and do all of this myself, but I think that all of this should be "as default", especially for a pro module.
- Self registration should be improved for external users...
  - A new two-step self registration should be added for external users.
    - First, someone should create the user as an external user.
    - Second, the user identifies itself against the third party identity and then completes its self-registration in ABP...
    - This means that the actual attempt to create a new user should be skipped (when already existing) and the part where the ObjectId is saved in the AbpUserLogins table should be kept to "finalize" the user registration.
- Microsoft authentication should be improved... (Google and Twitter too...)
  - Endpoints management should be improved. Actually hard-coded (easy code change, I know...), these should be parameters as ClientId and ClientSecret are.
  - Some optional parameters could be sent with the "oauth request", like "&prompt=xxx" (xxx being various possible values) or "login_hint=yyyy", etc. These could be nice to add as an optional parameters concept, used to append them automatically to the URL.
Thanks
4 Answer(s)
Hi,
> I saw that a new "import" button has appeared recently... but it's not working! A message says "No external login provider available" while this is not true. **My external login provider is set up and perfectly working!!!** I

Import works with the ABP external login provider, you can see the document: https://docs.abp.io/en/commercial/latest/modules/identity/import-external-users

You can create your own external login provider, for example:

```csharp
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;

public class MyExternalLoginProvider : ExternalLoginProviderBase, ITransientDependency
{
    // Name under which the provider is registered in AbpIdentityOptions.
    public const string Name = "MyExternalLoginProvider";

    public MyExternalLoginProvider(....)
    {
        ....
    }

    // Verify the credentials against the external system.
    public override Task<bool> TryAuthenticateAsync(string userName, string plainPassword)
    {
        ....
    }

    // Return false to hide the provider (e.g. from the import dialog).
    public override Task<bool> IsEnabledAsync()
    {
        return Task.FromResult(true);
    }

    // Fetch the external user's details used to create/update the local user.
    protected override Task<ExternalLoginUserInfo> GetUserInfoAsync(string userName)
    {
        ......
    }
}
```

Then register it in your module's ConfigureServices:

```csharp
Configure<AbpIdentityOptions>(options =>
{
    options.ExternalLoginProviders.Add<MyExternalLoginProvider>(MyExternalLoginProvider.Name);
});
```
> Actually, when you create a new user, even using the pro modules, there is no way to add an external user manually
I believe the above has answered this.
> **BUG**! An external user can easily bypass the third party authentication, just by asking for a password reset and logging back in as an "internal user". (Note: disabling the internal user login feature is not something that we can do; we need and are using both kinds of user login.) To solve this bug ..... Improvements needed. .....

I'm not sure this is a bug. Even using Twitter, if I use Google social external login, I can also change the password and send an email to reset the password.
However, I will talk with the ABP team, thanks for your feedback.
> **BUG**! An external user can easily bypass the third party authentication, just by asking for a password reset and logging back in as an "internal user". (Note: disabling the internal user login feature is not something that we can do; we need and are using both kinds of user login.) To solve this bug ..... Improvements needed. .....
>
> I'm not sure this is a bug. Even using Twitter, if I use Google social external login, I can also change the password and send an email to reset the password.

Thanks liangshiwe, I will change my point of view and stop calling this a bug... But let's say it depends on the software you authenticate to and what the purpose of the "alternate identity provider" is. In the Twitter situation, they want to give you the choice. In our situation, we want to force them to use the external provider we chose as the corporate one. So, ok, let's say it is not a bug and we will have to alter the default behavior ourselves.

And I have already seen some other platforms asking to link the "external" and "internal" account when I tried to authenticate using a third party (Facebook, Google, etc.) and had to decide if I wanted to switch my account. I have also seen some other platforms sending you to the "Microsoft forgot password page" when you have used a Microsoft account to log in/register.

But you're right and I agree: usually, most platforms do not care about the way you log in. They maintain both the "internal" and "external" login options and you can use both of them as you want.

But at least, let's consider this as a future development... a parameter that we could set that would prevent external users from using the "classical login" and prevent password change. Until then, we will customize this for our needs. Thanks.
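One way to implement the customization the thread ends on (refusing password login, password reset and SetPassword for accounts that belong to an external provider), as an added example that is neither ABP's nor the poster's code. It assumes ASP.NET Core Identity's `UserManager<IdentityUser>` with ABP's `Volo.Abp.Identity.IdentityUser` (whose `IsExternal` property backs the AbpUsers column discussed above); the class and method names are hypothetical, and where you call it (at the start of the login, "forgot password" and admin SetPassword flows) depends on your ABP version.

```csharp
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Volo.Abp.Identity;

// Hypothetical guard service (added example, not part of ABP). It answers one
// question for the login, "forgot password" and admin SetPassword flows:
// may this account use a password at all?
public class ExternalUserPasswordPolicy
{
    private readonly UserManager<IdentityUser> _userManager;

    public ExternalUserPasswordPolicy(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // An account counts as external when the IsExternal flag is set OR when an
    // external login is already linked (a row in AbpUserLogins). The thread
    // notes that nothing maintains IsExternal yet, so the flag alone is not a
    // reliable signal; the linked-login check covers users who signed in
    // through the provider before the flag was ever set.
    public async Task<bool> IsExternalUserAsync(IdentityUser user)
    {
        if (user.IsExternal) return true;
        var logins = await _userManager.GetLoginsAsync(user);
        return logins.Any();
    }

    // True when a password-based operation may proceed for the given e-mail
    // or user name. An unknown account deliberately returns true so the
    // caller keeps its usual "no such user" handling and this check does not
    // become a second, distinguishable way to probe whether an account exists.
    public async Task<bool> AllowsPasswordUseAsync(string emailOrUserName)
    {
        var user = await _userManager.FindByEmailAsync(emailOrUserName)
                   ?? await _userManager.FindByNameAsync(emailOrUserName);
        if (user == null) return true;
        return !await IsExternalUserAsync(user);
    }
}
```

When `AllowsPasswordUseAsync` returns false in the password-reset flow, either refuse with a message that points the user to the corporate login, or respond exactly as for a successful request and send no reset e-mail, so the response does not reveal which accounts are external.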