Open Closed

I want to know about the session management in abp commercial. #5597


User avatar
0
portx-dev created

Is there any document about authorization or session management in abp commercial? If abp commercial application extends authorization function from asp.net core, I want to know the document about it.

my goal

  • understand how session is managed in abp commercial.
  • how to access backend api with session infos.

background

  • Now, I'm setting up OWASP ZAP client to test abp application.
  • I want OWASP ZAP client to login abp application itself before penetration test.
  • I have to set OWASP ZAP configuration, relating to authorization(ex. authentication method, session management)

Thanks for your support.


ABP Framework version: Commercial 7.2

UI type: Angular

DB provider: EF Core


4 Answer(s)
  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    Hi,

    abp.io uses claims-based authentication and authorization. please read more here https://learn.microsoft.com/en-us/aspnet/core/security/authentication/?view=aspnetcore-7.0#authentication-concepts you can find the code which works with asp.net core https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AuthorizationInterceptor.cs https://github.com/abpframework/abp/blob/dev/modules/account/src/Volo.Abp.Account.Web/Pages/Account/Login.cshtml.cs

    Just FYI, ABP itself doesn't directly provide a "Session Management" module as a standalone feature, it's likely that it leverages the session management capabilities provided by the underlying ASP.NET Core framework.

    Please check similar ticket for reference https://support.abp.io/QA/Questions/2234/How-to-maintain-session-information-in-ABP-framework

  • User Avatar
    0
    portx-dev created

    Thanks.

    I have read the content you provided.

    Now, I have question about deep implementation in abp application.

    When I login in id application, there is no session info(image1). And after authentication redirecting to main application, there is session info(ex. access_token, id_token, ...) in local storage(image2).

    My question is, how is the session info passed from id application to main application? Is there any global state?, or the services communicate with in back channel?

  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    The id application generates the authorization code and then it is redirected to the client application. Where the code is used to generate access token and refresh token and other claims.

    You can read more about authorization code flow here : https://documentation.openiddict.com/guides/choosing-the-right-flow.html#authorization-code-flow-recommended-for-new-applications

    on angular: https://www.npmjs.com/package/angular-oauth2-oidc

    https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-flow-strategy.ts https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-code-flow-strategy.ts#L35

    The session details will be available on the client application after the user login. Please refer the attached screenshot where you can find the token details, after user login in my localhost. FYI, You can read more about the abp claims in: https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory For getting the current user details on backend: https://docs.abp.io/en/abp/latest/CurrentUser The current user claims details: https://docs.abp.io/en/abp/latest/CurrentUser#icurrentprincipalaccessor

  • User Avatar
    0
    Anjali_Musmade created
    Support Team Support Team Member

    The id application generates the authorization code and then it is redirected to the client application. Where the code is used to generate access token and refresh token and other claims.

    You can read more about authorization code flow here :
    https://documentation.openiddict.com/guides/choosing-the-right-flow.html#authorization-code-flow-recommended-for-new-applications

    on angular:
    https://www.npmjs.com/package/angular-oauth2-oidc

    https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-flow-strategy.ts https://github.com/abpframework/abp/blob/dev/npm/ng-packs/packages/oauth/src/lib/strategies/auth-code-flow-strategy.ts#L35

    The session details will be available on the client application after the user login. Please refer the attached screenshot where you can find the token details, after user login in my localhost. FYI,
    You can read more about the abp claims in: https://docs.abp.io/en/abp/latest/Authorization#claims-principal-factory For getting the current user details on backend: https://docs.abp.io/en/abp/latest/CurrentUser The current user claims details: https://docs.abp.io/en/abp/latest/CurrentUser#icurrentprincipalaccessor

    Hi,

    We have update our answer with more information please do check again.

Made with ❤️ on ABP v9.1.0-preview. Updated on December 13, 2024, 06:09