- ABP Framework version: v7.4.5
- UI Type: Angular
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Implementing SSO

I have implemented Okta SSO and obtained the ID Token from Okta. I have also installed the following packages:
@okta/okta-angular (v6.4.0), @okta/okta-auth-js (v7.10.1)
Authentication is working as expected, as confirmed by the following check:
this.oktaAuth.isAuthenticated().then(async (authStatus) => {
    if (authStatus) {
        // Authenticated successfully
    }
});
Additionally, I can successfully invoke APIs using this authentication setup, but I cannot check authorization with different roles:
context.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = "MultipleAuthSchemes";
    options.DefaultChallengeScheme = "MultipleAuthSchemes";
})
.AddPolicyScheme("MultipleAuthSchemes", JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.ForwardDefaultSelector = context =>
    {
        string? authorization = context.Request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(authorization) && authorization.StartsWith("Bearer "))
        {
            var token = authorization.Substring("Bearer ".Length).Trim();
            return token.Contains("okta") ? "okta_jwt_schema" : JwtBearerDefaults.AuthenticationScheme;
        }
        return JwtBearerDefaults.AuthenticationScheme;
    };
})
.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]);
    options.Audience = "Project42";
})
.AddJwtBearer("okta_jwt_schema", options =>
{
    options.Authority = configuration["Okta:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["Okta:RequireHttpsMetadata"]);
    options.Audience = "api://default";
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        ValidIssuer = "https://dev-96317405.okta.com/oauth2/default",
        ValidAudience = "api://default",
        ValidateLifetime = true
    };
});
Now, I have route guards set up as follows:
{
    path: '',
    pathMatch: 'full',
    component: DashboardComponent,
    canActivate: [AuthGuard, PermissionGuard, RoleGuard],
}
I believe these guards require the ABP token instead of the Okta token. How can I properly pass authentication to AuthGuard and PermissionGuard while ensuring authorization in the system using Okta?
Can I do something like: if authenticated, then log the user in by matching the email? But I don't know the password. I have this method: this.authService.login({ username, password, rememberMe })
If I can log into the system without a password, or with a similar method in the backend, then I believe I can log the user in with a proper ABP login and just authenticate with Okta.
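The ForwardDefaultSelector in the post picks the scheme by searching the raw token for the substring "okta"; routing on the token's issuer claim is more robust, since a base64url-encoded JWT does not reliably contain that literal. The following is an added example, not code from the original post, and it assumes configuration["Okta:Authority"] holds the same value as the ValidIssuer used in the post:

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Added example (not from the original post): choose the bearer scheme by the
// token's "iss" claim. Assumes configuration["Okta:Authority"] equals the
// Okta issuer configured as ValidIssuer for "okta_jwt_schema".
public static class BearerSchemeSelector
{
    private const string OktaScheme = "okta_jwt_schema";
    private static readonly JwtSecurityTokenHandler Handler = new();

    public static string Select(HttpContext context, IConfiguration configuration)
    {
        string? authorization = context.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(authorization) ||
            !authorization.StartsWith("Bearer ", StringComparison.Ordinal))
        {
            return JwtBearerDefaults.AuthenticationScheme;
        }

        var token = authorization.Substring("Bearer ".Length).Trim();
        if (!Handler.CanReadToken(token))
        {
            // Not a well-formed JWT; let the default scheme reject it.
            return JwtBearerDefaults.AuthenticationScheme;
        }

        // ReadJwtToken only decodes the payload. Signature, lifetime and
        // audience are still validated by the handler of the scheme chosen here.
        var issuer = Handler.ReadJwtToken(token).Issuer?.TrimEnd('/');
        var oktaAuthority = configuration["Okta:Authority"]?.TrimEnd('/');

        return !string.IsNullOrEmpty(oktaAuthority) &&
               string.Equals(issuer, oktaAuthority, StringComparison.OrdinalIgnoreCase)
            ? OktaScheme
            : JwtBearerDefaults.AuthenticationScheme;
    }
}

// Usage inside the AddPolicyScheme call from the post:
// options.ForwardDefaultSelector = ctx => BearerSchemeSelector.Select(ctx, configuration);
```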
44 Answer(s)
- Hello, our relevant team member will respond to you as soon as possible.
- Sure, please respond at the earliest. I need to wind up, thanks.
- Unfortunately, our team member is out of working time at the moment. He will probably respond tomorrow during the day. Thank you for your patience.
- Sure.
- Hi, can you check the current principal (HttpContext.User) after authentication using okta_jwt_schema? What are the claims (type:value)? The CurrentUser's values come from claims.

    .AddJwtBearer("okta_jwt_schema", options =>
    {
        options.Authority = configuration["Okta:Authority"];
        options.RequireHttpsMetadata = Convert.ToBoolean(configuration["Okta:RequireHttpsMetadata"]);
        options.Audience = "api://default";
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            ValidIssuer = "https://dev-96317405.okta.com/oauth2/default",
            ValidAudience = "api://default",
            ValidateLifetime = true
        };
    });
- Also needs to address this issue. I have route guards set up as follows:

    {
        path: '',
        pathMatch: 'full',
        component: DashboardComponent,
        canActivate: [AuthGuard, PermissionGuard, RoleGuard],
    }

  I believe these guards require the ABP token instead of the Okta token. How can I properly pass authentication to AuthGuard and PermissionGuard while ensuring authorization in the system using Okta?
- Hi, can I do something like: if authenticated, then log the user in by matching the email? But I don't know the password. I have this method: this.authService.login({ username, password, rememberMe }). If I can log into the system without a password, or with a similar method in the backend, then I believe I can log the user in with a proper ABP login and just authenticate with Okta. IF NOT, then what changes do I need to make so the claims are compatible with ABP?
- Hi, the AddJwtBearer method can map your okta_jwt_schema to be compatible with ABP.

    .AddAbpJwtBearer(options =>
    {
        options.MapInboundClaims = false;
        // JwtBearerOptions.Events is null by default, so create it before setting handlers
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = async tokenValidatedContext =>
            {
                var yourClaims = tokenValidatedContext.Principal?.Claims;
                // Map your Okta claims to ABP claims
                if (tokenValidatedContext.Principal?.Identity is ClaimsIdentity claimIdentity)
                {
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.UserId, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.UserName, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.SurName, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.Email, ""));
                    claimIdentity.AddClaim(new Claim(AbpClaimTypes.Role, ""));
                }
            }
        };
    });
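A filled-in version of the OnTokenValidated mapping sketched in the answer above, as an added example that is not the answerer's or ABP's own code: it resolves the local ABP Identity user by the Okta "email" claim and derives UserId, UserName, Email and Role from the local record rather than from the token. It assumes the Okta token contains an "email" claim and that a matching ABP user already exists; the class name OktaClaimsMapping is hypothetical.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp.Identity;
using Volo.Abp.Security.Claims;

// Added example (not from the original answer): populate the ABP claim types
// from the local Identity user matched by the Okta "email" claim. Roles come
// from the ABP identity store, so the Okta token only proves who the caller is.
public static class OktaClaimsMapping
{
    public static void Configure(JwtBearerOptions options)
    {
        options.MapInboundClaims = false; // keep raw JWT claim names such as "email"
        options.Events = new JwtBearerEvents
        {
            OnTokenValidated = async context =>
            {
                if (context.Principal?.Identity is not ClaimsIdentity identity)
                {
                    return;
                }
                var email = identity.FindFirst("email")?.Value;
                if (string.IsNullOrEmpty(email))
                {
                    context.Fail("Okta token carries no email claim.");
                    return;
                }
                var userManager = context.HttpContext.RequestServices
                    .GetRequiredService<IdentityUserManager>();
                var user = await userManager.FindByEmailAsync(email);
                if (user == null)
                {
                    // No silent auto-provisioning: unknown Okta users are rejected.
                    context.Fail($"No ABP user with email {email}.");
                    return;
                }
                // These are the claim types ICurrentUser reads.
                identity.AddClaim(new Claim(AbpClaimTypes.UserId, user.Id.ToString()));
                identity.AddClaim(new Claim(AbpClaimTypes.UserName, user.UserName));
                identity.AddClaim(new Claim(AbpClaimTypes.Email, user.Email));
                foreach (var role in await userManager.GetRolesAsync(user))
                {
                    identity.AddClaim(new Claim(AbpClaimTypes.Role, role));
                }
            }
        };
    }
}
```

Call OktaClaimsMapping.Configure(options) inside the .AddJwtBearer("okta_jwt_schema", ...) registration from the question, after the Authority and TokenValidationParameters settings.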
- Hi, you can replace it with AddJwtBearer.
- Can you try to debug the FindUserId method? https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Security/System/Security/Principal/AbpClaimsIdentityExtensions.cs#L11-L47 https://github.com/abpframework/abp/blob/dev/framework/src/Volo.Abp.Security/Volo/Abp/Users/CurrentUser.cs#L16
- Hi, I'm able to fetch the UserId. There were two sub claims in my token; I made it a single sub claim. Now my frontend application is still not loading as expected; many components are not loading. I believe this is the issue I have seen: AuthGuard and PermissionGuard are not allowing me to access the dashboard with my Okta authentication.
- What are the JSON results of https://yourwebsite/api/abp/application-configuration?includeLocalizationResources=false in your Angular app?
- Hi liming.ma@volosoft.com
- Hi, I have shared the response with you.