- ABP Framework version: 9.0.3
- UI Type: MVC / Blazor WASM / Blazor Server
- Database System: EF Core (SQL Server)
- Tiered (for MVC) or Auth Server Separated (for Angular): yes
- Exception message and full stack trace:
- Steps to reproduce the issue: We want to enforce OAuth login if selected for tenant
3 Answer(s)
0
Hi,
It depends on your solution structure. If you're using non-tiered MVC, it uses cookie-based authentication by default whenever you create a new project.
But others, including Blazor WASM, Angular or any type of tiered application, use OpenID Connect authentication by default.
And it uses Authentication Code Flow.
See: https://abp.io/docs/latest/solution-templates/layered-web-application/authentication#authentication-flows

Do you want to change the authentication flow? Can you please describe what you need to change dynamically?
0
Hi Enisn, thank you for your response. We have a multi-tiered MVC, multi-tenant application.
I want to authenticate users of one tenant with Azure AD only and users of another tenant with Google authentication only.
The user may be part of ABP database but if the user is not part of Azure AD or Google, the ABP based application should not allow that user to login.
How do I implement this feature?
0
Hi,
You can customize the Login page for this. I am leaving some sample code below just to give you an idea:
```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;
using Owl.reCAPTCHA;
using Volo.Abp.Account.ExternalProviders;
using Volo.Abp.Account.Public.Web;
using Volo.Abp.Account.Public.Web.Pages.Account;
using Volo.Abp.Account.Security.Recaptcha;
using Volo.Abp.Auditing;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(LoginModel))]
[DisableAuditing]
public class MyLoginModel : LoginModel
{
    private readonly IConfiguration _configuration;

    public MyLoginModel(
        IAuthenticationSchemeProvider schemeProvider,
        IOptions<AbpAccountOptions> accountOptions,
        IAbpRecaptchaValidatorFactory recaptchaValidatorFactory,
        IAccountExternalProviderAppService accountExternalProviderAppService,
        ICurrentPrincipalAccessor currentPrincipalAccessor,
        IOptions<IdentityOptions> identityOptions,
        IOptionsSnapshot<reCAPTCHAOptions> reCaptchaOptions,
        IConfiguration configuration)
        : base(schemeProvider, accountOptions, recaptchaValidatorFactory,
               accountExternalProviderAppService, currentPrincipalAccessor,
               identityOptions, reCaptchaOptions)
    {
        _configuration = configuration;
    }

    public override async Task<IActionResult> OnGetAsync()
    {
        // CurrentTenant is provided by AbpPageModel; Name is null on the host side
        var tenantName = CurrentTenant.Name;
        var allowedProvider = tenantName == null
            ? null
            : _configuration["ExternalAuthProviders:" + tenantName];

        if (string.IsNullOrEmpty(allowedProvider))
        {
            // Fallback for tenants without a specific provider: show the normal login page
            return await base.OnGetAsync();
        }

        // Redirect straight to the tenant's provider (same as clicking its button)
        var redirectUrl = Url.Page("./Login", pageHandler: "ExternalLoginCallback",
            values: new { ReturnUrl, ReturnUrlHash });
        var properties = SignInManager.ConfigureExternalAuthenticationProperties(allowedProvider, redirectUrl);
        properties.Items["scheme"] = allowedProvider;

        return Challenge(properties, allowedProvider);
    }
}
```
You can think of the above code as pseudo code. We replaced the Login model and overrode OnGet, redirecting it to the provider we want according to the tenant information. However, this code does not remove the relevant providers from the UI; for this you need to override Login.cshtml. How to do it is explained in the document here.
Since this is code that is completely related to your business, we cannot write all of it, but I have tried to explain how you can do it as much as I can, to give you an idea. If you have a specific question while implementing, do not hesitate to ask.
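The redirect in the answer above only covers the GET of the login page; the page's POST handlers are still reachable, so a user of a restricted tenant could submit the local username/password form or post the form with another provider's name. The following is an added example, not code from the answer or from ABP, that applies the same per-tenant rule to the two POST handlers the ABP LoginModel exposes, OnPostAsync (the local form) and OnPostExternalLogin (the provider buttons). It reuses the answer's ExternalAuthProviders:{tenantName} configuration key; the TenantLoginProviderPolicy class and the EnforcedProviderLoginModel name are assumptions introduced here, and the constructor parameters follow the LoginModel signature shown in the answer.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Options;
using Owl.reCAPTCHA;
using Volo.Abp.Account.ExternalProviders;
using Volo.Abp.Account.Public.Web;
using Volo.Abp.Account.Public.Web.Pages.Account;
using Volo.Abp.Account.Security.Recaptcha;
using Volo.Abp.Auditing;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Security.Claims;

// Hypothetical helper (not part of ABP): answers "which external scheme is this tenant locked to?"
public class TenantLoginProviderPolicy : ITransientDependency
{
    private readonly IConfiguration _configuration;

    public TenantLoginProviderPolicy(IConfiguration configuration) => _configuration = configuration;

    // Null means "no restriction": the host side and tenants without a configured provider
    // keep the normal ABP login behaviour. Assumed config key: ExternalAuthProviders:{tenantName}
    public string GetRequiredProvider(string tenantName) =>
        string.IsNullOrEmpty(tenantName) ? null : _configuration["ExternalAuthProviders:" + tenantName];
}

[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(LoginModel))]
[DisableAuditing]
public class EnforcedProviderLoginModel : LoginModel
{
    private readonly TenantLoginProviderPolicy _policy;

    public EnforcedProviderLoginModel(
        IAuthenticationSchemeProvider schemeProvider,
        IOptions<AbpAccountOptions> accountOptions,
        IAbpRecaptchaValidatorFactory recaptchaValidatorFactory,
        IAccountExternalProviderAppService accountExternalProviderAppService,
        ICurrentPrincipalAccessor currentPrincipalAccessor,
        IOptions<IdentityOptions> identityOptions,
        IOptionsSnapshot<reCAPTCHAOptions> reCaptchaOptions,
        TenantLoginProviderPolicy policy)
        : base(schemeProvider, accountOptions, recaptchaValidatorFactory,
               accountExternalProviderAppService, currentPrincipalAccessor,
               identityOptions, reCaptchaOptions)
    {
        _policy = policy;
    }

    // GET: same idea as the answer, go straight to the tenant's provider
    public override async Task<IActionResult> OnGetAsync()
    {
        var required = _policy.GetRequiredProvider(CurrentTenant.Name);
        return required == null ? await base.OnGetAsync() : ChallengeProvider(required);
    }

    // POST of the local username/password form: a restricted tenant must not be able to use it,
    // even though the ABP user record exists in the tenant's database
    public override async Task<IActionResult> OnPostAsync(string action)
    {
        var required = _policy.GetRequiredProvider(CurrentTenant.Name);
        return required == null ? await base.OnPostAsync(action) : ChallengeProvider(required);
    }

    // POST of a provider button: only the configured scheme is honoured, whatever name was posted
    public override async Task<IActionResult> OnPostExternalLogin(string provider)
    {
        var required = _policy.GetRequiredProvider(CurrentTenant.Name);
        if (required != null && !string.Equals(required, provider, StringComparison.Ordinal))
        {
            return ChallengeProvider(required);
        }
        return await base.OnPostExternalLogin(provider);
    }

    // Mirrors what ABP's own OnPostExternalLogin does for the chosen scheme
    private IActionResult ChallengeProvider(string provider)
    {
        var redirectUrl = Url.Page("./Login", pageHandler: "ExternalLoginCallback",
            values: new { ReturnUrl, ReturnUrlHash });
        var properties = SignInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
        properties.Items["scheme"] = provider;
        return Challenge(properties, provider);
    }
}
```

The configured value must be the authentication scheme name registered for that provider (for example the name passed to AddMicrosoftAccount or AddGoogle), since that is what ConfigureExternalAuthenticationProperties and Challenge act on. The lookup is keyed by CurrentTenant.Name, which ABP resolves from its configured tenant resolvers (domain, cookie, header or the __tenant query string), so the same rule applies regardless of how the tenant was selected. Hiding the other providers and the password form in Login.cshtml, as the answer says, remains a UI concern on top of this server-side check.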