
Azure OpenIdConnect – User validation against database #9955


0
FelixKirschner created

Hello, we are using Azure OpenIdConnect for authentication, which works fine so far. The problem: if a user does not exist in a specific table in our database, their authentication state should be invalid. How can we achieve that the authentication flow, after a successful Azure OpenIdConnect login, additionally checks the database and rejects the user if not found? Is maybe the AbpClaimsPrincipalContributor a way to interrupt it and check if the user is found?

Thank you for your help!


2 Answer(s)
  • 0
    AI-Bot created
    Support Team ABP Agent

    To enforce that only users existing in a specific database table are considered authenticated after Azure OpenIdConnect login, you should implement a custom authentication event handler rather than using AbpClaimsPrincipalContributor. The contributor is designed for adding claims, not for interrupting or rejecting authentication.

    For your scenario, you should hook into the OpenIdConnect authentication events (such as OnTokenValidated or OnUserInformationReceived) in your HttpApi.Host or Web project. In these events, you can check your database for the user and reject the authentication if the user is not found.

    Example (in your module's ConfigureServices):

    using System.Security.Claims;
    using Microsoft.AspNetCore.Authentication.OpenIdConnect;
    using Microsoft.EntityFrameworkCore;
    using Microsoft.Extensions.DependencyInjection;

    context.Services.AddAuthentication()
        .AddOpenIdConnect("AzureOpenId", "Azure AD OpenId", options =>
        {
            // ... your existing config (Authority, ClientId, ResponseType, ...) ...
            options.Events = new OpenIdConnectEvents
            {
                // Runs after the id_token's signature, issuer, audience and lifetime
                // have been validated, but before the sign-in cookie is issued.
                OnTokenValidated = async ctx =>
                {
                    // Request-scoped services (including the DbContext) are available here.
                    var serviceProvider = ctx.HttpContext.RequestServices;
                    var dbContext = serviceProvider.GetRequiredService<YourDbContext>();

                    // NameIdentifier is mapped from the "sub" claim, which Azure AD issues
                    // per app registration; key the table on the tenant-wide "oid" claim
                    // instead if it must survive re-registering the app.
                    var userId = ctx.Principal?.FindFirst(ClaimTypes.NameIdentifier)?.Value;

                    // Check if the user exists in your custom table; a missing id also fails (fail closed).
                    var userExists = userId != null
                        && await dbContext.YourCustomUsersTable.AnyAsync(u => u.AzureAdId == userId);
                    if (!userExists)
                    {
                        // Fail() aborts the sign-in; no authentication cookie is written.
                        ctx.Fail("User not allowed.");
                    }
                }
            };
        });
    

    This will reject the authentication if the user is not found in your table, and the user will not be considered authenticated in your ABP application.

    Sources:

    • https://abp.io/docs/latest/framework/fundamentals/authorization
    • https://abp.io/community/articles/4603b9cf

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • 0
    maliming created
    Support Team Fullstack Developer

    hi

    Checking it in OpenIdConnectEvents methods is a good approach.

    Thanks.
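A fuller version of the OpenIdConnectEvents check both answers recommend, as an added example that is not code from this thread or from the ABP framework. It goes beyond the snippet above in two ways a practitioner usually needs: it keys the lookup on Azure AD's tenant-wide object id (`oid`) rather than the per-app `sub`, and it handles `OnRemoteFailure`, because a `Fail()` from `OnTokenValidated` otherwise surfaces as an unhandled exception on the callback URL instead of a friendly denial. The names `AllowedUsersDbContext`, `AllowedUsers`, `AllowedUser`, `AzureObjectId`, `IsActive` and the route `/Account/AccessDenied` are assumptions, not ABP or thread names.

```csharp
// Added example (not from the original thread or the ABP project). Rejects Azure AD
// logins whose user has no active row in an application table. The DbContext, entity,
// column names and the access-denied route are hypothetical placeholders.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

public static class AzureAdAllowListEvents
{
    // Azure AD's tenant-wide object id. With default inbound claim mapping it arrives
    // under this URI; "sub" (mapped to ClaimTypes.NameIdentifier) is pairwise per app
    // registration, so a table keyed on "sub" breaks when the app is re-registered.
    private const string ObjectIdClaim =
        "http://schemas.microsoft.com/identity/claims/objectidentifier";

    public static OpenIdConnectEvents Create() => new OpenIdConnectEvents
    {
        OnTokenValidated = OnTokenValidatedAsync,
        OnRemoteFailure = OnRemoteFailureAsync
    };

    private static async Task OnTokenValidatedAsync(TokenValidatedContext ctx)
    {
        var services = ctx.HttpContext.RequestServices;
        var logger = services.GetRequiredService<ILoggerFactory>()
                             .CreateLogger(nameof(AzureAdAllowListEvents));
        var db = services.GetRequiredService<AllowedUsersDbContext>(); // assumed DbContext

        // Mapped claim type first; raw "oid" if MapInboundClaims was turned off.
        var objectId = ctx.Principal?.FindFirst(ObjectIdClaim)?.Value
                       ?? ctx.Principal?.FindFirst("oid")?.Value;

        if (string.IsNullOrEmpty(objectId))
        {
            // No usable identifier: fail closed rather than let an unkeyed principal through.
            ctx.Fail("Token carries no object identifier.");
            return;
        }

        var allowed = await db.AllowedUsers
            .AsNoTracking()
            .AnyAsync(u => u.AzureObjectId == objectId && u.IsActive,
                      ctx.HttpContext.RequestAborted);

        if (!allowed)
        {
            // Worth a log line: repeated rejections are a signal for the SOC.
            logger.LogWarning("Rejected Azure AD login for object id {ObjectId}: not in allow list",
                              objectId);
            ctx.Fail("User is not registered in this application.");
        }
    }

    private static Task OnRemoteFailureAsync(RemoteFailureContext ctx)
    {
        // Without this handler the failure raised by ctx.Fail() is rethrown by the
        // remote authentication handler on the signin-oidc callback. Redirect instead
        // and mark the response as handled so no further processing happens.
        ctx.Response.Redirect("/Account/AccessDenied"); // assumed route
        ctx.HandleResponse();
        return Task.CompletedTask;
    }
}

// Hypothetical EF Core model for the allow-list table.
public class AllowedUser
{
    public int Id { get; set; }
    public string AzureObjectId { get; set; } = string.Empty;
    public bool IsActive { get; set; }
}

public class AllowedUsersDbContext : DbContext
{
    public AllowedUsersDbContext(DbContextOptions<AllowedUsersDbContext> options) : base(options) { }
    public DbSet<AllowedUser> AllowedUsers => Set<AllowedUser>();
}

// Wiring in the module's ConfigureServices (ABP style):
//   context.Services.AddAuthentication()
//       .AddOpenIdConnect("AzureOpenId", "Azure AD OpenId", options =>
//       {
//           // ... Authority, ClientId, ResponseType, etc. ...
//           options.Events = AzureAdAllowListEvents.Create();
//       });
```

Because the check runs inside `OnTokenValidated`, it happens before the external sign-in cookie is written and before ABP's external-login callback creates or links an IdentityUser, so a user missing from the table never reaches the application with an authenticated principal. If the scheme already sets `options.Events` for other reasons, assign the two handlers onto the existing instance instead of replacing it.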

Made with ❤️ on ABP v10.1.0-preview. Updated on October 02, 2025, 08:00