Activities of "Frontis2"

  • ABP Framework version: v7.1.1
  • UI type: MVC
  • DB provider: EF Core

Currently am trying to add an external login, using Azure Active Directory. The purpose of this external login, is to be used by administrators only.

As described in the community blog post, I did the following... Note the CustomOpenIdConnectEvents class...

private void ConfigureExternalProviders(ServiceConfigurationContext context, IConfiguration configuration)
    {
        context.Services.AddAuthentication()
          //Omitted other third party configurations
          .AddOpenIdConnect("AzureOpenId", "Sign in with Microsoft", options =>
          {
              options.Authority = $"https://login.microsoftonline.com/{configuration["AzureAd:TenantId"]}/v2.0/";
              options.ClientId = configuration["AzureAd:ClientId"];
              options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
              options.CallbackPath = configuration["AzureAd:CallbackPath"];
              options.ClientSecret = configuration["AzureAd:ClientSecret"];
              options.RequireHttpsMetadata = false;
              options.SaveTokens = true;
              options.GetClaimsFromUserInfoEndpoint = true;
              options.Scope.Add("email");
              options.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "sub");
              options.ClaimActions.MapJsonKey(ClaimTypes.Email, "email");
              options.SignInScheme = IdentityConstants.ExternalScheme;

              options.EventsType = typeof(CustomOpenIdConnectEvents);
          });
    }

And here is the CustomOpenIdConnectEvents class:

    {
        [UnitOfWork]
        public override async Task TokenValidated(TokenValidatedContext context)
        {
            await base.TokenValidated(context);

            var userManager = context.HttpContext.RequestServices.GetRequiredService<IdentityUserManager>();
            

            var userEmail = context.Principal.FindFirstValue(ClaimTypes.Email);

            var currentUser = await userManager.FindByEmailAsync(userEmail);

            if (currentUser != null)
            {
                var adminRoleName = "admin"; // Replace with your admin role name
                var isInRole = await userManager.IsInRoleAsync(currentUser, adminRoleName);

                if (!isInRole)
                {
                    await userManager.AddToRoleAsync(currentUser, adminRoleName);
                    var identity = context.Principal.Identity as ClaimsIdentity;
                    identity?.AddClaim(new Claim(identity.RoleClaimType, adminRoleName));
                }
            }
        }
    }

The code itself is working. However with the following issues:

  • The user must log out and log back in, before he is admin
    • I think this is because the user account only exists after he hits "register".
  • Am not quite sure if finding the user based on the mail-address is save. However, finding by claim does not work. var currentUser = await userManager.GetUserAsync(context.Principal);

Concrete: How can I make sure users are automatically administrator? Preferably the registration form should be skipped.

  • ABP Framework version: v6.0.1
  • UI type: MVC
  • DB provider: EF Core
  • Identity provider: OpenIddict
  • Tiered (MVC) or Identity Server Separated (Angular): yes
  • Exception message and stack trace:
  • Steps to reproduce the issue:"

We're running a project, where a client is calling our ABP api. All happy flows are working as aspected.

Client details:

  • Nuxt framework (Vue) with Axios
  • Request and response example at the end of the message...

For any given reason tokens might expire. In this case, our client should get a HTTP status 401. This is not the case, it is getting a http status 302 found, whish is redirecting to a error page (= 401).

As you can see in the request, the client is sending a X-Requested-With attribute. This is a recommended solution, but not working. Reference 1 (axios Github) Reference 2 (ABP support)

For cookie authentication, there is a workaround. Reference 1 (ABP Github)

private void ConfigureRedirectStrategy(ServiceConfigurationContext context)
{
    // Without this, api calls without "X-Requested-With: XMLHttpRequest"
    // are redirected to identity server login page.
    // We want to return 401:Unauthorized instead of redirecting
    context.Services.ConfigureApplicationCookie(options =&gt;
    options.Events.OnRedirectToAccessDenied = context =&gt;
    {
    context.Response.Headers["Location"] = context.RedirectUri;
    context.Response.StatusCode = 401;
    return System.Threading.Tasks.Task.CompletedTask;
    });
}

As said, this will not work since the client is using Axios for requests.

Concrete question(s): Do you have any ideas how to solve thie issue (status 302 has to be a status 401)? MVC should work properly, so i guess we still have to use the "X-Requested-With: XMLHttpRequest attribute". But why is it not working?

Thanks in advance,

Request

Host: {url}
Connection: keep-alive
sec-ch-ua: "Brave";v="111", "Not(A:Brand";v="8", "Chromium";v="111"
Accept: application/json, text/plain, */*
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Authorization: Bearer ...
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36
sec-ch-ua-platform: "Windows"
Sec-GPC: 1
Origin: {url}
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: {url}
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,nl;q=0.8

Response

Content-Length: 0
Date: Tue, 04 Apr 2023 09:50:10 GMT
Server: Kestrel
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: {url}
Access-Control-Expose-Headers: _AbpErrorFormat
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: /Error?httpStatusCode=401
Pragma: no-cache
Set-Cookie: ARRAffinity=...
Set-Cookie: ARRAffinitySameSite=...
Vary: Origin
WWW-Authenticate: Bearer error="invalid_token", error_description="The signing key associated to the specified token was not found.", error_uri="https://documentation.openiddict.com/errors/ID2090"
Request-Context: appId=...
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN```

@gterdem

Thanks for your response.

As a digital agency, we run multiple ABP projects, for multiple customers. And those customers (abp-projects), have multiple clients connecting to them. So multiple clients, that connect to our ABP api's.

We did not make all clients, and therefore it is hard to test them. Is there anything that we should report to the developers of the clients? Other than "please test everything".

Are there significant changes that occur, after the migration, that our customers need to report to their clients? Think about endpoint changes. Is there any difference in how tokens are handled?

As far as we know, all clients follow the openid / oauth2 specs. We did not implement custom code on the ABP side.

If this question is hard to answer, I also do like to know. Anything you know of, is desirable to hear.

Is my question to complicated? I know it is a bit abstract. However, knowing any pitfalls would help us a lot. If there is no known pitfall, I do like to know either.

  • ABP Framework version: v6.0.1
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Steps to reproduce the issue:"

After reading the migration guide... https://docs.abp.io/en/abp/latest/Migration-Guides/OpenIddict-Step-by-Step

Context We have multiple customers. Some of our customers have multiple clients (Administration => Identity Server => Clients) connecting to them. Therefor it is hard for us to test if the clients keep working. We don't have much influence on it.

So my question is.. Are there significant changes that occur, after the migration, that our customers need to report to their clients? Think about endpoint changes. Is there any difference in how tokens are handled?

As far as we know, all clients follow the openid / oauth2 specs. We did not implement custom code on the ABP side.

Another (small) functional question: Can created ABP users use their own password after the migration?

Thanks in advance,

For us it was a combination of

- 1. Development certificate

    private void ConfigureOpenIddict()
    {
        Configure<AbpOpenIddictAspNetCoreOptions>(builder => {
            builder.AddDevelopmentEncryptionAndSigningCertificate = false;
        });
    }
    {
        ...
        ConfigureOpenIddict();
        ...
    }

Why not adding this code (maybe with env.IsDevelopment()) to the starter template? This might help a lot of people?

- 2. Setting Loading User Profile to true in IIS

Tnhx for the support!

  • ABP Framework version: v6.0.0-rc.1
  • UI type: MVC
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): no
  • Exception message and stack trace:
Application '/LM/W3SVC/2/ROOT' with physical root 'D:\Domains\abp_beheer\httpdocs\' has exited from Program.Main with exit code = '1'. First 30KB characters of captured stdout and stderr logs:
[14:14:52 INF] Starting web host.
[14:14:53 FTL] Host terminated unexpectedly!
Volo.Abp.AbpInitializationException: An error occurred during ConfigureServicesAsync phase of the module Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule, Volo.Abp.OpenIddict.AspNetCore, Version=6.0.0.0, Culture=neutral, PublicKeyToken=null. See the inner exception for details.
 ---> Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
   at Internal.Cryptography.Pal.StorePal.FromSystemStore(String storeName, StoreLocation storeLocation, OpenFlags openFlags)
   at System.Security.Cryptography.X509Certificates.X509Store.Open(OpenFlags flags)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate(X500DistinguishedName subject)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerBuilder.AddDevelopmentEncryptionCertificate()
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.<>c__DisplayClass1_0.<AddOpenIddictServer>b__0(OpenIddictServerBuilder builder)
   at Microsoft.Extensions.DependencyInjection.OpenIddictServerExtensions.AddServer(OpenIddictBuilder builder, Action`1 configuration)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.AddOpenIddictServer(IServiceCollection services)
   at Volo.Abp.OpenIddict.AbpOpenIddictAspNetCoreModule.ConfigureServices(ServiceConfigurationContext context)
   at Volo.Abp.Modularity.AbpModule.ConfigureServicesAsync(ServiceConfigurationContext context)
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   --- End of inner exception stack trace ---
   at Volo.Abp.AbpApplicationBase.ConfigureServicesAsync()
   at Volo.Abp.AbpApplicationFactory.CreateAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.ServiceCollectionApplicationExtensions.AddApplicationAsync[TStartupModule](IServiceCollection services, Action`1 optionsAction)
   at Microsoft.Extensions.DependencyInjection.WebApplicationBuilderExtensions.AddApplicationAsync[TStartupModule](WebApplicationBuilder builder, Action`1 optionsAction)
   at ABP_Beheer.Web.Program.Main(String[] args) in D:\BUILD02_Agent3\_work\730\s\src\ABP_Beheer.Web\Program.cs:line 36

  • Steps to reproduce the issue:"
  • dotnet tool install Volo.Abp.Cli -g --version 6.0.0-rc.1
  • abp new BookStore --preview
  • Run migrator & Open application & login with admin user
  • Now release to a windows server 2022 server (install IIS+dotnet 6 webhosting bundle)
  • Configure ABP there with Local IIS
    • ApplicationPoolIdentity
  • Add a ssl certificate in the Personal folder via "Manage computer certificates"
  • After that, configure the SSL certificate, so that the IIS APPOOL has access to it (manage computer certificates> Personal > Certificates > right click certificate > All tasks > Manage private keys > Add iis appool user here)
    • See https://github.com/dotnet/aspnetcore/issues/6840 for more info
  • Add HTTPS binding of the ssl certificate, to the iis site
  • Recycle app pool
  • Go to the application, by browsering to it

We haven't had this issue with ABP in combination with Identity server. What am i doing wrong, in context of OpenIddict?

Thanks in advance.

Showing 1 to 7 of 7 entries
Made with ❤️ on ABP v9.1.0-preview. Updated on December 26, 2024, 06:07