Activities of "jacek.bialy"

Unfortunately, it seems that you didn’t read my problem description and proposed functionality carefully. As I mentioned, ABP supports authenticator apps, but it does not allow enforcing them for users. Please take another look at my description. I’m happy to assist and answer any questions or concerns.

Description:

Currently, in ABP, enforcing multi-factor authentication (MFA) only includes SMS/email methods, which are not considered fully secure. There is no option to enforce the use of an authenticator app.

Problem:
  • The current MFA enforcement does not include authenticator apps.
  • SMS and email are vulnerable to attacks (e.g., phishing, SIM-swap).
  • From a standard business security requirements perspective, an authenticator app should be available as a mandatory MFA option.
Expected Solution:
  • Add an option to enforce MFA using an authenticator app (Google Authenticator, Microsoft Authenticator, etc.).
  • Allow administrators (preferably at the tenant level) to enforce this setting for all users.
  • During login, check if the user has already configured an authenticator app. If not, enforce its setup, similar to the existing process available in the "My Account" section.
Benefits:
  • Improved login security.
  • Compliance with modern security standards.
  • Better control for administrators over MFA policies.
  • ABP Framework version: v9.0.4
  • UI Type: Blazor Server
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

I'd like to report a bug. I tested this on an empty project created with the CLI. Log in as a tenant admin. Go to the "Users" grid. Select a particular user and click "Login with this user". I'm correctly logged in as the selected user on the portal. Then click on the user name and go to the "My account" option. A new tab is opened with the Auth Server, but I'm logged in as the tenant admin, not the previously selected user.

It looks like that was the issue. Now the 404 error does not occur anymore.

Done :)

  • ABP Framework version: v9.0.2
  • UI Type: Blazor Server
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): yes
  • Exception message and full stack trace:
  • Steps to reproduce the issue:

We have an issue that occasionally becomes visible. It happens only on our environment on Azure. Locally, we are unable to reproduce it.

  • Click the "Login" button on the portal

  • After about 1s the main content of the portal disappears (the menu is still visible) and a 404 error appears, which stays visible for about another 1s
  • Then, there's a redirect to the auth server, where the correct login form appears

Do you have any ideas about what might be causing this? We've analyzed the logs and the browser console, but with no success. As I said, it happens from time to time, and in my opinion it existed also on the v8 version of ABP. If needed, I can share the URL of our test environment and a video of the issue via email.

Robert is on vacation for a few days, so let me continue describing the problem. It’s true that the two mentioned options will make MFA available during login. Unfortunately, in our case, we need to enforce one specific MFA method for users. It must always be the Authenticator App. Therefore, we need the next step after entering the username and password to either be the token app configuration (for first-time login) or a screen requiring login confirmation in the Authenticator App, depending on whether the user is logging in for the first time or not.

Example flow: https://www.youtube.com/watch?v=JCFAoMPFq-Q

We believe this is a very standard approach offered by most providers, e.g., Microsoft Entra. Hence, our question is how this can be achieved using ABP.

Key requirements:

  • Enforcing MFA exclusively through the Authenticator App.
  • During the first login, after successfully entering the username and password, the user should be able to configure the Authenticator App.
  • During subsequent logins, the step requiring login confirmation in the Authenticator App should immediately appear.
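The two posts above describe the same login flow: password first, then either authenticator enrollment (first login) or an authenticator code (every later login), with SMS and email never accepted in place of the app. The following is an added illustration of that flow, written here for this page; it is not ABP's code and does not use ABP's APIs. It assumes a hypothetical in-memory user store and a per-tenant policy object, and implements TOTP per RFC 6238 (HMAC-SHA1, 6 digits, 30 s step), which is what the authenticator apps named in the post use.

```python
# Added example (not ABP's own code): enforcing the authenticator app as the
# only second factor. The user store, TenantPolicy and NextStep names are
# assumptions for this illustration; TOTP follows RFC 6238 / RFC 4226.
import base64
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class NextStep(Enum):
    REJECTED = "rejected"                 # wrong password, or wrong/replayed/disallowed code
    SETUP_AUTHENTICATOR = "setup"         # first login: show secret/QR and require one valid code
    VERIFY_AUTHENTICATOR = "verify"       # later logins: ask for a code immediately
    GRANTED = "granted"


@dataclass
class TenantPolicy:
    require_authenticator: bool = True    # set by the tenant admin; SMS/email never satisfy it


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    totp_secret: Optional[bytes] = None   # None until the authenticator app is configured
    last_counter: int = -1                # replay guard: each 30 s counter is accepted once


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)


def new_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, hash_password(password, salt))


def totp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 6238 code for a given 30 s counter (HOTP dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % (10 ** digits):0{digits}d}"


def _check_code(secret: bytes, code: str, now: int, last_counter: int, window: int = 1) -> Optional[int]:
    """Return the matching counter if code is valid within +/-window steps and newer than last_counter."""
    current = now // 30
    for counter in range(current - window, current + window + 1):
        if counter > last_counter and hmac.compare_digest(totp_code(secret, counter), code):
            return counter
    return None


def begin_login(user: User, password: str, policy: TenantPolicy) -> NextStep:
    """Step 1: check the password, then decide which screen must come next."""
    if not hmac.compare_digest(hash_password(password, user.salt), user.password_hash):
        return NextStep.REJECTED
    if not policy.require_authenticator:
        return NextStep.GRANTED           # other MFA handling is outside this example
    if user.totp_secret is None:
        return NextStep.SETUP_AUTHENTICATOR
    return NextStep.VERIFY_AUTHENTICATOR


def start_setup(user: User, issuer: str) -> Tuple[bytes, str]:
    """Generate a pending secret and the otpauth URI to render as a QR code.
    The secret is not stored on the user until one valid code proves the app was enrolled."""
    secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = f"otpauth://totp/{issuer}:{user.name}?secret={b32}&issuer={issuer}&digits=6&period=30"
    return secret, uri


def complete_setup(user: User, pending_secret: bytes, code: str, now: int) -> NextStep:
    counter = _check_code(pending_secret, code, now, user.last_counter)
    if counter is None:
        return NextStep.REJECTED
    user.totp_secret, user.last_counter = pending_secret, counter
    return NextStep.GRANTED


def complete_login(user: User, method: str, code: str, now: int, policy: TenantPolicy) -> NextStep:
    """Step 2: only the authenticator app may satisfy the policy; SMS/email codes are refused."""
    if policy.require_authenticator and method != "authenticator":
        return NextStep.REJECTED
    if user.totp_secret is None:
        return NextStep.SETUP_AUTHENTICATOR
    counter = _check_code(user.totp_secret, code, now, user.last_counter)
    if counter is None:
        return NextStep.REJECTED
    user.last_counter = counter
    return NextStep.GRANTED
```

Two details matter for the enforcement the post asks for: the pending secret is only persisted after the user proves possession with one valid code (so an abandoned setup cannot leave a half-enrolled account), and the accepted counter is recorded so a code captured during login cannot be replayed inside the same time window.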

Having that configuration, I found two possible security issues.

Steps to reproduce:
  • I'm logged in as a user from tenant1, so my portal domain is tenant1-portal.com
  • I modify the URL in the browser to tenant2-portal.com
  • I'm redirected to the portal main page with the domain tenant2-portal.com
  • When I click the Login button I'm automatically logged in, still as the tenant1 user but with the URL tenant2-portal.com

That's the first issue.

  • Then, when I click the Log out button, it looks like I'm logged out and redirected to the portal main page (domain tenant2-portal.com)
  • Set the URL to tenant1-portal.com
  • Try to log in
  • The user is automatically logged in as the tenant1 user (even though I logged out in the previous steps)

That's the second issue. Do you have any possible solutions for these issues?
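The post above reports two behaviours of a host-per-tenant portal in front of a separate auth server: a single sign-on session for a tenant1 user is accepted on the tenant2 host, and a portal logout leaves the auth-server session alive so the next login is silent. The block below is an added model of those two steps, written for this page and not taken from ABP or OpenIddict. Everything in it is hypothetical (an in-memory "auth server" keyed by a session cookie, a "portal" that maps host names to tenants, a principal carrying a tenant claim); with `strict=False` it reproduces the reported behaviour, with `strict=True` it applies the two checks a relying party should make: refuse a principal whose tenant claim does not match the tenant resolved from the host, and end the auth-server session on logout rather than only clearing the portal cookie.

```python
# Added example (not ABP's own code): model of the two reported behaviours and
# the relying-party checks that prevent them. All names here are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Principal:
    user: str
    tenant: str                           # tenant claim issued by the auth server


class AuthServer:
    """Single sign-on session store keyed by the auth-server session cookie."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Principal] = {}

    def interactive_login(self, sid: str, principal: Principal) -> None:
        self.sessions[sid] = principal

    def authorize(self, sid: Optional[str]) -> Optional[Principal]:
        """Silent re-authentication: succeeds whenever an SSO session still exists."""
        return self.sessions.get(sid) if sid else None

    def end_session(self, sid: Optional[str]) -> None:
        if sid:
            self.sessions.pop(sid, None)


class Portal:
    def __init__(self, host_tenants: Dict[str, str], auth: AuthServer, strict: bool) -> None:
        self.host_tenants = host_tenants
        self.auth = auth
        self.strict = strict              # False reproduces the behaviour in the post
        self.principal: Optional[Principal] = None   # the portal's own login cookie

    def resolve_tenant(self, host: str) -> str:
        return self.host_tenants[host]

    def login(self, host: str, auth_sid: Optional[str]) -> str:
        """Returns 'interactive', 'granted' or 'tenant_mismatch'."""
        principal = self.auth.authorize(auth_sid)
        if principal is None:
            return "interactive"          # no SSO session: the auth server shows the login form
        if self.strict and principal.tenant != self.resolve_tenant(host):
            # first issue: a tenant1 SSO session must not become a login on the tenant2 host;
            # in a real deployment, reject it and redirect to the auth server with prompt=login
            self.principal = None
            return "tenant_mismatch"
        self.principal = principal
        return "granted"

    def logout(self, auth_sid: Optional[str]) -> None:
        self.principal = None             # clears only the portal cookie
        if self.strict:
            # second issue: also end the SSO session (RP-initiated logout), otherwise
            # the next Login click is silently satisfied by the auth server
            self.auth.end_session(auth_sid)


def reproduce(strict: bool) -> Dict[str, str]:
    """Walk the steps from the post once and report what each step produced."""
    auth = AuthServer()
    portal = Portal({"tenant1-portal.com": "tenant1", "tenant2-portal.com": "tenant2"}, auth, strict)
    sid = "sid-123"                       # constructed auth-server session cookie
    auth.interactive_login(sid, Principal("alice", "tenant1"))
    out: Dict[str, str] = {}
    out["login_on_tenant1"] = portal.login("tenant1-portal.com", sid)
    out["login_on_tenant2"] = portal.login("tenant2-portal.com", sid)    # first issue
    out["user_after_tenant2"] = portal.principal.user if portal.principal else "-"
    portal.logout(sid)
    out["login_after_logout"] = portal.login("tenant1-portal.com", sid)  # second issue
    return out
```

The tenant check has to run on the relying party, because the auth server cannot know which host the user typed; the logout fix has to reach the auth server, because a portal-only logout leaves the SSO cookie that the next authorization request will reuse.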

Now everything works fine :) I've got one question about ABP/LeptonX future updates. Now that I've got a modified Default.cshtml file in my solution, is the only way to keep that file up to date to compare it with the newest LeptonX source? There is no automation possible, right?

You can try this

Yes, this code correctly adds the _tenant parameter; that's half of the success :)

It can hide the tenant field; you can give it a try.

I put that Razor code in the correct location and now that version of the code is displayed during the login process. Unfortunately there are still 2 issues:
  1. The "Login" button is always disabled, even when I provide both user name and password.
  2. The logo above the login form is not displayed at all. Only the application name is displayed, but it looks like it's not affected by the CSS style.

Made with ❤️ on ABP v9.3.0-preview. Updated on May 15, 2025, 10:28