Activities of "jacek.bialy"

Unfortunately, it seems that you didn’t read my problem description and proposed functionality carefully. As I mentioned, ABP supports authenticator apps, but it does not allow enforcing them for users. Please take another look at my description. I’m happy to assist and answer any questions or concerns.

Description:

Currently, in ABP, enforcing multi-factor authentication (MFA) only includes SMS/email methods, which are not considered fully secure. There is no option to enforce the use of an authenticator app.

Problem:
  • The current MFA enforcement does not include authenticator apps.
  • SMS and email are vulnerable to attacks (e.g., phishing, SIM-swap).
  • From a standard business security requirements perspective, an authenticator app should be available as a mandatory MFA option.
Expected Solution:
  • Add an option to enforce MFA using an authenticator app (Google Authenticator, Microsoft Authenticator, etc.).
  • Allow administrators (preferably at the tenant level) to enforce this setting for all users.
  • During login, check if the user has already configured an authenticator app. If not, enforce its setup, similar to the existing process available in the "My Account" section.
Benefits:
  • Improved login security.
  • Compliance with modern security standards.
  • Better control for administrators over MFA policies.

It looks like that was the issue. Now the 404 error does not occur anymore.

Done :)

Robert is on vacation for a few days, so let me continue describing the problem. It’s true that the two mentioned options will make MFA available during login. Unfortunately, in our case, we need to enforce one specific MFA method for users. It must always be the Authenticator App. Therefore, we need the next step after entering the username and password to either be the token app configuration (for first-time login) or a screen requiring login confirmation in the Authenticator App, depending on whether the user is logging in for the first time or not.

Example flow: https://www.youtube.com/watch?v=JCFAoMPFq-Q

We believe this is a very standard approach offered by most providers, e.g., Microsoft Entra. Hence, our question is how this can be achieved using ABP.

Key requirements:

  • Enforcing MFA exclusively through the Authenticator App.
  • During the first login, after successfully entering the username and password, the user should be able to configure the Authenticator App.
  • During subsequent logins, the step requiring login confirmation in the Authenticator App should immediately appear.
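The flow asked for here and in the description post above (password first, authenticator enrollment forced on the first login, a TOTP prompt on every later login, no SMS/email fallback), written out as an added example on top of stock ASP.NET Core Identity, which ABP's Identity module builds on. This is not ABP's code and not a feature ABP ships; the `RequireAuthenticatorApp` flag (which would come from a tenant-level setting), the `MfaSetup` cookie scheme, the `TotpIssuer` label and the `/Account/...` routes are assumptions. In an ABP solution the same checks would go into the Account module's login page using `Volo.Abp.Identity.IdentityUser`.

```csharp
// Added example, not ABP's own code. Assumptions: RequireAuthenticatorApp (a tenant-level
// policy), the "MfaSetup" cookie scheme (registered with AddCookie), TotpIssuer and the routes.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AuthenticatorOnlyLoginController : Controller
{
    private const string MfaSetupScheme = "MfaSetup";   // assumption: separate short-lived cookie
    private const string TotpIssuer = "ExampleCorp";      // assumption: label shown in the app
    private const bool RequireAuthenticatorApp = true;    // assumption: tenant-level policy flag
    private readonly SignInManager<IdentityUser> _signIn;
    private readonly UserManager<IdentityUser> _users;

    public AuthenticatorOnlyLoginController(SignInManager<IdentityUser> signIn, UserManager<IdentityUser> users)
    {
        _signIn = signIn;
        _users = users;
    }

    // Step 1: verify the password WITHOUT issuing the session cookie, then decide the next step.
    [HttpPost]
    public async Task<IActionResult> Login(string userName, string password)
    {
        var user = await _users.FindByNameAsync(userName);
        if (user == null) return Unauthorized();
        var check = await _signIn.CheckPasswordSignInAsync(user, password, lockoutOnFailure: true);
        if (!check.Succeeded) return Unauthorized();

        var enrolled = await _users.GetTwoFactorEnabledAsync(user)
                       && !string.IsNullOrEmpty(await _users.GetAuthenticatorKeyAsync(user));
        if (RequireAuthenticatorApp && !enrolled)
        {
            // First login: a ticket that only allows finishing enrollment, bound to this user id.
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.NameIdentifier, user.Id) }, MfaSetupScheme);
            await HttpContext.SignInAsync(MfaSetupScheme, new ClaimsPrincipal(identity),
                new AuthenticationProperties { ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(10) });
            return RedirectToAction(nameof(Enroll));
        }

        // Enrolled: Identity issues the TwoFactorUserId cookie and reports RequiresTwoFactor.
        var result = await _signIn.PasswordSignInAsync(user, password, isPersistent: false, lockoutOnFailure: true);
        if (result.RequiresTwoFactor) return RedirectToAction(nameof(VerifyCode));
        return result.Succeeded ? Redirect("/") : Unauthorized();   // policy off: plain sign-in
    }

    // Step 2a: hand out the secret as an otpauth:// URI (render it as a QR code in the view).
    [HttpGet]
    public async Task<IActionResult> Enroll()
    {
        var user = await UserFromSetupTicketAsync();
        if (user == null) return Redirect("/Account/Login");
        var key = await _users.GetAuthenticatorKeyAsync(user);
        if (string.IsNullOrEmpty(key))
        {
            await _users.ResetAuthenticatorKeyAsync(user);   // generates a fresh base32 secret
            key = await _users.GetAuthenticatorKeyAsync(user);
        }
        var label = Uri.EscapeDataString($"{TotpIssuer}:{user.UserName}");
        var otpauthUri = $"otpauth://totp/{label}?secret={key}&issuer={Uri.EscapeDataString(TotpIssuer)}&digits=6";
        return View(model: otpauthUri);
    }

    // Step 2b: prove possession of the device, then enable 2FA and complete the sign-in.
    [HttpPost]
    public async Task<IActionResult> Enroll(string code)
    {
        var user = await UserFromSetupTicketAsync();
        if (user == null) return Redirect("/Account/Login");
        var provider = _users.Options.Tokens.AuthenticatorTokenProvider;
        if (!await _users.VerifyTwoFactorTokenAsync(user, provider, Normalize(code)))
            return BadRequest("The code did not match; scan the QR code again and retry.");
        await _users.SetTwoFactorEnabledAsync(user, true);
        await HttpContext.SignOutAsync(MfaSetupScheme);
        await _signIn.SignInAsync(user, isPersistent: false, authenticationMethod: "mfa");
        return Redirect("/");
    }

    // Step 3: every later login. Only the authenticator provider is accepted (no email/SMS
    // fallback) and rememberClient stays false so the prompt appears on every login.
    [HttpPost]
    public async Task<IActionResult> VerifyCode(string code)
    {
        if (await _signIn.GetTwoFactorAuthenticationUserAsync() == null) return Redirect("/Account/Login");
        var result = await _signIn.TwoFactorAuthenticatorSignInAsync(Normalize(code), isPersistent: false, rememberClient: false);
        if (result.IsLockedOut) return StatusCode(423);
        return result.Succeeded ? Redirect("/") : Unauthorized();
    }

    private async Task<IdentityUser?> UserFromSetupTicketAsync()
    {
        var auth = await HttpContext.AuthenticateAsync(MfaSetupScheme);
        var id = auth.Principal?.FindFirstValue(ClaimTypes.NameIdentifier);
        return id == null ? null : await _users.FindByIdAsync(id);
    }

    private static string Normalize(string code) => (code ?? "").Replace(" ", "").Replace("-", "");
}
```

The "MfaSetup" scheme must be registered (for instance `services.AddAuthentication().AddCookie("MfaSetup")`) and is deliberately distinct from the application cookie, so a user who has not finished enrollment never holds a real session. Two points matter for the "authenticator only" requirement: Identity's `GetValidTwoFactorProvidersAsync` also returns the Email and Phone providers once those are confirmed, so a generic "login with 2FA" page must not expose them; and passing `rememberClient: true` would skip the TOTP step in that browser on later logins, which is exactly what the requirement rules out.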

Having that configuration, I found two possible security issues.

Steps to reproduce:
  • I'm logged in as a user from tenant1, so my portal domain is tenant1-portal.com
  • I modify the URL in the browser to tenant2-portal.com
  • I'm redirected to the portal main page with domain tenant2-portal.com
  • When I click the Login button, I'm automatically logged in, still as a tenant1 user but with URL tenant2-portal.com

That's the first issue.

  • Then, when I click the Log out button, it looks like I'm logged out and redirected to the portal main page (domain tenant2-portal.com)
  • Set the URL to tenant1-portal.com
  • Try to login
  • The user is automatically logged in as the tenant1 user (even though I logged out in the previous steps)

That's the second issue. Do you have any possible solutions for these issues?

Now everything works fine :) I've got one question about ABP/LeptonX future updates. Now that I have a modified Default.cshtml file in my solution, is the only way to keep that file up to date to compare it with the newest LeptonX source? There is no automation possible, right?

You can try this

Yes, this code correctly adds _tenant parameter, that's half of the success :)

It can hide the tenant field; you can give it a try.

I put that Razor code in the correct location, and now that version of the code is displayed during the login process. Unfortunately, there are still 2 issues:
  1. The "Login" button is always disabled, even when I provide both the user name and password.
  2. The logo above the login form is not displayed at all. Only the application name is displayed, but it looks like it's not affected by the CSS style.

It works for me.

It works only when you are already on the login page and you modify the URL, but when you are redirected from the portal page it doesn't work for the host (empty tenant). As I previously mentioned, I'm using the code below to correctly redirect the user from the portal to the auth server. PortalBlazorModule.cs:

// Requires: using Microsoft.AspNetCore.WebUtilities; and using Volo.Abp.MultiTenancy;
// Appends the current tenant to the end-session URL so the auth server's query-string
// tenant resolver can pick it up. A null tenant (host) is sent as an empty value.
options.Events.OnRedirectToIdentityProviderForSignOut = redirectContext =>
{
     var currentTenant = redirectContext.HttpContext.RequestServices.GetRequiredService<ICurrentTenant>();
     // AddQueryString picks '?' or '&' itself, so this also works if IssuerAddress already has a query string.
     redirectContext.ProtocolMessage.IssuerAddress = QueryHelpers.AddQueryString(
         redirectContext.ProtocolMessage.IssuerAddress, "__tenant", currentTenant.Id?.ToString() ?? string.Empty);
     return Task.CompletedTask;
};

You can override the account layout page.

I'm using the app-pro template, so probably the code that you provided won't work to hide the tenant field on the login page?

I've already tried, and I don't know how to properly redirect the user from the portal to the AuthServer. I tried to use the __tenant parameter, so in PortalBlazorModule.cs I've added:

// Requires: using Microsoft.AspNetCore.WebUtilities; and using Volo.Abp.MultiTenancy;
// Appends the current tenant to the end-session URL so the auth server's query-string
// tenant resolver can pick it up. A null tenant (host) is sent as an empty value.
options.Events.OnRedirectToIdentityProviderForSignOut = redirectContext =>
{
     var currentTenant = redirectContext.HttpContext.RequestServices.GetRequiredService<ICurrentTenant>();
     // AddQueryString picks '?' or '&' itself, so this also works if IssuerAddress already has a query string.
     redirectContext.ProtocolMessage.IssuerAddress = QueryHelpers.AddQueryString(
         redirectContext.ProtocolMessage.IssuerAddress, "__tenant", currentTenant.Id?.ToString() ?? string.Empty);
     return Task.CompletedTask;
};

But:
  • It does not hide the Tenant field on the login page (only enabling the domain tenant resolver hides that field). The tenant is correctly selected, but the field is still visible.
  • It does not work with the host. __tenant is sent as an empty value, and then the previously selected tenant is selected, not the empty tenant/value (host).

Made with ❤️ on ABP v10.0.0-preview. Updated on June 23, 2025, 11:58