Activities of "papusa"

To determine if a user logged in with a local account or via an external login (such as BankID), you can inspect the user's login providers. ABP's Identity system stores external login information in the user logins table.

As I understand it, this only shows which providers are associated with the user (from the user logins table), not which provider was actually used for the current login session. Is there a way to detect the login type of the current session?

To include a custom claim in both the access_token and id_token, you can use claims contributors in ABP. Implement IAbpClaimsPrincipalContributor and register it. In your contributor, add a custom claim (e.g., "login_type") based on the authentication context. This claim will be included in the generated tokens if added during the authentication process.

I have already implemented a claims contributor. But is this the recommended approach? I noticed it is executed four (4) times when a user logs in from Angular. Also, it does not add the claim to the id_token or access_token received on the client. This was partially solved by the suggested IOpenIddictServerHandler<OpenIddictServerEvents.ProcessSignInContext> implementation from my previous ticket, but that only adds the claim to the access_token, which is not very convenient on the client side.

The AI answer didn’t really address my third question either. Could you please clarify the recommended way to handle the scenario where a user adds a new external login?

Hi, I previously opened a ticket regarding external login with BankID, and I now have three additional questions:

Recognizing login type

• Is it possible to determine whether the user logged in with a local account or via an external login (e.g., BankID)? I'd like to make certain decisions based on the login method used.

Adding login type claim

• Is it possible to include a custom claim in both the access_token and the id_token?

Handling BankID-only actions There are some actions in my application that must only be allowed when a user is authenticated via BankID (external login).

• If the user does not yet have an external login, they should be prompted to add it.
• When a user adds an external login, it goes through the BankID login flow. However, when the request returns to the ABP application, the claims contributors are missing, so I cannot add any claim that marks the user as BankID-authenticated.
• This results in the user having to authenticate with BankID twice, which is not ideal.

Is there a recommended way to handle this scenario to avoid requiring double BankID authentication?

It works. Thank you!

I've shared a link to the BankID demo project via OneDrive. You should receive e-mail with link.

While testing the demo, I noticed that the issue only occurs when an external login is added to an existing user. If the user is registered directly via BankID, the problem doesn't appear.

Here are the steps to reproduce the issue:

1. Log in using any local user (e.g., admin).
2. Navigate to External Logins.
3. Add an external BankID account using the following test credentials:
   • National identity number: 04080599469
   • One-time code: otp
   • BankID password: qwer1234
4. After linking the external login, log out.
5. Log in using BankID.
6. In the Angular app's Home page, click the "Test national identity claim" button.
7. Expected: It should display the national identity number. Actual: It shows a message indicating the claim is not found.

Below is result for same user in angular and swagger:

I will test your case with GitHub login.

Sounds good. Thanks

I can definitely create and share a demo project with you, but please note that I won’t be able to include the external login provider credentials (like the client secret), since those are sensitive. Would that still work for you?

I can provide a test user (test identity number), or you're welcome to generate one yourself using this link: https://ra-preprod.bankidnorge.no/#/generate We're using Criipto for Norwegian BankID. You can get test account for free.

That said, I assumed the issue wasn't specific to BankID, and that any external login provider would be sufficient for testing in a demo setup. Please let me know how you'd prefer to proceed!

Previously, I was using HttpContextAccessor.HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme) to retrieve the external claims principal.

After reviewing the link you provided, I switched to using SignInManager, but the behavior hasn't changed. When logging into the Angular app, the external login is null, and I'm not receiving the expected claims when calling the API from the Angular front end.

Here's the code for my IAbpClaimsPrincipalContributor implementation. Could you please take a look and let me know if there's anything wrong or missing?

public class BankIdClaimsPrincipalContributor : IAbpClaimsPrincipalContributor, ITransientDependency { private readonly SignInManager<IdentityUser> _signInManager;

public BankIdClaimsPrincipalContributor(SignInManager<IdentityUser> signInManager)
{
    _signInManager = signInManager;
}

public async Task ContributeAsync(AbpClaimsPrincipalContributorContext context)
{
    var identity = context.ClaimsPrincipal.Identities.FirstOrDefault();
    
    var externalLogin = await _signInManager.GetExternalLoginInfoAsync();
    if (externalLogin == null)
    {
        identity?.AddClaim(new Claim("isbankidauthenticated", false.ToString().ToLower()));
        return;
    }
    
    var authenticationTypeClaim = externalLogin.Principal.FindFirst(Claims.BankId.AuthenticationType);
    var isBankIdAuthenticated = authenticationTypeClaim is { Value: Claims.BankId.NorwegianAuthenticationTypeValue };
    identity?.AddClaim(new Claim("isbankidauthenticated", isBankIdAuthenticated.ToString().ToLower()));

    if (!isBankIdAuthenticated)
    {
        return;
    }

    ForwardClaim("socialno", "nationalidentitynumber");
    ForwardClaim("dateofbirth", "dateofbirth");
    
    return;
    
    void ForwardClaim(string bankIdClaimType, string claimType)
    {
        var claim = externalLogin.Principal.FindFirst(bankIdClaimType);
        if (claim != null)
        {
            identity?.AddClaim(new Claim(claimType, claim.Value));
        }
    }
}

}

I think it might be more convenient if you could create a demo project yourself with the setup you have in mind. :)

Hi, Thanks for your response.

Could you clarify the purpose of the demo project? I’m unable to share external provider credentials, so I'm not sure how useful it would be in this case.

If you’re familiar with retrieving additional claims, perhaps you could share a demo that demonstrates the solution? :)

Here is how external provider is added in our app:

private void ConfigureExternalProviders(ServiceConfigurationContext context, IConfiguration configuration)
{
    var criiptoAuthority = configuration["Authentication:Criipto:Authority"];
    var criiptoClientId = configuration["Authentication:Criipto:ClientId"];
    var criiptoClientSecret = configuration["Authentication:Criipto:ClientSecret"];
    
    context.Services.AddAuthentication()
        .AddOpenIdConnect("Criipto", "BankID", options =>
        {
            options.ClientId = criiptoClientId;
            options.ClientSecret = criiptoClientSecret;
            options.Authority = criiptoAuthority;
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.CallbackPath = new PathString("/signin-bankid");

            options.Scope.Add("ssn");
            
            options.ClaimActions.MapJsonKey("socialno", "socialno");
            options.ClaimActions.MapJsonKey("dateofbirth", "dateofbirth");
        });
}

AI answer didn't solve the problem.

We have integrated an external login provider (BankID) into our ABP application v9 (Layered/Angular/No separate auth). Login flow works, but two issues remain regarding claims handling and distinguishing login type:

1. Forwarding External Claims

• During the external login callback, BankID provides additional claims (e.g., national identity number, date of birth).
• I can see these claims in the external cookie (IdentityConstants.ExternalScheme).
• However, once ABP finalizes the login and issues tokens for the Angular app, these claims are gone.
• I tried implementing IAbpClaimsPrincipalContributor to forward them, but the external cookie is not available for angular app (different domain/port).
• Question: What is the proper ABP way to forward external provider claims (without persisting sensitive values like national identity number in the DB) so that they appear in the JWT used by the Angular client?

2. Recognizing Authentication Type in API Calls

• For security logic, I need to know if the current user authenticated via BankID or the standard username/password login.
• In Swagger tests, I can inject and see custom claims, but once Angular is used, claims seem to be rewritten and the info is lost.
• Question: What is the recommended approach in ABP to tag the authentication method (e.g., extenal (BankID) vs. local) so that this info reliably propagates into JWT tokens consumed by the Angular frontend?

Notes: I don’t want to persist national identity number in the database, so I’m looking for a runtime claim-forwarding approach. I’ve already explored AbpUserClaimsPrincipalFactory and IAbpClaimsPrincipalContributor. Claims show up in Swagger tests but not from Angular.