Dear Abp Team,
We want to have tow type of users (admins, customers),
customer are enrolled via developed APIs which has many business rule like (KYC, ..etc). after customer enrolled they assigned to a specific group. Groups are acting like aggregate for many things ( allowed services, limits, fees, ...etc). we implement the following: 1- when admins create a group and link it with the allowed services, system create role with the same name of group and assign linked services permissions to this role. 2- when user added to group an event fired to give the customer-user the same role of group.
now we need to ensure the following: 1- admins can not change/delete the roles that have been created for group purposes. (except via our developed api Groups APIs) 2- admins can not add any user to those roles mentioned above. (except via our developed api Groups APIs) 3- customers-users can not login via angular/auth (the built-in apis) login page. (or if it possible to link users with a client_id, so how can we check this).
We are lookup for your support to implement the requirements with the best practices and methods.
Thanks & best regards,
hi
This may be a security risk.
You can change the
TokenController.Password
behavior to achieve it.https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L372-L377
https://github.com/abpframework/abp/blob/dev/modules/openiddict/src/Volo.Abp.OpenIddict.AspNetCore/Volo/Abp/OpenIddict/Controllers/TokenController.Password.cs#L149
Thanks @mailming, Could you please give us more clarification about the security risk you mentioned above.
Also, Is it better to implement required use-case (above) in the new module (session management) that you are working on it (I'm following your branch) ?
thanks
We need to implement 2FA for our mobile app, we use the password flow, we we enabled the 2FA the system requires/send OTP every time customer login to his account from mobile app. we want to implement the remember device 2FA which will let's sending/requiring 2FA for new device only per user.
this feature is available for web application users, but we have another use-case which mobile app users.
So, please we need your support for achieving this case.
thanks
Hi,
He is also a commercial customer not a support, you can see that he has no label of support teamYou've got to be kidding!!!!!!! You let non ABP support people answer support questions??????? WOW!!!! I share a company's project with someone not from ABP!!!!!!!!!
sorry for that , actually I just wanted to help, and you asked for my email, whatever, I was far a way from my laptop and couldn't help (so, be safe, I haven't access your repository at all)
Hi,
I have already done this previously before creating a ticket with ABP. If you give me an email address I will give you access to my project on GitHub that this issue is occurring with.
Steve
eng.aldhamdy@gmail.com
need to execute (abp install-libs ) inside the AuthServer project folder, and then re-build the project