Open Closed

Enable OAuth External login Provider (Azure Ad) on ABP Framework(6.0) #3761


User avatar
0
cstudart created

Hi all,

I am using ABP Commercial v6.0.0-rc.4, but I think there is not Bugs & Issues already open for it.

I am trying to enable OAuth external login via ABP Framework in order to be able to import users.

I followed the documentation https://docs.abp.io/en/commercial/latest/modules/identity/oauth-login to a enable OAuth. See my configuration below:

When I try to login using my Azure AD credentials or when I try import users I am getting "External provider authentication failed".

It is working via postman.

Thanks!


20 Answer(s)
  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    See: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri

    The Authority should be https://login.microsoftonline.com/{tenant}/v2.0

  • User Avatar
    0
    cstudart created

    Hi,

    See: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc#find-your-apps-openid-configuration-document-uri

    The Authority should be https://login.microsoftonline.com/{tenant}/v2.0

    Hi liangshiwei,

    Thanks for you reply. Yes, I already tried https://login.microsoftonline.com/{tenant}/v2.0 and also https://login.microsoftonline.com/{tenant}/oauth2/v2.0 and https://login.microsoftonline.com/{tenant}

    All of the cases I get the same error message.

    Like I said via postman it works.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Let me explain how it works.

    • First, ABP will send a request to the OpenID configuration document endpoint. ($"{Authority}/.well-known/openid-configuration)

    The configuration document endpoint will responsed:

    You can try access to https://login.microsoftonline.com/{tenant}/v2.0.well-known/openid-configuration to check it.

    PS: Don't forget replace {tenant}.

  • User Avatar
    0
    cstudart created

    Hi,

    Let me explain how it works.

    • First, ABP will send a request to the OpenID configuration document endpoint. ($"{Authority}/.well-known/openid-configuration)

    The configuration document endpoint will responsed:

    You can try access to https://login.microsoftonline.com/{tenant}/v2.0.well-known/openid-configuration to check it.

    PS: Don't forget replace {tenant}.

    Yes, I know how openId connection works. Yes, I can access the openId configuration metadata for my tenant, also on the logs I can see the openId metadata. The error that I am getting is this:

    at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.GetDiscoveryResponseAsync() at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.GetAccessTokenAsync(String userName, String password) at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.AuthenticateAsync(String userName, String password) [11:08:22 WRN] ---------- RemoteServiceErrorInfo ---------- { "code": "Volo.Abp.Identity:010011", "message": "External login provider authenticate failed", "details": null, "data": {}, "validationErrors": null }

    Once again, when I try openId connection on Postman it works.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Yes, I can access the openId configuration metadata for my tenant, also on the logs I can see the openId metadata. The error that I am getting is this:

    Please share the full logs, thanks.

  • User Avatar
    0
    cstudart created

    Yes, I can access the openId configuration metadata for my tenant, also on the logs I can see the openId metadata. The error that I am getting is this:

    Please share the full logs, thanks.

    [11:08:19 DBG] Found in the cache: pn:R,pk:admin,n:AbpIdentity.Users [11:08:19 INF] Try to use OAUTH for external authentication [11:08:19 INF] Start processing HTTP request GET https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration [11:08:19 INF] Sending HTTP request GET https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration [11:08:20 INF] Received HTTP response headers after 697.5794ms - 200 [11:08:20 INF] End processing HTTP request after 697.8031ms - 200 [11:08:20 ERR] Get discovery error: {"token_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantId}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/{tenantId}/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"} Volo.Abp.AbpException: Get discovery error: {"token_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/{tenantId}/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/{tenantId}/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"kerberos_endpoint":"https://login.microsoftonline.com/{tenantId}/kerberos","tenant_region_scope":"NA","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"} at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.GetDiscoveryResponseAsync() at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.GetAccessTokenAsync(String userName, String password) at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.AuthenticateAsync(String userName, String password) [11:08:22 WRN] ---------- RemoteServiceErrorInfo ---------- { "code": "Volo.Abp.Identity:010011", "message": "External login provider authenticate failed", "details": null, "data": {}, "validationErrors": null }

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    I will check it out

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    This is a problem, we will fix it in the 6.0 version., BTW, your ticket refunded.

    For now, you can try:

    
    [ExposeServices(typeof(OAuthExternalLoginManager))]
    public class MyOAuthExternalLoginManager : OAuthExternalLoginManager
    {
        public MyOAuthExternalLoginManager(IOAuthSettingProvider oAuthSettingProvider, IHttpClientFactory httpClientFactory) : base(oAuthSettingProvider, httpClientFactory)
        {
        }
    
        protected async override Task<DiscoveryDocumentResponse> GetDiscoveryResponseAsync()
        {
            using (var httpClient = HttpClientFactory.CreateClient(HttpClientName))
            {
                var request = new DiscoveryDocumentRequest
                {
                    Address = await OAuthSettingProvider.GetAuthorityAsync(),
                    Policy = new DiscoveryPolicy
                    {
                        RequireHttps = await OAuthSettingProvider.GetRequireHttpsMetadataAsync(),
                        ValidateEndpoints = false,
                        ValidateIssuerName = false
                    }
                };
                
                var discoveryResponse = await httpClient.GetDiscoveryDocumentAsync(request);
                if (discoveryResponse.IsError)
                {
                    throw discoveryResponse.Exception ?? new AbpException("Get discovery error: " + discoveryResponse.Raw);
                }
    
                return discoveryResponse;
            }
        }
    }```
    
  • User Avatar
    0
    cstudart created

    Hi,

    This is a problem, we will fix it in the 6.0 version., BTW, your ticket refunded.

    For now, you can try:

    Thanks!!

    I am still getting an error but now it seems to be directly from the Azure Ad

    12:28:37 ERR] Get access token error: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: a7f3a95c-2848-4eac-a01f-4d0257db3d00\r\nCorrelation ID: 3000c73d-0b0d-48fb-9781-200178c2152a\r\nTimestamp: 2022-09-29 10:28:28Z","error_codes":[50126],"timestamp":"2022-09-29 10:28:28Z","trace_id":"a7f3a95c-2848-4eac-a01f-4d0257db3d00","correlation_id":"3000c73d-0b0d-48fb-9781-200178c2152a","error_uri":"https://login.microsoftonline.com/error?code=50126"} Volo.Abp.AbpException: Get access token error: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: a7f3a95c-2848-4eac-a01f-4d0257db3d00\r\nCorrelation ID: 3000c73d-0b0d-48fb-9781-200178c2152a\r\nTimestamp: 2022-09-29 10:28:28Z","error_codes":[50126],"timestamp":"2022-09-29 10:28:28Z","trace_id":"a7f3a95c-2848-4eac-a01f-4d0257db3d00","correlation_id":"3000c73d-0b0d-48fb-9781-200178c2152a","error_uri":"https://login.microsoftonline.com/error?code=50126"} at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.GetAccessTokenAsync(String userName, String password) at Volo.Abp.Identity.ExternalLoginProviders.OAuth.OAuthExternalLoginManager.AuthenticateAsync(String userName, String password)

    Maybe it is missing pass the grant_type

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Get access token error: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: a7f3a95c-2848-4eac-a01f-4d0257db3d00\r\nCorrelation ID.

    I guess the username or password is incorrect, could you provide an azure ad test configuration with me via email? shiwei.liang@volosoft.com

    I can check it and quickly fix it.

  • User Avatar
    0
    cstudart created

    Hi,

    Get access token error: {"error":"invalid_grant","error_description":"AADSTS50126: Error validating credentials due to invalid username or password.\r\nTrace ID: a7f3a95c-2848-4eac-a01f-4d0257db3d00\r\nCorrelation ID.

    I guess the username or password is incorrect, could you provide an azure ad test configuration with me via email? shiwei.liang@volosoft.com

    I can check it and quickly fix it.

    The login works (when I login using my Azure Ad credentials). The error is just on the import users.

    As the login works, I assume the setups for the OAuth are all good. Does that make sense?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    Did you provide the password when you import a user?

  • User Avatar
    0
    cstudart created

    Hi,

    Did you provide the password when you import a user?

    I tried with and without, both the same error. it is a bit weird that I need to provide the password of the user that I am trying to import.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    it is a bit weird that I need to provide the password of the user that I am trying to import.

    Yes, but it's a limit of OAuth, we have to provide a username and password to check if the user is valid.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    After my check, it should work after https://support.abp.io/QA/Questions/3761#answer-3f02f82f-0c97-563c-cab8-3a069adc445c

    Tips: ABP needs to get the email to create a user. you can check the user info endpoint.

  • User Avatar
    0
    cstudart created

    it is a bit weird that I need to provide the password of the user that I am trying to import.

    Yes, but it's a limit of OAuth, we have to provide a username and password to check if the user is valid.

    That means that I need to know the user password?!?!

  • User Avatar
    0
    cstudart created

    After my check, it should work after https://support.abp.io/QA/Questions/3761#answer-3f02f82f-0c97-563c-cab8-3a069adc445c

    I am using that change, but still not working for me.

    Tips: ABP needs to get the email to create a user. you can check the user info endpoint.

    I am not sure what you mean. I am trying to import uses that already exist on Azure Ad by using the email and the current password, but still not working for me. Am I doing something wrong?

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    That means that I need to know the user password?!?!

    Unfortunately, yes.

    This is the resource-owner-password-flow rule.

    I am trying to import uses that already exist on Azure Ad by using the email and the current password, but still not working for me. Am I doing something wrong?

    Could you provide the azure ad configuration(clientid,secret... and a test account) to me via email? shiwei.liang@volosoft.com

  • User Avatar
    0
    cstudart created

    Hi,

    That means that I need to know the user password?!?!

    Unfortunately, yes.

    Sorry, but if to use the import external user feature it requires to know the user password, the feature is not really useful for us. I would like to import the user so before the user login he/she setting like role, for example, will be already set.

  • User Avatar
    0
    liangshiwei created
    Support Team Fullstack Developer

    Hi,

    This is a limit of OAuth: https://auth0.com/docs/get-started/authentication-and-authorization-flow/resource-owner-password-flow

    I think the OAuth external login provider is not suite for you. you can custom your own provider.

    Maybe Azure provides an HTTP API that can search users(I'm not sure.)

    public class MyAzureAdExternalLoginProvider : ExternalLoginProviderBase, ITransientDependency
    {
        public const string Name = "AzureAd";
    
        public MyAzureAdExternalLoginProvider()
                : base(....)
        {
        }
    
        public async override Task<bool> TryAuthenticateAsync(string userName, string plainPassword)
        {
            ....
        }
        
        public async override Task<bool> IsEnabledAsync()
        {
            .....
        }
    
        protected async override Task<ExternalLoginUserInfo> GetUserInfoAsync(string userName)
        {
            //Use the username to send an HTTP request to Azure API to query a user.
        }
    }
    
    
    Configure<AbpIdentityOptions>(options =>
    {
        options.ExternalLoginProviders.Add<MyAzureAdExternalLoginProvider>(MyAzureAdExternalLoginProvider.Name);
    });
    
Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11