How do I generate the Auth url that will allow a non ABP related website authenticate with ABP OpenIddict? #5493 | Support Center | ABP Commercial

okains created 9 months ago

Check the samples, to see the basic tasks: https://docs.abp.io/en/commercial/latest/samples/index The exact solution to your question may have been answered before, please use the search on the homepage.

If you're creating a bug/problem report, please include followings:

ABP Framework version: v7.3.1
UI type: Blazor
DB provider: EF Core
Tiered (MVC) or Identity Server Separated (Angular): no
Exception message and stack trace:
Steps to reproduce the issue:"

I would like to use SSO with a single tier Blazor Server ABP solution. I have a separate site that I would like to have sign in using OpenIddict, then callback with a JWT to an endpoint on that site. So similar to how the Public websites work in ABP, but not necessarily using .NET.

I can see that the Public website in my dev environment calls the following URL to auth then redirect:

https://localhost:44396/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DABP73Public_Web_Public%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%3A7136%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520ABP73Public%26response_mode%3Dform_post%26nonce%3D638261167785072016.ZDg1NjgyZWUtZTAwNi00OGI4LTk0OTktNTZiNzVhOWIxOGFhMzk3YWM5N2UtODAwZC00YTc5LWI1MDMtNTA3OGNlNDk0MTEw%26state%3DCfDJ8MMdCuDzYEhJvMFQjtHhQGyHQ7Qq5BRX2jGkRv3Pti2RLsO3Zc0hq9QnyTqRr02P1_4NXt931DyfZ7gzkMJRP7UBUQNETvBJcwNqV3g2YbD2aOWRwEnF-gzhcrwrubi6mhAbGxqd6ZcTgmD9ndYyqCU2tW_ekfuuYY1cxmxMeeDF9CauhfMREVk0tCHTPcovRb8foC_mvAqRIvB-FSNjf-MLqwbtHeOltgqXecSXXH9K9gHrkWIe-dP2lQaq3pbrBqvU6BPCC8hd4Czj034Css0dT7AedrLKTmcde7Y47OdO%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

This is generated by the ChallengeAccountController in the Public website. How can I best handle this outside of a .NET environment? Are there any other considerations that I am missing here?

Note: I did change the redirect_uri in this example to https://jwt.ms , and configured things ( I think ) correctly but on the redirect I didn't get a JWT. I am expecting this to work similar to how Azure B2C works, if you are familiar with that workflow. If I am missing something please let me know.

Thanks,

Karim

7 Answer(s)

maliming created 9 months ago

Support Team Fullstack Developer

You can add an OpenIdConnect and Cookies authentication schemes to your separate site

Then everything will work as Public website

context.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(365);
    options.CheckTokenExpiration();
})
.AddAbpOpenIdConnect("oidc", options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); ;
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;

    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];

    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;

    options.Scope.Add("roles");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    options.Scope.Add("MyProjectName");
});

0

okains created 9 months ago

Hi,

The question is based around handling this outside of a .NET environment.

How can I best handle this outside of a .NET environment?

So for example, I have a simple single page site, www.mysite.com with a LOGIN button on the homepage. I need to be able to generate the fully formed URL to the Auth server (ABP OpenIddict) that contains the redirectUri to then call back to www.mysite.com/callback so that I can access a JWT.

So I need a way to generate this URL ( as noted in the original question ):

https://localhost:44396/Account/Login?ReturnUrl=%2Fconnect%2Fauthorize%3Fclient_id%3DABP73Public_Web_Public%26redirect_uri%3Dhttps%253A%252F%252Flocalhost%3A7136%26response_type%3Dcode%2520id_token%26scope%3Dopenid%2520profile%2520roles%2520email%2520phone%2520ABP73Public%26response_mode%3Dform_post%26nonce%3D638261167785072016.ZDg1NjgyZWUtZTAwNi00OGI4LTk0OTktNTZiNzVhOWIxOGFhMzk3YWM5N2UtODAwZC00YTc5LWI1MDMtNTA3OGNlNDk0MTEw%26state%3DCfDJ8MMdCuDzYEhJvMFQjtHhQGyHQ7Qq5BRX2jGkRv3Pti2RLsO3Zc0hq9QnyTqRr02P1_4NXt931DyfZ7gzkMJRP7UBUQNETvBJcwNqV3g2YbD2aOWRwEnF-gzhcrwrubi6mhAbGxqd6ZcTgmD9ndYyqCU2tW_ekfuuYY1cxmxMeeDF9CauhfMREVk0tCHTPcovRb8foC_mvAqRIvB-FSNjf-MLqwbtHeOltgqXecSXXH9K9gHrkWIe-dP2lQaq3pbrBqvU6BPCC8hd4Czj034Css0dT7AedrLKTmcde7Y47OdO%26x-client-SKU%3DID_NET6_0%26x-client-ver%3D6.21.0.0

Thanks,

Karim
0

maliming created 9 months ago
Support Team Fullstack Developer

hi

outside of a .NET environment?

What kind of application?

HTML + Javascript? PHP? Java?

Using the oauth2 class library would be best instead of processing it manually. This process is more complicated.
0

okains created 9 months ago

HTML + Javascript for now, but I want to be able to have any 3rd party site / app that we have authenticate using ABP auth.

So if you could explain how best to generate that URL and if there are any particular considerations I need to be aware of given the ABP implementation that would be great.
0

maliming created 9 months ago
Support Team Fullstack Developer

hi

You can use the javascript library like https://github.com/IdentityModel/oidc-client-js/wiki

So if you could explain how best to generate that URL and if there are any particular considerations I need to be aware of given the ABP implementation that would be great.

Abp uses standard oauth flow. https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow

okains created 9 months ago

You can add an OpenIdConnect and Cookies authentication schemes to your separate site

Then everything will work as Public website

context.Services.AddAuthentication(options => 
{ 
    options.DefaultScheme = "Cookies"; 
    options.DefaultChallengeScheme = "oidc"; 
}) 
.AddCookie("Cookies", options => 
{ 
    options.ExpireTimeSpan = TimeSpan.FromDays(365); 
    options.CheckTokenExpiration(); 
}) 
.AddAbpOpenIdConnect("oidc", options => 
{ 
    options.Authority = configuration["AuthServer:Authority"]; 
    options.RequireHttpsMetadata = Convert.ToBoolean(configuration["AuthServer:RequireHttpsMetadata"]); ; 
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken; 
 
    options.ClientId = configuration["AuthServer:ClientId"]; 
    options.ClientSecret = configuration["AuthServer:ClientSecret"]; 
 
    options.UsePkce = true; 
    options.SaveTokens = true; 
    options.GetClaimsFromUserInfoEndpoint = true; 
 
    options.Scope.Add("roles"); 
    options.Scope.Add("email"); 
    options.Scope.Add("phone"); 
    options.Scope.Add("MyProjectName"); 
});

OK then, to keep things clear, let's go back to this scenario with a separate .NET application. What code to I need to call / use in order to generate the correct URL as mentioned in the initial question?

0
maliming created 9 months ago
Support Team Fullstack Developer
You can call the Challenge to initial the oidc flow.

[HttpGet] public virtual async Task<ActionResult> Challenge(string returnUrl = "") { return Challenge(new AuthenticationProperties { RedirectUri = returnUrl }, "oidc"); }

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.mvc.controllerbase.challenge?view=aspnetcore-7.0

Have an answer to this question? Log in and write your answer.