Activities of user "dmeagor"

Answer

External provider SSO login is broken on the ABP site and our projects if you already have a local account.

Clicking SSO on login page takes me to a prefilled register page.

If I submit this page I get an error account already exists.

Note the register page doesn't even have the SSO buttons.

Proper flow should simply log in with any provider with a matching email address (you shouldn't have to remember which provider you used.)

This is a critical bug for us along with the dbmigrator issue I've already reported.

Answer

dbmigrator has a severe performance issue when using 500+ tenants which I believe is caused by the efcore iterations and n+1 query issues. I think you need to disable changetracking for dbmigrator and/or open dbcontext per tenant. It would also be considerably faster and best practice if the permissions were downloaded as a single query and not 30+ separate small queries. Realistically you're limiting ABP to a small number of tenants otherwise.

Thanks.

Stripe has two billing products, the standard payment system and Stripe Billing, which includes invoicing/VAT etc.

Chargebee is similar to Stripe Billing where you forward a plan ID to them and it handles the rest through hosted checkout and plan change pages. The tenant is linked by recording a simple customer ID and subscription ID which links the accounts, and a webhook for plan changes and cancellations.

Checkout https://www.chargebee.com/docs/2.0/checkout.html

Self service portal (plan change, cancellations, invoice download etc.) https://www.chargebee.com/docs/2.0/inapp-self-serve-portal.html

Saas subscription invoicing is really complex now as the VAT location proof rules have changed in the EU, USA, Australia and Middle East trade blocks so it makes sense to use these types of service unless you only trade in your own country (which most Saas businesses don't).

We're working on a project now which will be released in the next few months and we're wondering if any of the following are planned for the commercial product.

v4.4

Subscription system & payment integration for the SaaS module.

How will this work? We use Chargebee for recurring billing. Will we be able to create plugins for the main subscription invoicing systems (Chargebee, Recurly, Chargify, Stripe Billing)? It would be great if we could have our tenant's edition switch to the matching Chargebee subscription plan when they order, cancel, expire. It would be good to tie in the Chargebee dunning process to your system so that users could be alerted that their card has failed when they log in.

Tenant impersonation for the SaaS module. / Custom management

How does all of this fit together as a customer management system? Currently the tenant search is near useless as it doesn't appear to search by other fields (tenant user email, billing reference etc.)

This is important as our customer service agents need to quickly access someone's account when we receive a support request or worse a Terms of service abuse report. They will not have the tenant id and will need to bring up a list of tenants connected to an email address or some other field. Ideally this would include a custom search function we could create.

Unchangeable Default Roles for Tenants

If I understand correctly roles and permissions are created at the tenant level. If this is the case then I'm not sure how to practically use the roles feature as when we add new features to our application we would have to choose between leaving them inactive for all users until enabled (really bad) or manually adding them to every role in every tenant (very, very bad as we don't know what the roles were created for, they might be read only or something like that.) We're not sure what to do about this as we roll out new functionality every month or so and 99.9% of our customers would simply want it enabled by default.

I think the option to add Default / template tenant roles which cannot be edited except by the host would be highly desirable.

Please add roadmap/ discussions sticky to this forum for ideas etc.

It would be good to hear others' opinions on the roadmap.

Not sure if you have a place for feature requests but I think your commercial package would benefit from a built in GDPR/data privacy feature for scheduling old data to be deleted from the admin UI (both at the host level and at the tenant level.) This would nicely complement the audit feature as something most businesses need.

  • ABP Framework version: 4.2
  • UI type: Blazor
  • DB provider: EF Core
  • Tiered (MVC) or Identity Server Separated (Angular): yes

Aim

Import and consolidate the approx 250,000 users, from two different services (each has its own server and database) into a new Tiered ABP solution.

Background

Our existing systems contain tables for Users and Organisations. Not all users are assigned to an organisation.

We aim to create Tenants for each user (single database multi-tenant model) based on either their organisation or individual User account if they are not part of an organisation. We are expecting to force users to reconfirm their accounts and generate new passwords (I've seen the article on passwordless logins which might help here.)

Question

Where are the methods to manage tenants, users, orgs?

Add tenants by code: Is it possible to create new tenants, users, organisations by code? If so can you please provide a snippet of code that would create a new Tenant, Organisation, and Saas Users without triggering user welcome emails, and email validation etc. I want the validation to happen when they log in, and not when we import. I know it's based on the ms identity/Signinmanager/IdS stuff but I've no idea how this all ties in with the Abp tenant/org/2fa code.

Delete old tenants (GDPR): Is there a proper way to delete tenants or do we have to hard code sql?

If you think this is the wrong approach and have a better idea then please let me know. We would consider SQL but the plan was for the Abp/Identity Server solution to run in a separate datacenter.

BTW. The identity docs are little more than headings and screenshots of the UI (you should just put this info into the UI itself!) Also are there .net API docs for your repositories, methods etc? I thought I saw some once but can't seem to find any now.

Sorry, but how does your (personal?) frustration or opinion help me in this discussion again?

How does it harm you? Support gave you your answer. I wrote one short followup objecting to ABP becoming dependent on an expensive commercial product, which I'm sure it won't, and you're threatening to rethink your use of the platform! Grow up.

I'm ending here before we have a Godwin's Law moment.

It's a bit rich to complain about my very brief opening sentence and then write a small blog post on why I'm wrong and should go write my own identity server.

If you're going to push ABP to add a dependency on a commercial product costing thousands a year then you can expect pushback from those that have to pay for their own costs.

  1. With limited users IS5 will die a slow death.
  2. MS may well implement something now. (BTW. I'll start blaming MS when they start charging for .net6)
  3. If a V4 fork emerges I hope that will be supported instead of V5.
  4. We're also a two man company and didn't envisage further costs.
  5. Other options like an Azure/Firebase/Amazon adapter should be considered if possible (I've no idea if it is.)

Solution

This has taken me some time to get right so I'm putting the solution here. Use this for either generating the identity server keys for production or integrating an old ASP Framework MVC project with the ABP identity server. There are other ways to store the cert rather than a file but this will work for linux too.

There are blog posts on this but they are wrong and will waste hours of your time. In particular do not include the "-certfile dev.crt" to the second openssl line as instructed by one post as it will generate an incompatible production cert.

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout dev.key -out dev.crt -subj "/CN=dev.com" -days 3650

openssl pkcs12 -export -out dev.pfx -inkey dev.key -in dev.crt

For ABP Identity Server project.

        public override void PreConfigureServices(ServiceConfigurationContext context)
        {
            var hostingEnvironment = context.Services.GetHostingEnvironment();

            PreConfigure<AbpIdentityServerBuilderOptions>(options =>
            {
                options.AddDeveloperSigningCredential = false;
            });

            PreConfigure<IIdentityServerBuilder>(identityServerBuilder =>
            {
                X509Certificate2 x509;

                // todo: passwords need to be moved to secrets storage or deployment system
                if (hostingEnvironment.IsDevelopment())
                {
                    x509 = new X509Certificate2(
                        File.ReadAllBytes(Path.Combine(hostingEnvironment.ContentRootPath, "dev.pfx")),
                        "cert-password");
                }
                else
                {
                    x509 = new X509Certificate2(
                        File.ReadAllBytes(Path.Combine(hostingEnvironment.ContentRootPath, "production.pfx")),
                        "dontaddhere");
                }

                identityServerBuilder
                    .AddSigningCredential(x509)
                    .AddValidationKey(x509);
            });
        }

Legacy MVC Framework app. OwinConfig pipeline. For production put the password and possibly certificate somewhere outside of the git repo.

var x509 = new X509Certificate2(File.ReadAllBytes(Path.Combine(HostingEnvironment.ApplicationPhysicalPath, "dev.pfx")), "cert-password");
var key = new X509SecurityKey(x509);


app.UseJwtBearerAuthentication(
    new JwtBearerAuthenticationOptions
    {
        AuthenticationMode = AuthenticationMode.Active,
        TokenValidationParameters = new TokenValidationParameters
        {
            ValidAudience = ConfigurationManager.AppSettings["JwtAudience"],
            ValidIssuer = ConfigurationManager.AppSettings["JwtIssuer"],
            IssuerSigningKey = key,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true
        }
    });
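A scripted form of the two openssl steps above, with a check that the resulting PFX is a sound signing bundle before it is deployed; this is an added example, not part of the original post. The function names, the return codes and the `PFX_PASSWORD` environment variable are assumptions, and the one-certificate check relies on the fact that `-certfile` adds further certificates to the bundle.

```shell
#!/bin/sh
# Added example. Function names, return codes and PFX_PASSWORD are assumptions.

# make_signing_pfx NAME [BITS]: writes NAME.key, NAME.crt and NAME.pfx.
# The export password is read from the environment, not typed on the command line.
make_signing_pfx() {
    local name="$1" bits="${2:-4096}"
    [ -n "${PFX_PASSWORD:-}" ] || { echo "export PFX_PASSWORD first" >&2; return 1; }
    openssl req -x509 -newkey "rsa:${bits}" -sha256 -nodes \
        -keyout "${name}.key" -out "${name}.crt" \
        -subj "/CN=${name}.com" -days 3650 2>/dev/null || return 1
    # The certificate passed to -in must be the one just created for this key.
    openssl pkcs12 -export -out "${name}.pfx" \
        -inkey "${name}.key" -in "${name}.crt" \
        -passout env:PFX_PASSWORD || return 1
    chmod 600 "${name}.key" "${name}.pfx"
}

# check_signing_pfx NAME: returns 0 if NAME.pfx is usable as a signing bundle,
# 1 if it cannot be opened with PFX_PASSWORD,
# 2 if it does not hold exactly one certificate,
# 3 if that certificate's public key does not belong to NAME.key.
check_signing_pfx() {
    local name="$1" certs count pfx_pub key_pub
    certs=$(openssl pkcs12 -in "${name}.pfx" -nokeys \
        -passin env:PFX_PASSWORD 2>/dev/null) || return 1
    count=$(printf '%s\n' "$certs" | grep -c 'BEGIN CERTIFICATE' || true)
    [ "$count" -eq 1 ] || return 2
    pfx_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "${name}.key" -pubout) || return 1
    [ "$pfx_pub" = "$key_pub" ] || return 3
}
```

With `PFX_PASSWORD` exported, `make_signing_pfx dev && check_signing_pfx dev` produces and verifies the `dev.pfx` that both C# snippets load.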

Only recently discovered this. Switching from free OS to multi-thousands per year is a real dick move IMO. I suspect they've created the new company simply to avoid possible legal action.

Is it not likely that V4 will simply get forked? For that matter could ABP not fork it and bundle with their own Admin UI since that's already part of the package? Seems like a golden opportunity if you could.

I've heard good things about Firebase Auth which is free or near free, or Azure AD B2C? Maybe some kind of adapter module?

Made with ❤️ on ABP v8.2.0-preview Updated on March 25, 2024, 15:11