@Mehmet thanks, I did not realise I could replace the whole account component, although I don't know if I still need forgot password and other pages other than login, so I will try the AuthGuard injection first!
@gterdem ok great, I will try to reproduce it in a new solution and then log an issue if that's the case.
Thanks again for all the help
@gterdem hi
What would be the best practice then to catch all the exceptions so I can wrap the relevant ones into user-friendly ones, such as the password format being incorrect when registering? E.g. if a user registers a new account with a password of 'a' then that's invalid and they just get a blank screen on hitting register rather than a validation error.
@alper thanks, I will get a new solution and just confirm it is indeed reproducible, and will log a bug if it is. I will also try a combined solution and see if it's any different.
@yekalkan
Ok cool!
So now my last 2 questions really
Thanks again
Hi @alper
After further investigation I can see the properties for both PKCE and RequireClientSecret in the source code for the ABP IdentityServer domain object as well as the ETO object.
https://github.com/abpframework/abp/tree/dev/modules/identityserver
but I don't have the license to the UI modules to see if they are in there, maybe you can confirm? To reiterate, I am simply wondering if the options exist and I can't find them, or if they have not been added to the UI yet?
Hi @alper
The documentation found at this link shows a screenshot with the PKCE option; I will keep looking for RequireClientSecret.
I'm not sure how this helps unless ABP IO is built on top of that UI? I'm happy to try and add the UI for it to ABP IO if it doesn't exist; I am simply wondering if it is on a screen I have missed.
Hi @alper
No, I didn't set them using the official admin UI, I did it directly in the database. I have not looked at the official UI, only the ABP IO implementation.
I will have a look at the official implementation and see if I can find them.
Hi @gterdem
Ok so I have managed to mostly get what I want working. After much reading and playing around with different solutions I now have a different .NET application, a blank Angular project, ABP IO MVC and ABP IO Angular all authenticating with one Identity Server. The Angular edition is doing a full redirect to the Identity Server endpoint login page so that I can have external providers all work from one place.
Thankfully the npm package you guys are using for OIDC already works with both implicit and PKCE. However I have a few questions related to this.
To use PKCE with Angular, in the Identity Server client setup I have to set RequirePkce to true and RequireClientSecret to false, however I can't find any way to do this through the ABP Identity Server UI. I have done it directly in the DB but am wondering if there is some place in the UI I have missed where I could set these 2 options?
Also, exceptions thrown in the Identity Server endpoint just seem to show a blank page and I have to go to the logs.txt file of the Identity Server to see the issue, for things that I think should show a nice error to the user, like their password being in the incorrect format. Is it supposed to do that or is that a bug?
Sorry, I also forgot to add: I want to replace the route /account/login in Angular, what's the best way to do this? I have done it with a replaceable component, however it still shows the page with the tenant switch with my own content in the middle (where the username/password fields used to be). I would prefer to replace the whole route without recompiling all the ABP npm packages and source.
The same goes for the AuthGuard: is there an easy/correct way I can inject another version so I'm not breaking the source code?
Thanks again, Pete
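For reference, the two client settings discussed above expressed as an IdentityServer4 client definition, as an added example that is not from this thread or from ABP. It assumes an in-code `IdentityServer4.Models.Client` (in an ABP solution the same `RequirePkce`/`RequireClientSecret` properties sit on the seeded client entity in the database), and the client id, scope name and origin are placeholders.

```csharp
// Added example (not the thread's or ABP's code). Shows the SPA client as it
// should look for the authorization code flow with PKCE, beside a simple check
// that can be run over clients loaded from a store.
using System.Collections.Generic;
using System.Linq;
using IdentityServer4;
using IdentityServer4.Models;

public static class SpaClients
{
    // Placeholder origin for the Angular app; replace with the real one.
    private const string AngularOrigin = "https://localhost:4200";

    // A browser app cannot keep a secret, so RequireClientSecret = false is the
    // honest setting, and RequirePkce = true binds the authorization code to the
    // browser session that started the request (no secret is needed for that).
    public static Client AngularPkceClient() => new Client
    {
        ClientId = "MyApp_Angular",          // placeholder
        ClientName = "Angular SPA",
        AllowedGrantTypes = GrantTypes.Code, // code flow, not implicit
        RequirePkce = true,
        RequireClientSecret = false,
        RedirectUris = { AngularOrigin },
        PostLogoutRedirectUris = { AngularOrigin },
        AllowedCorsOrigins = { AngularOrigin },
        AllowedScopes =
        {
            IdentityServerConstants.StandardScopes.OpenId,
            IdentityServerConstants.StandardScopes.Profile,
            IdentityServerConstants.StandardScopes.Email,
            "MyApp"                          // placeholder API scope
        }
    };

    // Returns the client ids of public (secret-less) clients that still accept
    // the implicit grant or do not enforce PKCE. Useful as a startup sanity check
    // when clients are edited directly in the database, as in the thread.
    public static IEnumerable<string> PublicClientsWithoutPkce(IEnumerable<Client> clients) =>
        clients
            .Where(c => !c.RequireClientSecret)
            .Where(c => !c.RequirePkce || c.AllowedGrantTypes.Contains(GrantType.Implicit))
            .Select(c => c.ClientId);
}
```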
@gterdem so that example is meant to fail then?
It is using both a variable and a string representation; if what you said above is true then the following lines are incorrect in the same documentation:
var userId = items[XsrfKey] as string;
and
var provider = items[LoginProviderKey] as string;
Is there some way I could proceed with the 3rd party integration into Angular? Can we somehow mostly leverage the Identity Server endpoint from the Angular app? By that I mean actually direct the unauthenticated user to the Identity Server endpoint instead of the Angular login page, then back again when they log in.
Ok, after more moving bits and pieces around I have it working mostly.
So for the Identity Server only endpoint you need to put the following in PreConfigureServices:
// Usings needed by the snippet below (assumed from the types used; not in the original post):
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Volo.Abp.Modularity;

public override void PreConfigureServices(ServiceConfigurationContext context)
{
    var configuration = context.Services.GetConfiguration();
    PreConfigure<IIdentityServerBuilder>(builder =>
    {
        // Register Azure AD as an external OpenID Connect provider, bound from the "AzureAd" config section.
        builder.Services.AddAuthentication()
            .AddAzureAD(options => configuration.Bind("AzureAd", options));

        builder.Services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            // This event is optional but can be useful for debugging the returned claims.
            // The lambda parameter is named ctx so it does not shadow the method's "context" parameter.
            options.Events.OnTokenValidated = async ctx =>
            {
                var claims = ctx.Principal.Claims.ToList();
                await Task.CompletedTask;
            };
            // Use the v2.0 endpoint of the tenant authority.
            options.Authority = options.Authority + "/v2.0/";
            options.ClientId = configuration["AzureAd:ClientId"];
            options.CallbackPath = configuration["AzureAd:CallbackPath"];
            options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
            // Only acceptable for local development; leave the default (true) in production.
            options.RequireHttpsMetadata = false;
            // You need a client secret if you're using a private app registration rather than a public one.
            options.ClientSecret = configuration["AzureAd:ClientSecret"];
            // Disables issuer validation, which the multi-tenant v2.0 endpoint otherwise fails on;
            // for a single-tenant registration keep it enabled (or set ValidIssuer) so tokens
            // from other tenants are rejected.
            options.TokenValidationParameters.ValidateIssuer = false;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.SaveTokens = true;
            // Sign the external identity into the external cookie scheme so ASP.NET Identity can pick it up.
            options.SignInScheme = IdentityConstants.ExternalScheme;
            options.Scope.Add("email");
        });
    });
}
Then in ConfigureServices you need:
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
System.IdentityModel.Tokens.Jwt.JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Add("sub", ClaimTypes.NameIdentifier);
So mostly what is described in the MVC link, but in different locations in the Identity Server only endpoint.
I also found some bugs in the documentation at https://docs.abp.io/en/abp/latest/how-to/customize-signin-manager
This line
if (auth?.Principal == null || items == null || !items.ContainsKey("LoginProviderKey"))
Should be
if (auth?.Principal == null || items == null || !items.ContainsKey(LoginProviderKey))
Similarly the line
if (!items.ContainsKey("XsrfKey"))
Should be
if (!items.ContainsKey(XsrfKey))
Note this bug only exists in the documentation, the source it is based on is correct.
Finally, my next related problem is that the Identity Server endpoint is now working, however the front end for the primary app doesn't show the option to log in with the external AAD.
I have no idea how to make it appear as a button yet. I thought that because everything was running through the Identity Server endpoint for auth it would be reflected, but it looks like it's actually an Angular representation that looks identical. So is there a setting somewhere inside the Angular project I can turn on so that it sees the same external auth methods as the Identity Server?
Thanks
Furthermore, using the tip at the bottom of the MVC link I can confirm I am getting a full set of claims back from AAD.
So I'm starting to think there is a step where a user is created on ABP's side that is missing for whatever reason, or I have missed a call to some process to create the user, because there is nothing in any relevant tables related to the AAD user that successfully authenticated.
Any thoughts?
Thanks in advance