ABP Framework API Scope - asp.net-core

I cloned the MicroserviceDemo solution. Before running the project PublicWebsite.Host, I commented out the code below in PublicWebSiteHostModule.cs, but why can PublicWebsite.Host still access PublicWebSiteGateway, ProductService and BloggingService? In my view, I think the app should only have access to the required scopes. (On the other hand, whether I comment out the code below or not, PublicWebsite.Host still runs correctly. Sorry for my English.)
Thank you!
context.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = "oidc";
})
.AddCookie("Cookies", options =>
{
    options.ExpireTimeSpan = TimeSpan.FromDays(365);
})
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = configuration["AuthServer:Authority"];
    options.ClientId = configuration["AuthServer:ClientId"];
    options.ClientSecret = configuration["AuthServer:ClientSecret"];
    options.RequireHttpsMetadata = false;
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("role");
    options.Scope.Add("email");
    options.Scope.Add("phone");
    //options.Scope.Add("PublicWebSiteGateway");
    //options.Scope.Add("ProductService");
    //options.Scope.Add("BloggingService");
    options.ClaimActions.MapAbpClaimTypes();
});
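As an added example (not part of the question or of the ABP MicroserviceDemo code), this is the resource side of that scope check: a client requesting fewer scopes restricts nothing by itself, each API has to validate the audience and the scope of the access token it receives. The authority URL, the scope name and the policy name are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

public static class ProductServiceAuth
{
    // Assumed values: the demo's real authority URL and API resource name may differ.
    private const string Authority = "https://localhost:44301";
    private const string ApiScope = "ProductService";

    public static void Configure(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.Authority = Authority;
                // Reject access tokens that were minted for a different API resource.
                options.Audience = ApiScope;
            });

        services.AddAuthorization(options =>
        {
            // A valid audience is not enough: the token must also carry this API's scope.
            options.AddPolicy("RequireProductServiceScope", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireAssertion(ctx => HasScope(ctx.User, ApiScope)));

            // Apply the policy to every endpoint unless one opts out with [AllowAnonymous].
            options.FallbackPolicy = options.GetPolicy("RequireProductServiceScope");
        });
    }

    // Token issuers emit either one space-separated "scope" claim or several single-value
    // "scope" claims; both shapes are handled here.
    public static bool HasScope(ClaimsPrincipal user, string scope) =>
        user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains(scope);
}
```

With this in place a token that carries only the identity scopes (role, email, phone) is refused by ProductService even though it came from the same authority.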

Related

ASP.NET Core 2.0 IdentityServer cookies arent invalid after the Expiration Time

I am trying to make the user's session close after a certain timespan, but it doesn't seem to work and it also keeps allowing multiple sessions.
In Startup.cs I have, in ConfigureServices before UseMvc:
services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    // DefaultSignInScheme is assigned twice here; DefaultChallengeScheme is never set.
    options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.LoginPath = "/xxxxxxx/Login";
    options.Cookie.Expiration = TimeSpan.FromMinutes(10);
    options.Cookie.HttpOnly = true;
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.ExpireTimeSpan = TimeSpan.FromMinutes(10);
    options.LogoutPath = "/xxxxx/Logout";
});
and after UseMvc:
services.AddIdentityServer(x =>
{
    x.Authentication.CookieLifetime = TimeSpan.FromMinutes(10);
    x.Authentication.CookieSlidingExpiration = true;
})
...
services.Configure<SecurityStampValidatorOptions>(options =>
    options.ValidationInterval = TimeSpan.FromSeconds(10));
services.ConfigureApplicationCookie(o =>
{
    o.Cookie.Expiration = TimeSpan.FromMinutes(10);
    o.Cookie.MaxAge = o.Cookie.Expiration;
    o.LoginPath = new PathString("/xxxx/Login");
    o.ExpireTimeSpan = TimeSpan.FromMinutes(10); // this configures the timeout
    o.SlidingExpiration = true;
});
So it should close after 10 minutes, but it doesn't expire...
So what could I do to set the expiration time for each session with IdentityServer?

2 openid connect in asp.net core application

I've been trying to add a second identity provider to my web app, but I have a problem with the configuration.
The app has the following configuration:
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = "cookie";
    options.DefaultSignInScheme = "cookie";
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
.AddCookie("cookie")
.AddOpenIdConnect("oidc", options =>
{
    options.Authority = AppConfig.AuthorizationServerAdress;
    options.ClientId = AppConfig.OpenidApp;
    options.ClientSecret = AppConfig.OpenidAppSecret;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.ResponseMode = OpenIdConnectResponseMode.Query;
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
})
.AddCookie("cookie2")
.AddOpenIdConnect("oidc2", options =>
{
    options.Authority = AppConfig.AuthorizationExternalServerAdress;
    options.ClientId = AppConfig.OpenidExternalApp;
    options.ClientSecret = AppConfig.OpenidExternalAppSecret;
    options.ResponseType = OpenIdConnectResponseType.Code;
    options.ResponseMode = OpenIdConnectResponseMode.Query;
    options.UsePkce = true;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
});
It works by default with the first oidc provider, but if I use oidc2 to log in and then navigate to my app, I'll go to my default oidc provider. It means that the second provider will be ignored.
Can somebody help me with the configuration, please?
The problem is that both handlers will listen for the callback request from your identity provider on the URL /signin-oidc.
So, to solve it, you need to make sure they are different, like:
.AddOpenIdConnect("oidc", options =>
{
    //other options
    options.CallbackPath = new PathString("/oidc/handler1");
})
.AddOpenIdConnect("oidc2", options =>
{
    //other options
    options.CallbackPath = new PathString("/oidc/handler2");
});
Also, see OpenIdConnect: Manually handle Callback.
But in general I advise that your clients and apps should only trust one provider (token issuer), and let users choose how to authenticate through your primary provider, like in this picture:
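A complete two-provider setup as an added example (neither the asker's nor the answerer's code). It goes a step further than the snippet above: each handler gets its own callback, signed-out callback and front-channel sign-out path, both handlers sign in to one shared cookie, and the login endpoint only ever challenges one of the two registered scheme names. Authority URLs, client ids and the configuration keys for the secrets are assumptions; implicit usings of an ASP.NET Core project are relied on.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

var auth = builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "oidc"; // used when nothing selects a scheme explicitly
})
.AddCookie(); // one session cookie is enough; both OIDC handlers sign in to it

// Assumed providers and client registrations.
AddProvider(auth, "oidc",  "https://idp-a.example", "app-a", builder.Configuration["Oidc:A:Secret"], "a");
AddProvider(auth, "oidc2", "https://idp-b.example", "app-b", builder.Configuration["Oidc:B:Secret"], "b");

static void AddProvider(AuthenticationBuilder auth, string scheme, string authority,
                        string clientId, string? clientSecret, string suffix) =>
    auth.AddOpenIdConnect(scheme, options =>
    {
        options.Authority = authority;
        options.ClientId = clientId;
        options.ClientSecret = clientSecret;
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        // Every redirect path must be unique per handler. With the defaults (/signin-oidc,
        // /signout-callback-oidc, /signout-oidc) both handlers would claim the same request.
        options.CallbackPath = $"/signin-oidc-{suffix}";
        options.SignedOutCallbackPath = $"/signout-callback-oidc-{suffix}";
        options.RemoteSignOutPath = $"/signout-oidc-{suffix}";
    });

var app = builder.Build();
app.UseAuthentication();

// The user picks the provider; anything but the two registered scheme names is rejected.
app.MapGet("/login/{scheme}", (string scheme) =>
{
    if (scheme is not ("oidc" or "oidc2")) return Results.NotFound();
    return Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { scheme });
});

app.Run();
```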

Where is app.UseOpenIdConnectAuthentication() and OpenIdConnectMiddleware in ASP.NET Core 3?

Context
I am trying to migrate an application which uses app.UseOpenIdConnectAuthentication(), but this extension method is not found in the package Microsoft.AspNetCore.Authentication.OpenIdConnect.
The actual source of this extension method uses the class OpenIdConnectMiddleware which also seems to be gone.
Question
How can I migrate this application?
Change your startup file to the example below:
public void ConfigureServices(IServiceCollection services)
{
    services.AddControllersWithViews();
    services.AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        // AddOpenIdConnect() below registers the default scheme name ("OpenIdConnect"),
        // so the same constant is used here; a literal "oidc" would name an unregistered scheme.
        options.DefaultAuthenticateScheme = OpenIdConnectDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "http://localhost:5000";
        options.RequireHttpsMetadata = false;
        options.ClientId = "mvc-client";
        options.ClientSecret = "secret-key";
        options.ResponseType = "id_token token";
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        options.Scope.Add("email");
    });
}

Why my OAuth provider works incorrectly when I add Identity to a project?

I have code that authenticates a user using OAuth. Here is this code: Github link
I use this code in the ConfigureServices() method of the Startup class:
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(options =>
        {
            options.LoginPath = new PathString("/Account/Login");
            options.LogoutPath = new PathString("/Account/Logout");
            options.AccessDeniedPath = new PathString("/Account/Forbidden");
        })
        .AddVkontakte(options => // here
        {
            options.ApiVersion = "5.95";
            options.ClientId = Configuration["VKontakte:ClientId"];
            options.ClientSecret = Configuration["VKontakte:ClientSecret"];
        });
    services.AddDefaultIdentity<User>(options =>
        {
            options.Password.RequireNonAlphanumeric = false;
            options.Password.RequireUppercase = false;
        })
        .AddEntityFrameworkStores<ApplicationContext>()
        .AddDefaultTokenProviders();
    services.AddMvc();
}
But when I try to authenticate using it, nothing happens. It works the way I want only when I remove these lines:
...
services.AddDefaultIdentity<User>(options =>
    {
        options.Password.RequireNonAlphanumeric = false;
        options.Password.RequireUppercase = false;
    })
    .AddEntityFrameworkStores<ApplicationContext>()
    .AddDefaultTokenProviders();
In both cases, the code behind .AddVkontakte(...) works correctly; I checked it in the network inspector of the browser. My code makes requests to the OAuth provider (vk.com) and successfully gets responses. But I don't understand why AddDefaultIdentity<User>(...) doesn't allow .AddVkontakte(...) to authenticate a user.
What do you think about this?
Okay, I looked at this question (Asp Core 2.1 Jwt + Identity. userManager store does not implement IUserRoleStore) and tried to change the options passed to AddAuthentication a little bit, and it worked!
Here is the final code:
public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options => // defined some options
        {
            options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
            options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
            options.DefaultSignInScheme = IdentityConstants.ApplicationScheme;
        })
        .AddCookie(options =>
        {
            options.LoginPath = new PathString("/Account/Login");
            options.LogoutPath = new PathString("/Account/Logout");
            options.AccessDeniedPath = new PathString("/Account/Forbidden");
        })
        .AddVkontakte(options =>
        {
            options.ApiVersion = "5.95";
            options.ClientId = Configuration["VKontakte:ClientId"];
            options.ClientSecret = Configuration["VKontakte:ClientSecret"];
        });
    services.AddDefaultIdentity<User>(options =>
        {
            options.Password.RequireNonAlphanumeric = false;
            options.Password.RequireUppercase = false;
        })
        .AddEntityFrameworkStores<ApplicationContext>()
        .AddDefaultTokenProviders();
    services.AddMvc();
}
I don't know what it means, but it works! Wait and see.

ASP.NET Authorize Filter Denies Access for User in Specified Role

In my ASP.NET Core 2.0 application, I am stuck with an issue: a logged-in Admin user cannot access a controller on which I used the Authorize filter [Authorize(Policy="AdminAlone")].
I confirmed that the user is in the "Administrators" role and added the policy in startup.cs, but it redirects to an AccessDenied view when I try to access the controller.
I saw a similar problem on this link, but the solution didn't help me.
Startup Class in MVC Client - ConfigureServices
services.AddMvc();
services.AddSession();
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddAuthorization(options =>
{
    options.AddPolicy("AdminAlone", policy => policy.RequireRole("Administrators"));
});
services.AddAuthentication(options =>
{
    options.DefaultScheme = "Cookies";
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultForbidScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddCookie("Cookies")
.AddOpenIdConnect("Bearer", options =>
{
    options.SignInScheme = "Cookies";
    options.Authority = "http://localhost:5000";
    options.RequireHttpsMetadata = false;
    options.ClientId = "mvcWeb";
    options.ClientSecret = "spring12345";
    options.ResponseType = OidcConstants.ResponseTypes.CodeIdToken;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.Scope.Add("NuB.HospitalSearch");
    options.Scope.Add("offline_access");
});
Web API ConfigureServices
var jwtSecurityTokenHandler = new JwtSecurityTokenHandler
{
    InboundClaimTypeMap = new Dictionary<string, string>()
};
services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(option =>
    {
        option.Audience = "NuB.HospitalSearch";
        option.Authority = "http://localhost:5000";
        option.RequireHttpsMetadata = false;
        option.SecurityTokenValidators.Clear();
        option.SecurityTokenValidators.Add(jwtSecurityTokenHandler);
        option.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
        {
            ValidateAudience = true,
            ValidAudience = "NuB.HospitalSearch",
            ValidateIssuer = true
        };
    });
You may try the following. Inside your AddOpenIdConnect configuration add:
options.TokenValidationParameters = new TokenValidationParameters {
    NameClaimType = JwtClaimTypes.Name,
    RoleClaimType = JwtClaimTypes.Role
};
In fact, this property defines the types and definitions required for validating a token. Please refer to this post from Dominick Baier for a more detailed explanation.
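To make that fix concrete, here is an added example (not the answer's code) of the full client-side setup under which RequireRole("Administrators") sees the "role" claim from the id token or the userinfo response; it also maps the userinfo "role" value, which the handler otherwise drops. Authority, client id, the secret's configuration key and the "role" identity scope are assumptions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public static class RoleClaimAuth
{
    public static void Configure(IServiceCollection services, IConfiguration configuration)
    {
        // Keep the short JWT claim names ("name", "role"); otherwise the handler renames them
        // to the long ClaimTypes URIs and the RoleClaimType below never matches anything.
        JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();

        services.AddAuthorization(options =>
            options.AddPolicy("AdminAlone", policy => policy.RequireRole("Administrators")));

        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://localhost:5001";                    // assumed
            options.ClientId = "mvcWeb";                                     // assumed
            options.ClientSecret = configuration["AuthServer:ClientSecret"]; // assumed key
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.UsePkce = true;
            options.SaveTokens = true;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Add("role"); // assumed identity scope that releases role claims

            // RequireRole() ends up in ClaimsIdentity.IsInRole(), which compares against the
            // identity's RoleClaimType. Point it at "role" instead of the default ClaimTypes.Role.
            options.TokenValidationParameters = new TokenValidationParameters
            {
                NameClaimType = "name",
                RoleClaimType = "role"
            };

            // Claims returned by the userinfo endpoint are discarded unless mapped explicitly;
            // a JSON array of roles produces one "role" claim per element.
            options.ClaimActions.MapJsonKey("role", "role");
        });
    }
}
```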