
OpenId and email address not saved #11099


ivanosw1 created
  • What is your product version? 11.2
  • What is your product type (Angular or MVC)? Angular
  • What is product framework type (.net framework or .net core)? .net core

If the issue is related to ABP Framework

  • What is ABP Framework version? 7.2.1

I've read many posts about this, but I think the problem of email mapping is still alive. AspNet Zero is configured to use Abp.Io as the OAuth2 server.

The Abp.Io configuration says that email is returned (and it is true):

{
    "issuer": "https://localhost:44322",
    "jwks_uri": "https://localhost:44322/.well-known/openid-configuration/jwks",
    "authorization_endpoint": "https://localhost:44322/connect/authorize",
    "token_endpoint": "https://localhost:44322/connect/token",
    "userinfo_endpoint": "https://localhost:44322/connect/userinfo",
    "end_session_endpoint": "https://localhost:44322/connect/endsession",
    "check_session_iframe": "https://localhost:44322/connect/checksession",
    "revocation_endpoint": "https://localhost:44322/connect/revocation",
    "introspection_endpoint": "https://localhost:44322/connect/introspect",
    "device_authorization_endpoint": "https://localhost:44322/connect/deviceauthorization",
    "frontchannel_logout_supported": true,
    "frontchannel_logout_session_supported": true,
    "backchannel_logout_supported": true,
    "backchannel_logout_session_supported": true,
    "scopes_supported": ["openid", "profile", "email", "address", "phone", "role", "AccountService", "IdentityService", "AdministrationService", "SaasService", "ProductService", "offline_access"],
    "claims_supported": ["sub", "birthdate", "family_name", "gender", "given_name", "locale", "middle_name", "name", "nickname", "picture", "preferred_username", "profile", "updated_at", "website", "zoneinfo", "email", "email_verified", "address", "phone_number", "phone_number_verified", "role"],
    "grant_types_supported": ["authorization_code", "client_credentials", "refresh_token", "implicit", "password", "urn:ietf:params:oauth:grant-type:device_code", "LinkLogin", "Impersonation"],
    "response_types_supported": ["code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token"],
    "response_modes_supported": ["form_post", "query", "fragment"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "subject_types_supported": ["public"],
    "code_challenge_methods_supported": ["plain", "S256"],
    "request_parameter_supported": true
}

The email address is returned after a successful login.

The email is not mapped in the database.

Open id configuration:

"OpenId": {
  "IsEnabled": "true",
  "ClientId": "UnoIns",
  "Authority": "https://localhost:44322",
  "LoginUrl": "https://localhost:44322/connect/authorize",
  "ValidateIssuer": "false",
  "ClaimsMapping": [
    {
      "claim": "name",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    },
    {
      "claim": "email",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    },
    {
      "claim": "unique_name",
      "key": "preferred_username"
    }
  ]
},

Angular configuration:

private getOpenIdConnectConfig(loginProvider: ExternalLoginProvider): AuthConfig {
    let authConfig = new AuthConfig();
    authConfig.loginUrl = loginProvider.additionalParams['LoginUrl'];
    authConfig.issuer = loginProvider.additionalParams['Authority'];
    authConfig.skipIssuerCheck = loginProvider.additionalParams['ValidateIssuer'] === 'false';
    authConfig.clientId = loginProvider.clientId;
    authConfig.responseType = 'id_token';
    authConfig.redirectUri = window.location.origin + '/account/login';
    authConfig.scope = 'openid profile email';
    authConfig.requestAccessToken = false;
    return authConfig;
}

What am I missing?

Thank you.


8 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    Could you remove the mapping below and try again?

    {
      "claim": "unique_name",
      "key": "preferred_username"
    }
    
  • ivanosw1 created

    I've removed the mapping but the login fails:

  • ismcagdas created
    Support Team

    Hi,

    Could you try this mapping instead? It was my mistake: the value of unique_name is used as the email address.

    {
      "claim": "name",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
    },
    {
      "claim": "unique_name",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
    
  • ivanosw1 created

    Ok, this configuration is correct. The email is mapped. Thank you very much.

    Just one question about this: I noticed that the username is a hash value. Is it by design, to deny direct access to ANZ with this account created by OpenID? And what happens if you choose two different OpenID servers (Google and Twitter) but only want one account on the ANZ?
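To make the accepted mapping concrete, here is an added TypeScript example (not AspNet Zero's own code) that models what a ClaimsMapping table does to a decoded id_token: each entry copies the token claim named by "claim" into the claim type named by "key", and the login step then reads the email from the emailaddress claim type. That reading of "claim" and "key" is an assumption taken from the accepted answer, where unique_name is mapped to the emailaddress type; the payload, the claim values and the function names are constructed for the example.

```typescript
// Added example, not AspNet Zero code. Assumption: "claim" names the claim in the
// incoming id_token and "key" is the claim type it is stored under.
type ClaimsMapping = { claim: string; key: string };

const NAME_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name';
const EMAIL_CLAIM = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress';

// The mapping that resolved the thread, as given in the accepted answer.
const acceptedMapping: ClaimsMapping[] = [
  { claim: 'name', key: NAME_CLAIM },
  { claim: 'unique_name', key: EMAIL_CLAIM },
];

// Constructed id_token payload (already decoded and signature-checked upstream);
// values are sample data, not captured from any server.
const samplePayload: Record<string, unknown> = {
  sub: '3fa85f64-5717-4562-b3fc-2c963f66afa6',
  name: 'Sample User',
  unique_name: 'user@example.com',
  email: 'user@example.com',
  email_verified: true,
  preferred_username: 'user@example.com',
};

// Copy every mapped token claim into the claim type the application expects.
// Claims the token does not carry are simply absent from the result.
function applyClaimsMapping(
  payload: Record<string, unknown>,
  mapping: ClaimsMapping[],
): Map<string, string> {
  const mapped = new Map<string, string>();
  for (const entry of mapping) {
    const value = payload[entry.claim];
    if (typeof value === 'string' && value.length > 0) {
      mapped.set(entry.key, value);
    }
  }
  return mapped;
}

interface ExternalLoginInfo {
  name: string;
  email: string;
  emailVerified: boolean;
}

// Derive the values a login manager needs from the mapped claims. Fails loudly
// when nothing landed under the emailaddress type, which is the symptom the
// thread describes, and when the mapped value is not shaped like an address.
function extractLoginInfo(
  payload: Record<string, unknown>,
  mapping: ClaimsMapping[],
): ExternalLoginInfo {
  const claims = applyClaimsMapping(payload, mapping);
  const email = claims.get(EMAIL_CLAIM);
  if (!email) {
    throw new Error(`no token claim is mapped to ${EMAIL_CLAIM}; check ClaimsMapping against the token`);
  }
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    throw new Error(`claim mapped to ${EMAIL_CLAIM} is not an email address: ${email}`);
  }
  return {
    name: claims.get(NAME_CLAIM) ?? '',
    email,
    // email_verified is a separate token claim; it is not implied by the mapping.
    emailVerified: payload['email_verified'] === true,
  };
}
```

The emailVerified flag matters for the follow-up question about one user arriving through two providers: if an application ever merges accounts by email address, it should only do so when the provider asserts email_verified, otherwise an address that a provider has not confirmed would be enough to attach a login to someone else's account.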

  • ismcagdas created
    Support Team

    Hi,

    Since the same email address can be used on different platforms, AspNet Zero generates a hash value for the username, but you can change it in your source code if you want. You can change it in "Authentication/External/DefaultExternalLoginInfoManager.cs" in your Web.Core project.

    And what happens if you choose two different OpenID servers (Google and Twitter) but only want one account on the ANZ?

    I couldn't understand this, could you provide a bit more detail?

    Thanks,

  • ivanosw1 created

    Thank you @ismcagdas

    And what happens if you choose two different OpenID servers (Google and Twitter) but only want one account on the ANZ?

    I mean that if I have a Twitter ([email protected]) and a Google ([email protected]) account, and the first time I choose Twitter for authentication and the second time I choose Google, will ANZ create two different accounts?

  • ismcagdas created
    Support Team

    Thanks for the explanation :). Yes, in that case, two different users will be created. We have a related issue on our roadmap for linking different social media users of the same user, https://github.com/aspnetzero/aspnet-zero-core/issues/3247

  • ivanosw1 created

    Ok, I got it.

    Thank you very much.