
How can I enable both okta and auth0 for a tenant using openid #12204


User avatar
0
kansoftware created

I want to enable both Okta and Auth0 for a single tenant, as some users may log in through Okta and some through Auth0. I have a multi-tenant application.
Do I need to customize the code, or is there functionality in the base code? Could you please help me with how I can achieve that.


56 Answer(s)
  • User Avatar
    0
    oguzhanagir created
    Support Team

    Hi kansoftware

    To enable both Okta and Auth0 for a single tenant in your multi-tenant application, you will need to customize the code, as the standard ASP.NET Zero implementation typically supports only one OpenID Connect provider per tenant.

  • User Avatar
    0
    kansoftware created

    Hi kansoftware

    To enable both Okta and Auth0 for a single tenant in your multi-tenant application, you will need to customize the code, as the standard ASP.NET Zero implementation typically supports only one OpenID Connect provider per tenant.

    Ok.
    For now I have enabled Okta through OIDC. I have added the default options in Startup.cs. But I have also configured OpenID for a tenant through the tenant settings page.
    I want to know how and where it replaces the client id and other details before redirecting to the Okta login page.

    As for my custom code, I want to set the credentials at runtime because they will be different for each tenant. I hope I am making sense.

  • User Avatar
    0
    kansoftware created

    I want to set OpenIdConnectOptions at runtime for a tenant. Is it possible, and if yes, then how?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    These classes allow you to change the options at runtime. They get the tenant setting values (from the database).

    image.png

    In fact, you can add multiple OpenIdConnect as authentication providers.

    authenticationBuilder.AddOpenIdConnect("Auth0", options => { /* Auth0 options */ });

    authenticationBuilder.AddOpenIdConnect("Okta", options => { /* Okta options */ });


    The name is "Auth0" or "Okta".

    image.png

  • User Avatar
    0
    kansoftware created

    Can I call these functions on the login button in the Account controller to set options at runtime? If yes, then how?

  • User Avatar
    0
    maliming created
    Support Team
  • User Avatar
    0
    kansoftware created

    hi

    Yes, See https://github.com/aspnetzero/aspnet-zero-core/commit/7541fa92769e0ff340ccfb9424a5f58c62ca1c08

    image.png

    I created an ExternalLoginCustom method in the Account controller.
    In this function I wrote:
    using (_openIdConnectOptions.As<TenantBasedOpenIdConnectOptions>().Change(new OpenIdConnectOptions()))
    {
    }

    First it says TenantBasedOpenIdConnectOptions does contain a function Change.
    Also, the link you have shared has expired, I believe; it's not working.

    Also, how should I set the options in the using block?

  • User Avatar
    0
    oguzhanagir created
    Support Team

    Hi

    To access the relevant link: after logging in on the aspnetzero.com website with the user who has the plan, click the Manage button under the Account button. On the relevant page, in the GitHub Members tab, you can give permission to the GitHub user you are trying to log in from.

  • User Avatar
    0
    kansoftware created

    Let me share my complete scenario with you.
    I have a multi-tenant application. I want to enable both Okta and Auth0 for each tenant. As ASP.NET Zero supports only one authentication for a single tenant, I understand I need to customize the code. For this I will create an entity which will have configuration details like client id, secret, etc. tenant-wise for different providers.
    I have enabled AllowSocialLoginSettingsPerTenant in appsettings and set up OpenId with default values. Now when the ExternalLogin function gets called in the Account controller on the OpenIdConnect login button, I believe it gets the default set values.

    public ActionResult ExternalLogin(string provider, string returnUrl, string ss = "")
    {
        var redirectUrl = Url.Action(
            "ExternalLoginCallback",
            "Account",
            new
            {
                ReturnUrl = returnUrl,
                authSchema = provider,
                ss = ss
            });
    
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);            
    
        return Challenge(properties, provider);
    }
    

    But here I want to get the custom configuration for a tenant either for auth0 or okta and accordingly redirect at runtime.

    Could you please help me with the custom code I need to place in ExternalLogin function.

  • User Avatar
    0
    maliming created
    Support Team

    hi

    Have you checked the source that I shared?

    I have a multi-tenant application. I want to enable both Okta and Auth0 for each tenant. As ASP.NET Zero supports only one authentication for a single tenant, I understand I need to customize the code.

    You can add multiple OpenIdConnect authentication providers. The provider string will be "Auth0" or "Okta".

    authenticationBuilder.AddOpenIdConnect("Auth0", options => { /* Auth0 options */ });
    authenticationBuilder.AddOpenIdConnect("Okta", options => { /* Okta options */ });

    public ActionResult ExternalLogin(string provider, string returnUrl, string ss = "")
    {
        // Swap in the current tenant's OpenIdConnectOptions for the duration of this request
        // (the OpenIdConnect options instance is used here, not the Google one)
        using (_openIdConnectOptions.As<TenantBasedOpenIdConnectOptions>().Change(new OpenIdConnectOptions()))
        {
            // Change the client id and secret to current OpenIdConnectOptions

            var redirectUrl = Url.Action(
                "ExternalLoginCallback",
                "Account",
                new
                {
                    ReturnUrl = returnUrl,
                    authSchema = provider,
                    ss = ss
                });

            var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);

            return Challenge(properties, provider);
        }
    }


    https://github.com/aspnetzero/aspnet-zero-core/commit/7541fa92769e0ff340ccfb9424a5f58c62ca1c08
    https://support.aspnetzero.com/QA/Questions/12204/How-can-I-enable-both-okta-and-auth0-for-a-tenant-using-openid#answer-0665e369-ea30-363f-9ae6-3a15cec05d04

    image.png
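    The two pieces above (registering AddOpenIdConnect("Auth0") and AddOpenIdConnect("Okta"), and changing the options per tenant at runtime) can also be wired through the standard ASP.NET Core options hooks. The block below is an added example, not ASP.NET Zero's own TenantBasedOpenIdConnectOptions and not code from the linked commit: it supplies per-tenant values through an IConfigureNamedOptions that runs when the options are built and replaces the caching IOptionsMonitor, which is the interface the OpenIdConnectHandler reads its options from, so each request resolves its own tenant's client id. The scheme names "Auth0" and "Okta" come from this thread; TenantOidcSettings, ITenantOidcSettingsStore, the callback paths and the TenantOidcRegistration helper are assumptions.

```csharp
// Added example, not ASP.NET Zero's own code. Two OpenID Connect schemes ("Auth0" and
// "Okta", the names used in this thread) share one handler type. The handler asks
// IOptionsMonitor<OpenIdConnectOptions>.Get(schemeName) for its options on each request,
// so per-tenant client ids/secrets can be resolved there instead of mutating shared options.
using System;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Hypothetical record of one tenant's registration at one provider (the per-tenant,
// per-provider entity with client id and secret described in this thread).
public sealed class TenantOidcSettings
{
    public string Authority { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}

// Hypothetical store: resolves the current tenant itself (e.g. from IAbpSession.TenantId)
// and returns that tenant's settings for a scheme, or null to keep the Startup defaults.
public interface ITenantOidcSettingsStore
{
    TenantOidcSettings FindForCurrentTenant(string scheme);
}

// Runs inside IOptionsFactory.Create(name), i.e. before OpenIdConnect post-configuration
// builds the discovery ConfigurationManager from Authority, so the tenant's Authority is
// the one whose metadata and signing keys are fetched.
public sealed class TenantOidcConfigureOptions : IConfigureNamedOptions<OpenIdConnectOptions>
{
    private readonly ITenantOidcSettingsStore _store;

    public TenantOidcConfigureOptions(ITenantOidcSettingsStore store) => _store = store;

    public void Configure(string name, OpenIdConnectOptions options)
    {
        var settings = _store.FindForCurrentTenant(name);
        if (settings == null)
        {
            return; // not a scheme we manage, or no tenant override: keep Startup values
        }
        options.Authority = settings.Authority;
        options.ClientId = settings.ClientId;
        options.ClientSecret = settings.ClientSecret;
    }

    public void Configure(OpenIdConnectOptions options) => Configure(Options.DefaultName, options);
}

// The default OptionsMonitor caches each named options instance for the process lifetime,
// which would pin the first tenant's client id to the scheme. This one rebuilds the options
// on every Get, from the request's service scope so scoped tenant services can be used.
public sealed class PerRequestOidcOptionsMonitor : IOptionsMonitor<OpenIdConnectOptions>
{
    private readonly IHttpContextAccessor _httpContextAccessor;
    private readonly IServiceProvider _rootServices;

    public PerRequestOidcOptionsMonitor(IHttpContextAccessor httpContextAccessor, IServiceProvider rootServices)
    {
        _httpContextAccessor = httpContextAccessor;
        _rootServices = rootServices;
    }

    public OpenIdConnectOptions CurrentValue => Get(Options.DefaultName);

    public OpenIdConnectOptions Get(string name)
    {
        var services = _httpContextAccessor.HttpContext?.RequestServices ?? _rootServices;
        var factory = services.GetRequiredService<IOptionsFactory<OpenIdConnectOptions>>();
        return factory.Create(name ?? Options.DefaultName);
    }

    // Nothing is cached, so there is nothing to invalidate on change.
    public IDisposable OnChange(Action<OpenIdConnectOptions, string> listener) => null;
}

public static class TenantOidcRegistration
{
    // Call from Startup.ConfigureServices. Order matters: IConfigureOptions run in
    // registration order, so the tenant configurer is added after AddOpenIdConnect to win.
    public static void AddTenantAwareOpenIdConnect(IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddAuthentication()
            .AddOpenIdConnect("Auth0", options =>
            {
                options.ResponseType = "code";          // provider-wide defaults only;
                options.Scope.Add("email");             // Authority/ClientId/ClientSecret are per tenant
                options.CallbackPath = "/signin-auth0"; // each scheme needs its own callback path
            })
            .AddOpenIdConnect("Okta", options =>
            {
                options.ResponseType = "code";
                options.Scope.Add("email");
                options.CallbackPath = "/signin-okta";
            });

        services.AddTransient<IConfigureOptions<OpenIdConnectOptions>, TenantOidcConfigureOptions>();
        // A closed registration added after the framework's open-generic IOptionsMonitor<> wins.
        services.AddSingleton<IOptionsMonitor<OpenIdConnectOptions>, PerRequestOidcOptionsMonitor>();
    }
}
```

    With this in place the ExternalLogin action posted above works unchanged: Challenge(properties, provider) with provider "Auth0" or "Okta" triggers the matching handler, which obtains the current tenant's options at that moment. Each tenant must register the scheme's callback path as a redirect URI at its provider, and Startup (or appsettings) must still hold a valid fallback Authority and ClientId or options validation fails for tenants without settings. In production, cache the built options per (tenant, scheme) and invalidate them when the tenant's settings change, because every new OpenIdConnectOptions carries its own ConfigurationManager and re-fetches the discovery document.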

  • User Avatar
    0
    kansoftware created

    Let me share my complete scenario with you.
    I have a multi-tenant application. I want to enable both Okta and Auth0 for each tenant. As ASP.NET Zero supports only one authentication for a single tenant, I understand I need to customize the code. For this I will create an entity which will have configuration details like client id, secret, etc. tenant-wise for different providers.
    I have enabled AllowSocialLoginSettingsPerTenant in appsettings and set up OpenId with default values. Now when the ExternalLogin function gets called in the Account controller on the OpenIdConnect login button, I believe it gets the default set values.

    public ActionResult ExternalLogin(string provider, string returnUrl, string ss = "") 
    { 
        var redirectUrl = Url.Action( 
            "ExternalLoginCallback", 
            "Account", 
            new 
            { 
                ReturnUrl = returnUrl, 
                authSchema = provider, 
                ss = ss 
            }); 
     
        var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);             
     
        return Challenge(properties, provider); 
    } 
    

    But here I want to get the custom configuration for a tenant either for auth0 or okta and accordingly redirect at runtime.

    Could you please help me with the custom code I need to place in ExternalLogin function.

    After seeing the source commit you shared, I updated my code as it is. But when trying to update the options dynamically in the ExternalLogin function,
    it didn't work. Below is the code:

    [HttpPost]
    public ActionResult ExternalLogin(string provider, string returnUrl, string ss = "")
    {
        using (_openIdConnectOptions.As<TenantBasedOpenIdConnectOptions>().Change(new OpenIdConnectOptions
        {
            ClientId = "xxxxxxxxxxxxxxxxxxx",
            ClientSecret = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
            Authority = "https://dev-76726332.okta.com/oauth2/default",
            ResponseType = "code",
            Scope = { "openid", "profile", "email" }
        }))
        {
            var redirectUrl = Url.Action(
                "ExternalLoginCallback",
                "Account",
                new
                {
                    ReturnUrl = returnUrl,
                    authSchema = provider,
                    ss = ss
                });

            var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);

            return Challenge(properties, provider);
        }
    }


    Could you please help me figure out where and how I can change the options?

    Also, could you please explain what exactly the changes in the source mean?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    Can you share your test project?

    I will download and debug it.

    Thanks.

    liming.ma@volosoft.com

  • User Avatar
    0
    kansoftware created

    hi

    Can you share your test project?

    I will download and debug it.

    Thanks.

    liming.ma@volosoft.com

    As per the code project you provided, it's getting redirected correctly. But on login through Auth0 it says
    AuthenticationFailureException: OpenIdConnectAuthenticationHandler: message.State is null or empty.
    Could you help me out with what the reason can be?

    Also, can you please help me out with one question.
    Does ASP.NET Zero use the provider access token to access all the APIs in the application? Or does it internally convert the provider access token to the application access token and use that?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    Please share a username and password for Auth0.

    liming.ma@volosoft.com


    What do you mean by provider access token?

    Thanks.

  • User Avatar
    0
    kansoftware created

    hi

    Please share a username and password for Auth0.

    liming.ma@volosoft.com


    What do you mean by provider access token?

    Thanks.

    I have shared credentials over the email.

    Provider access token means: when I log in through Auth0, there will be an Auth0 access token. So will my application functions or APIs work with Auth0 access tokens or not?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    AuthenticationFailureException: OpenIdConnectAuthenticationHandler: message.State is null or empty.

    Fixed by https://github.com/maliming/CDP-Base-Zero-13.0.0/commit/b12051c1a1e996d8a646943c594dd98ba1eef508

  • User Avatar
    0
    maliming created
    Support Team

    hi

    Provider access token means: when I log in through Auth0, there will be an Auth0 access token. So will my application functions or APIs work with Auth0 access tokens or not?

    There is no access token obtained from Auth0.

    You will only get user info from Auth0.
    Zero will get the username and email, etc.

    If there is a user in the system with the same email, you will log in automatically.

    If there is no user with your Auth0 email, you will register a new user with this email; next time, you can log in automatically.

    This is how external login works.


    When you log in to aspnetzero.com via your Google account, Zero only knows your Google email; it can't get and use an access token to call the Google API.

  • User Avatar
    0
    kansoftware created

    hi

    Provider access token means: when I log in through Auth0, there will be an Auth0 access token. So will my application functions or APIs work with Auth0 access tokens or not?

    There is no access token obtained from Auth0.

    You will only get user info from Auth0.
    Zero will get the username and email, etc.

    If there is a user in the system with the same email, you will log in automatically.

    If there is no user with your Auth0 email, you will register a new user with this email; next time, you can log in automatically.

    This is how external login works.


    When you log in to aspnetzero.com via your Google account, Zero only knows your Google email; it can't get and use an access token to call the Google API.

    Can we use the Auth0 access token or id token to call our APIs?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    No. The access token of auth0 can only call the API of auth0. The id token only contains claims for user info.

  • User Avatar
    0
    kansoftware created

    Hey,

    I am running into an issue when I call the ExternalAuthenticate API in TokenAuthController via Postman to verify it for the mobile app.
    It's giving me a 500 internal server error.
    URL - https://localhost:44302/api/TokenAuth/ExternalAuthenticate
    JSON Body -
    {
        "authProvider": "OpenIdConnect",
        "providerKey": "auth0|USER_ID",
        "providerAccessCode": "Auth0_ID_Token",
        "returnUrl": "",
        "singleSignIn": false
    }

    My goal is that the mobile app team can call this API to generate the ASP.NET access token and refresh token to further call the .NET APIs.

  • User Avatar
    0
    maliming created
    Support Team

    hi

    It's giving me a 500 internal server error.

    Can you share the 500 error logs?

    Thanks.

  • User Avatar
    0
    kansoftware created

    hi

    It's giving me a 500 internal server error.

    Can you share the 500 error logs?

    Thanks.

    The actual exception is - Unknown external auth provider: OpenIdConnect.

    Another issue I am facing is: when I log out from the application, it redirects me back to the login screen, but it doesn't actually log me out of Auth0.

    Also, I am now implementing login through SMS on Auth0. But by default it redirects me to the email login page. I want to give both options based on user selection; how can I achieve that?

  • User Avatar
    0
    maliming created
    Support Team

    hi

    The actual exception is - Unknown external auth provider: OpenIdConnect.

    Please share full error logs.

    Thanks.

  • User Avatar
    0
    maliming created
    Support Team

    hi

    Another issue I am facing is: when I log out from the application, it redirects me back to the login screen, but it doesn't actually log me out of Auth0.

    Are you still using the below code for Logout?

    public async Task<ActionResult> Logout(string returnUrl = "")
    {
    
        await _signInManager.SignOutAsync();
        var userIdentifier = AbpSession.ToUserIdentifier();
    
        if (userIdentifier != null &&
            _settingManager.GetSettingValue<bool>(AppSettings.UserManagement.AllowOneConcurrentLoginPerUser))
        {
            var user = await _userManager.GetUserAsync(userIdentifier);
            await _userManager.UpdateSecurityStampAsync(user);
        }
    
        //returnUrl = NormalizeReturnUrl(returnUrl);
        //return SignOut(new AuthenticationProperties { RedirectUri = returnUrl }, CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
        string OktaLogoutUrl = "https://dev-76726332.okta.com/oauth2/default/v1/logout"; // Replace with your Okta domain
        var postLogoutRedirectUri = Url.Action("Login", "Account", null, Request.Scheme); // Redirect back to your application's home page
        var logoutUrl = $"{OktaLogoutUrl}?post_logout_redirect_uri={Uri.EscapeDataString(postLogoutRedirectUri)}";
        return Redirect(logoutUrl);
    
        if (!string.IsNullOrEmpty(returnUrl))
        {
            returnUrl = NormalizeReturnUrl(returnUrl);
            return Redirect(returnUrl);
        }
    
        return RedirectToAction("Login");
    }
    
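    The commented-out SignOut(...) line in the Logout code above is the standard way to end the provider's session as well as the application's. As an added example (not ASP.NET Zero's or the poster's code), the following Logout action determines which OpenID Connect scheme the current user signed in with and lets that scheme's handler perform RP-initiated logout, rather than redirecting to a hard-coded Okta URL for every user. The "Auth0" and "Okta" scheme names come from this thread; the AccountLogoutController class name, the generic SignInManager<IdentityUser>, and the use of ClaimTypes.AuthenticationMethod to find the provider are assumptions (ASP.NET Core Identity's SignInManager sets that claim when it signs a user in through an external login; if your sign-in path differs, record the scheme name in a claim yourself).

```csharp
// Added example, not ASP.NET Zero's or the poster's code. Ends the local session, then
// hands sign-out to the OpenID Connect handler of the scheme the user signed in with, so
// the provider session is ended too (RP-initiated logout) instead of only the app's cookie.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountLogoutController : Controller
{
    // Scheme names registered with AddOpenIdConnect in this thread; anything else is local.
    private static readonly string[] RemoteSchemes = { "Auth0", "Okta" };

    private readonly SignInManager<IdentityUser> _signInManager; // assumption: Identity's SignInManager

    public AccountLogoutController(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout(string returnUrl = "")
    {
        // Where to land once logout completes. Only local URLs are accepted, so the logout
        // endpoint cannot be turned into an open redirector.
        var redirectUri = !string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl)
            ? returnUrl
            : Url.Action("Login", "Account");

        // Identity's SignInManager records the external login provider in this claim when it
        // signs a user in via an external login (assumption: your sign-in path does the same).
        var remoteScheme = User.FindFirstValue(ClaimTypes.AuthenticationMethod);

        // Clear the application, external and two-factor cookies first.
        await _signInManager.SignOutAsync();

        if (remoteScheme != null && Array.IndexOf(RemoteSchemes, remoteScheme) >= 0)
        {
            // The OpenIdConnectHandler redirects to the end_session_endpoint from the
            // provider's discovery document (so it follows the tenant's Authority), sends the
            // app's SignedOutCallbackPath as post_logout_redirect_uri, and includes
            // id_token_hint only when the id_token was saved (SaveTokens = true). The provider
            // returns to SignedOutCallbackPath, which then redirects to RedirectUri.
            return SignOut(new AuthenticationProperties { RedirectUri = redirectUri }, remoteScheme);
        }

        return Redirect(redirectUri);
    }
}
```

    The application's SignedOutCallbackPath (by default /signout-callback-oidc) must be registered as an allowed post-logout redirect URI at each provider, and providers that require id_token_hint need SaveTokens enabled on the scheme so the handler can find the id_token under Options.SignOutScheme.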
  • User Avatar
    0
    maliming created
    Support Team

    Also, I am now implementing login through SMS on Auth0. But by default it redirects me to the email login page. I want to give both options based on user selection; how can I achieve that?

    Can you share a URL to see the SMS login page for auth0?
    Maybe auth0 has some querystring parameter to indicate the login method.