
Replace AbpZero #147


0
pnw created

I got the idea from reading other posts in this forum that I can provide Identity & Authorization to ABP using my own interface implementations instead of using Zero. My User and Role stuff isn't quite like what Zero wants. I see that there are two articles in ABP's documentation that hint at what I need to do but I still don't know exactly what to do. I also have the idea that if I implement the interfaces correctly, I can use ABP's declarative permissions approach on the Application Services.

One of the core problems I have with the Zero table structure is that it assumes a User has a Role. In my company, a User may belong to more than one Organization and they may not have the same role in each Org. The Zero table structure and Permission methods don't take Organization into account.

For example, this method in AbpUserManager just needs User and Permission.

public virtual async Task<bool> IsGrantedAsync(long userId, string permissionName)

A method that I need would look like this

public virtual async Task<bool> IsGrantedAsync(long userId, int organizationId, string permissionName)

To completely replace AbpZero is too much work since it does a lot and is hard to follow. I hope that implementing _just_ what ABP needs will be simpler. My table structures to support User-Organization-Role already exist.

While waiting for a response, I'll watch some Pluralsight courses on ASP.NET Identity & Authorization.


3 Answer(s)
  • 0
    bogdan created

    I hope that implementing just what ABP needs will be simpler.

    I've made the same conclusion some time ago and have made a wrapper around the ASP.Net Identity.

    The Zero table structure and Permission methods don't take Organization into account.

    It looks like claims-based authorization can help you. They are supported by ASP.Net Identity.

    My table structures to support User-Organization-Role already exist.

    To use this data you need a custom implementation of the IPermissionChecker interface which will be able to handle permissions in the form "Organisation=1234". You can use this permission either by an attribute [AbpAuthorize("Organisation=1234")] or by injecting IPermissionChecker and using it directly.

  • 0
    pnw created

    <cite>bogdan: </cite>

    I've made the same conclusion some time ago and have made a wrapper around the ASP.Net Identity.

    To use this data you need a custom implementation of the IPermissionChecker interface which will be able to handle permissions in the form "Organisation=1234". You can use this permission either by an attribute [AbpAuthorize("Organisation=1234")] or by injecting IPermissionChecker and using it directly.

    That is exactly what I'm looking for. I see how IPermissionsManager and IPermissionChecker work but where do I set up the claims and integrate the Identity and claims into AbpSession? There must be another class for that?

    In my case, the Identity is determined before my app even starts. Our corporate STS puts our identity in a cookie. I guess I'm looking for the Abp version of the ClaimsTransformation - where I have access to the cookies and the database so I can assemble all the claims together.

  • 0
    bogdan created

    Sorry for the delay.

    but where do I set up the claims and integrate the Identity and claims into AbpSession? There must be another class for that?

    Yes. Create your own AbpSessionWithClaims following the same approach as Abp.Zero.

    In my case, the Identity is determined before my app even starts. Our corporate STS puts our identity in a cookie. I guess I'm looking for the Abp version of the ClaimsTransformation - where I have access to the cookies and the database so I can assemble all the claims together.

    Not sure if I understand correctly. Abp does not support claims so far. You can pretend that permissions are claims. I'm using something like this:

    [AbpPermission("MyClaim=MyValue")] public void MyAppMethod() {..}

    and my implementation of IPermissionChecker parses such permission text into claim objects. Then you need to verify these claims against user claims:

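    {
        ...
        ClaimsPrincipal userPrincipal = ... get current from session ...;
        // Split the permission text "Type=Value" into its claim type and claim value.
        var (claimType, claimValue) = ParsePermissionInfo(permissionName);
        // Granted only if the current user carries exactly that claim.
        bool isPermissioned = AbpSession.UserPrincipal.HasClaim(claimType, claimValue);
        ...
    }

    Tuple<string,string> ParsePermissionInfo(string permission) {...}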