
Token based authentication and Change Password #6780


PhilWynn created

Hi,

I am using the Abp Web Api in an external app. When authenticating, using the 'Authenticate' request, I receive the same response regardless as to whether the ShouldChangePasswordOnNextLogin flag is set.

Is there an easy way to determine, at login, whether this flag is set?

Also, could you give me some guidance as to how I would change the user password using the Web api?

Many thanks


14 Answer(s)
  • ismcagdas created
    Support Team

    Hi,

    Authenticate method should return shouldResetPassword as true.

    It should return something like this:

  • PhilWynn created

    Hi,

    Apologies for my lack of understanding here. I am getting an encrypted result, as below. How would I un-encrypt this to obtain the data above?

    { "result": "ZGczQCd9iH2DTcH8cEBOfwObxcz44YKChhVoSwx6f-JB3HVtbY06MLF6OnKjrpus52e4Sa4JTPnRKzsN3bQ5SfxJt_wBEkvRwiRgokN69qy6G37D2EXBwM9_L2hvDRvJoT_GIzJuGtOPCUrY2MsCenmNsAjcm4xmGzOeXDpUizdffR88lflj-p_MLTAdbtP8oainBtNk_Rma_oJ1vTBDiPvhor_AoxWqx--Is8GkS7E_4SrtdQPrZ5GFJC3CieCKyVGR4O1C0M4FfXYN4kqKhfcM5Q5IMIcIrkZN15_Sccjj7NPbY_rphR0H704Vnht7zsSP1brG3CXi2oP3JfB6SHpzRS2UCkVaiATofwKH8wn9Vm6Eaxfow-MTdKxjVuNChQIdmceYTuvkFlXO-z-3ohwkc286MkOGS6IwkJOyWPoYGRsa-KHHX5JpoBufCxBi4TOc9hA3XdQI4DNMr752XCGGV9oCmBUbBUkEKYDpFphHPDz23Otr1X-dXjDJ7vaHyWl_ixsdcvy6k_Q_xbzNOzj7PRC8JsTiGT_BXdMkZFonld6qy5Mh8jXwu82ZBVY7r3arGMhIZrKgJ26mJdHhPmnd7M-5Efyiyh3uMnLLWdN12g0IxD1wURW1LGOuQlHrwbd3hp4981kb3d_SvWdNbw", "targetUrl": null, "success": true, "error": null, "unAuthorizedRequest": false, "__abp": true }

  • maliming created
    Support Team

    @philwynn The return content you currently get indicates that your login is successful, and the encrypted JWT token

  • PhilWynn created

    Hi, I realise that my login is successful. However, I need to know if the user is required to change his password. How can I un-encrypt the token to get this information?

    If this is not possible, how would you recommend I fulfil this requirement?

    Many thanks

  • maliming created
    Support Team

    see: https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L128

  • PhilWynn created

    Hi @maliming

    Thank you, but I seem to have lost my access to the GitHub repository.

  • ismcagdas created
    Support Team

    Hi @philwynn

    I have added your user back to GitHub again, so now you have access for two GitHub users (PhilipWynn and PhilipWynn2).

    In order to get shouldResetPassword as true, set it to true while creating or editing the user:

  • PhilWynn created

    Hi,

    Thanks for the info, but I'm afraid you haven't answered my original question.

    When I log into the system using the "Authenticate" request (as detailed in https://docs.aspnetzero.com/documents/aspnet-mvc-jquery/latest/Development-Guide-Mvc-Angularjs#token-based-authentication) I get an encrypted token back. How do I determine from this whether or not the user is required to change his password?

    A previous post indicated the information contained within the encrypted token, but how do I access this information?

    Regards

  • ryancyq created
    Support Team

    Hi, we have not implemented the Authenticate method to include shouldResetPassword in its response for WebApi project.

    see https://github.com/aspnetzero/aspnet-zero/blob/12aa34c15797a886ee68492b77380ee5e9fbdd8c/src/MyCompanyName.AbpZeroTemplate.WebApi/WebApi/Controllers/AccountController.cs#L38-L53

  • PhilWynn created

    Hi,

    I realise that this is not currently implemented in the Authenticate method.

    I have a situation where I would like to communicate, to the consumer of the Authenticate method, that the password needs resetting.

    My question to you is: how do I return the ShouldResetPassword flag to the consumer? If it is to be contained within the encrypted ticket, how can this be viewed?

    Many thanks

  • maliming created
    Support Team

    You can refer to the aspnet-zero-core version of the code, the principle is the same.

    https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L127

  • PhilWynn created

    Hi,

    Apologies, but I will need a little more guidance. The code written for the Core version of the controller differs too much from the MVC version.

    Please could I request some sample code to give me guidance as to how I can modify the Authenticate method.

    Many thanks

  • maliming created
    Support Team

    This code is generic.

    When the token is requested, the system finds that the user needs to change the password before logging in. At this time, the model returned to the front end has a flag (shouldResetPassword), which means that the user needs to change the password, and then you can guide the user to reset the password.
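
The pattern described in the reply above, as an added example that is not part of the thread and not ASP.NET Zero's own code: the reset flag travels as a plain field of the response model, and no access token is issued while it is set, so the consumer never needs to read the protected token. All type and member names are hypothetical, the password is a constructed sample, and .NET 6 or later is assumed.

```csharp
using System;
using System.Security.Cryptography;

// Hypothetical types for illustration; these are not ASP.NET Zero's classes.
public record User(long Id, string Name, byte[] Salt, byte[] PasswordHash)
{
    public bool ShouldChangePasswordOnNextLogin { get; set; }
    public string? PasswordResetCode { get; set; }
}

// Plain response model for the API consumer; the flag lives here, not inside the token.
public record AuthenticateResult(bool ShouldResetPassword, string? PasswordResetCode,
                                 long UserId, string? AccessToken);

public static class TokenAuth
{
    public static byte[] Hash(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    public static AuthenticateResult Authenticate(User user, string password,
                                                  Func<User, string> issueToken)
    {
        // Constant-time comparison of the derived hash with the stored one.
        if (!CryptographicOperations.FixedTimeEquals(Hash(password, user.Salt), user.PasswordHash))
            throw new UnauthorizedAccessException("Invalid user name or password");

        if (user.ShouldChangePasswordOnNextLogin)
        {
            // Withhold the token; the caller gets only a one-time reset code.
            user.PasswordResetCode = Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
            return new AuthenticateResult(true, user.PasswordResetCode, user.Id, null);
        }
        return new AuthenticateResult(false, null, user.Id, issueToken(user));
    }

    public static void Main()
    {
        var salt = RandomNumberGenerator.GetBytes(16);
        var user = new User(1, "phil", salt, Hash("constructed-sample-pw", salt))
        { ShouldChangePasswordOnNextLogin = true };

        var first = Authenticate(user, "constructed-sample-pw", _ => "opaque-token");
        Console.WriteLine($"reset required: {first.ShouldResetPassword}, token: {first.AccessToken ?? "(none)"}");

        user.ShouldChangePasswordOnNextLogin = false; // cleared once the reset flow completes
        var second = Authenticate(user, "constructed-sample-pw", _ => "opaque-token");
        Console.WriteLine($"reset required: {second.ShouldResetPassword}, token: {second.AccessToken}");
    }
}
```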

  • PhilWynn created

    Thank you for the prompt response. I will give this some more thought.