
Activities of "henryand"

Answer

I am dead in the water, not being able to access the "emails" value for logging in. I expect it's either a ClaimsMapping issue or (hopefully not) a change to the OpenIdConnectAuthProviderApi code. No email address = no username = no login.

Also, is there someplace I need to be referencing the userinfo endpoint?

Answer

I added your suggestion, but I get "unique_name claim is missing !". I don't know if the problem is because the key still expects "email" instead of "emails".

  "ClaimsMapping": [
    {
      "claim": "email",
      "key": "emails"
    },
    {
      "claim": "unique_name",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
  ]

Abp.UI.UserFriendlyException: unique_name claim is missing !
   at Stepwell.Web.Authentication.External.OpenIdConnectAuthProviderApi.GetUserInfo(String token) in C:\Dev\stepwell-tmp\src\Stepwell.Web.Core\Authentication\External\OpenIdConnectAuthProviderApi.cs:line 60
   at Stepwell.Web.Controllers.TokenAuthController.GetExternalUserInfo(ExternalAuthenticateModel model) in C:\Dev\stepwell-tmp\src\Stepwell.Web.Core\Controllers\TokenAuthController.cs:line 641
   at Stepwell.Web.Controllers.TokenAuthController.ExternalAuthenticate(ExternalAuthenticateModel model) in C:\Dev\stepwell-tmp\src\Stepwell.Web.Core\Controllers\TokenAuthController.cs:line 451

Question

We are using ANZ combined Angular/Core v10.1.

I am having difficulty mapping B2C to ANZ.

The customer uses an email address to log in. Their token has it in "emails". I don't know how to map that. Can you guide me on filling out the ClaimsMapping?

  "ClaimsMapping": [
    {
      "claim": "unique_name",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
  ]

Here is their token with most values replaced with datatypes:

  {
    "ver": "1.0",
    "iss": "https://domain/guid/v2.0/",
    "sub": "guid",
    "aud": "guid",
    "exp": 1698154189,
    "acr": "b2c_1a_signup_signin",
    "nonce": "mixedletters",
    "iat": 1698150589,
    "auth_time": 1698150589,
    "emails": "[email protected]",
    "name": "ROCCO",
    "given_name": "rjs",
    "family_name": "Sansotta",
    "tid": "guid",
    "at_hash": "mixedletters",
    "nbf": 1698150589
  }

This may also help:

  private getOpenIdConnectConfig(loginProvider: ExternalLoginProvider): AuthConfig {
    let authConfig = new AuthConfig();
    authConfig.loginUrl = loginProvider.additionalParams['LoginUrl'];
    authConfig.issuer = loginProvider.additionalParams['Authority'];
    //authConfig.issuer = loginProvider.additionalParams['UserInfoEndpoint'];
    authConfig.skipIssuerCheck = loginProvider.additionalParams['ValidateIssuer'] === 'false';
    authConfig.clientId = loginProvider.clientId;
    authConfig.responseType = 'id_token token';
    authConfig.redirectUri = window.location.origin + '/account/login';
    authConfig.customQueryParams = { "Abp.TenantId": '2' };
    authConfig.scope = 'openid email profile';
    authConfig.requestAccessToken = false;
    return authConfig;
  }

The issue I was having dealt with the B2C well-known document not being on the same path as the issuer.
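The two things the posts above are chasing, the "unique_name claim is missing !" error and the RS256 header, can both be seen by inspecting the id_token offline. The following is an added example, not code from ASP.NET Zero or from the poster; it builds a demo token from constructed claims modelled on the posted one, decodes it without verifying the signature (diagnostics only), and applies a ClaimsMapping list under the assumed convention, inferred from the posted config, that "claim" is the name the application expects and "key" is the name of the claim in the token.

```python
import base64
import json

# Constructed claims modelled on the B2C token in the post (placeholder values).
# B2C emits "emails" as an array; the post shows it flattened to a single value.
SAMPLE_CLAIMS = {
    "ver": "1.0", "iss": "https://domain/guid/v2.0/", "sub": "guid", "aud": "guid",
    "acr": "b2c_1a_signup_signin", "emails": ["user@example.test"],
    "name": "ROCCO", "given_name": "rjs", "family_name": "Sansotta", "tid": "guid",
}
# The mapping from the post (fails on this token) and the mapping that reads "emails".
POSTED_MAPPING = [{"claim": "unique_name",
                   "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}]
FIXED_MAPPING = [{"claim": "unique_name", "key": "emails"}]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_unsigned_demo_token(claims: dict) -> str:
    """Build header.payload.signature for inspection only; the signature is a dummy."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-kid"}  # alg as seen in the post
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), "sig"])


def peek(token: str) -> tuple:
    """Decode header and payload WITHOUT signature verification (diagnostics only).
    Use the header 'alg' to confirm which validation algorithm the server must expect."""
    h, p, _sig = token.split(".")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))


def resolve_claims(payload: dict, mapping: list) -> dict:
    """Assumed ClaimsMapping semantics: resolved[entry['claim']] = payload[entry['key']].
    Array-valued claims such as B2C 'emails' collapse to their first entry."""
    resolved = {}
    for entry in mapping:
        value = payload.get(entry["key"])
        if isinstance(value, list):
            value = value[0] if value else None
        if value is not None:
            resolved[entry["claim"]] = value
    return resolved


def missing_claims(payload: dict, mapping: list, required: tuple) -> list:
    """Names GetUserInfo would report as missing after applying the mapping."""
    resolved = resolve_claims(payload, mapping)
    return [name for name in required if name not in resolved]
```

With the posted mapping the token yields no "unique_name" because it carries no emailaddress-schema claim; pointing the key at "emails" resolves it.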

Question

We are using ANZ 10.1 Angular/Core combined.

We have a new customer that wants to authenticate with OpenIdConnect. In testing, we make it to the point where the token is received and has the info we need, but it fails to validate. What I found is that they are sending the token with RS256 and our side is using the HS256 algorithm to validate. Is RS256 supported in ANZ? Is there a place to indicate the token validation algorithm?

Thanks, Rocco

Note: adding the slash at the end of the authority gives a server error: The given key 'WellKnown' was not present in the dictionary.

I am using the Angular/Core combined ANZ v10.

We have a new customer that wants us to authenticate to their B2C server with OpenIdConnect. No matter what configuration settings I try, I still get "Wrong Issuer" on the front end after receiving the token. I placed logging in OpenIdConnectAuthProviderApi.ValidateToken, but it doesn't seem to be getting that far.

Maybe it is a mapping issue? I don't know where to put their token_endpoint, if necessary, or their JWK keys. Could you explain the JwtBearer parameters? Is that ClaimsMapping correct for ANZ to use email to log in instead of username?

  //from https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration
  //"issuer": "https://theirnode.b2clogin.com/TheirTenantIdGuid/v2.0/",
  //"authorization_endpoint": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  //"token_endpoint": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/token",
  //"end_session_endpoint": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  //"jwks_uri": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/discovery/v2.0/keys",
  //"userinfo_endpoint": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/openid/v2.0/userinfo",

  "IsEnabled": "true",
  "ClientId": "OurGuid",
  "ClientSecret": "OurSecret",
  "Authority": "https://*theirnode*.b2clogin.com/*TheirTenantIdGuid*/v2.0",
  "UserInfoEndpoint": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/openid/v2.0/userinfo",
  "LoginUrl": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/authorize",
  "LogoutUrl": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "NotAuthorizedURL": "https://theirnode.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/oauth2/v2.0/logout",
  "WellKnown": "https://*theirnode*.b2clogin.com/*theirnode*.onmicrosoft.com/b2c_1a_signup_signin/v2.0/.well-known/openid-configuration",
  "ValidateIssuer": "false",
  "ClaimsMapping": [
    {
      "claim": "email",
      "key": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
  ]
"JwtBearer": {
  "IsEnabled": "true",
  "SecurityKey": "*OurSecurityKey*",
  "Issuer": "*SomeGuid*",
  "Audience": "*SameGuidAsIssuer*"
}

NOTE: adding the slash at the end of the authority gives a server error: The given key 'WellKnown' was not present in the dictionary. (The support forum will not let me reply to your message.)

We are using the ANZ 10.0 Angular/Core combined version, hosted in Azure, published through a DevOps pipeline.

We need to implement things like DAST (Dynamic Application Security Testing), SAST (Static Application Security Testing) and SCA (Software Composition Analysis) in our development/build process(es). There are plenty of tools on the market to do these things, but before beginning a potentially lengthy search: does the ASP.NET Zero team use any specific tools like this? Do you recommend any particular ones to cover the above type(s) of automated testing?

The API could still be on one URL. Some users would have different URLs to the same site, but the different URLs would not indicate the tenant. For instance, group1.domain.com and group2.domain.com having the same tenant, or domain1.com and domain2.com sharing a published instance of the app.

We use ANZ 10.1 Angular/Core combined.

I would like to have two URLs for the same published instance of our application. I have been able to accomplish this for multi-tenant by adding the tenancy placeholder. I would like to be able to do this for the root URL, for instance qa.domain.com and test.domain.com both pointing to the same instance. I don't know how to configure the serverrootaddress, approotaddress, remoteserverbaseurl, appbaseurl, etc.

Thanks, Rocco
