
Activities of "rbohac"

In v7.0.0, unable to edit if you have a user who is mapped to an organization unit that has roles associated with the organization unit. This ends up saying the user has those roles, but then when you try to save, it also fails as it says:

    WARN 2019-09-13 17:21:05,791 [255 ] Mvc.ExceptionHandling.AbpExceptionFilter - User already in role 'IT Engineering'.
    Abp.UI.UserFriendlyException: User already in role 'IT Engineering'.
       at Abp.IdentityFramework.IdentityResultExtensions.CheckErrors(IdentityResult identityResult, ILocalizationManager localizationManager) in D:\Github\aspnetboilerplate\src\Abp.ZeroCore\IdentityFramework\IdentityResultExtensions.cs:line 72
       at MotionCX.MotionCXAppServiceBase.CheckErrors(IdentityResult identityResult) in C:\mcx\MP.Server\aspnet-core\src\MotionCX.Application\MotionCXAppServiceBase.cs:line 62

That said, if you uncheck all roles, then save, it works fine. Then, you can edit the user again, and the roles show up (due to the role being in the organization unit). This causes a lot of issues (obviously). Not sure if there is already a ticket opened on this, but I tried to find one and wasn't able to locate it.

Finally got back to this... one quick question though: were you able to get this to work if they start at the b2c end point and are then redirected to ANZ after logging in? Only asking this as I'm failing pretty hard on getting that part to work. That said, if I start at ANZ and then choose the external login and go to the b2c, then I can get it to work. I might be missing something obvious on this?

ps: I apologize for having to ask this again. I spent a decent amount of time trying to get this to work... as I'd assume it shouldn't matter as it still ends up hitting the signin-oidc

pss: I think you were able to get it to work from starting at the b2c point... but just want to make sure in case I'm wasting my time

@richardghubert - Awesome, and thanks for the response. I got sidetracked by another task, so it might be a few days before I have a chance to go back on this. Glad to hear you got it working, and I also appreciate the info around the claims issue, as I'm pretty sure that is the issue I'm having currently. Will let you know how it goes. One other question I do have though: are you first logging in through ANZ, and from there, choosing to go through the external OpenID Connect? I was able to get that to work when using the ADD (the issue I'm having was in b2c, but I think the claim issue you specified will likely resolve that one).

Anyways, thanks again for the info!

@richardghubert or @ismcagdas

Quick question on this, were you able to get it to work? I think I was able to get it to work (though having issues with api management... but that is a different topic).

I also have one additional question around this: if I were to remove the internal login completely and just use the external login with b2c... I know this would likely need some changes, especially with non-tenant users... Maybe a better question: do you know of any examples where someone has done that in abp and/or anz?

Should have gone back to the role manager one in aspnetboilerplate. Had read about it, but that was several months ago. Going to just add an extra one on the jwt to make it a little easier to follow what is going on (especially with tenants). Closing this.

Interesting. Have been totally looking at the wrong locations for the issue on this. I had kept seeing the roles showing up with the expected name (I had just made RoleTest and RoleTest2). Looks like this only shows up in "DisplayName", though it is creating the names for it just as listed above in the jwt (as well as in the scope claims). Is this expected?

Also, I should at least state that I also tried calling the /connect/userinfo and checking there, as well as ensuring that the client details in the openid scopes have the roles (also tried just role too) in place. I also tried to ensure we were adding the roles inside the IEnumerable<IdentityResource> too (I think I forgot to note that in the code above). This was done in the IdentityServerConfig file, and I tried both these lines:

    new IdentityResource { Name = "roles", UserClaims = { JwtClaimTypes.Role } }
    new IdentityResource("roles", new[] { "role" })

Tried several other items too, but well, hopefully I'm just missing something obvious? I was able to add multiple roles in the IdentityServer4 samples as well as the source code. Have pulled all code from aspnetboilerplate and removed the nuget packages, pointing to those projects instead, and also added it to a downloaded project that was generated from ANZ. Will set up another submodule to pull from IdentityServer4 too.

In the process of trying to add Roles to the claims in the JWT in order to make ANZ usable as an SSO. I was able to do this by reading some of the issues in identityserver4 and made a couple lines of changes in the authorization in the startup folder. That said, no matter what I do, the only role claim that is readable is "Admin"; any other role that is added to the user comes up with something like this:

    {
      "sub": "5",
      "name": "testUser",
      "AspNet.Identity.SecurityStamp": "45FE42SK2IAH3TW7VBNQDAD6WCCNKQQF",
      "role": [ "Admin", "8ac1fcbf73784e1c895e798dad4c83e6", "4d7d67d8393d49e69d2190dc060c04cc" ],
      "jti": "77c44272-7049-43ae-91df-1b8d73540db2",
      "iat": 1556466541,
      "token_validity_key": "5b92fb9d-d2b1-4093-8bd5-0885259b9486",
      "user_identifier": "5",
      "nbf": 1556466541,
      "exp": 1556552941,
      "iss": "MotionCX",
      "aud": "MotionCX"
    }

The lines that I added were:

using Microsoft.AspNetCore.Authentication.OAuth.Claims;

And then, in the open id area, I added the following:

    options.ClaimActions.MapJsonKey("role", "role");
    options.ClientId = configuration["Authentication:OpenId:ClientId"];
    options.Authority = configuration["Authentication:OpenId:Authority"];
    options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";
    options.ResponseType = OpenIdConnectResponseType.IdToken;
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.ClaimActions.Add(new JsonKeyClaimAction("role", "role", "role"));

    options.TokenValidationParameters = new TokenValidationParameters()
    {
        ValidateIssuer = bool.Parse(configuration["Authentication:OpenId:ValidateIssuer"]),
        RoleClaimType = "role"
    };

This allowed it to show up (I also tried numerous other ideas that were in the identityserver4 GitHub issues, but nothing else made any change). I could be doing something silly on this, and I will keep on working on it, but figured I'd open up a ticket just in case you'd already know the issue around it.
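Added example (not from rbohac's posts and not ASP.NET Zero or ASP.NET Core code): a stand-alone console program that takes a token payload shaped like the decoded JWT in the post above, turns its "role" array into one claim per element, and builds a ClaimsPrincipal whose role claim type is "role", which is what the RoleClaimType = "role" setting in the snippet does for the validated identity. The payload values are constructed, and the one-claim-per-array-element mapping is reimplemented inline rather than taken from the framework's MapJsonKey, so it is an assumption that the handler on a given ASP.NET Core version behaves the same way. It makes the DisplayName-versus-Name point from the later post visible: IsInRole matches the role's internal Name string exactly as it appears in the token, so a check written against the display name never succeeds.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Text.Json;

public static class RoleClaimMapping
{
    // Constructed payload, shaped like the decoded JWT in the post; values are made up.
    // The second role entry imitates an ABP role whose Name is a generated string
    // while its readable DisplayName (say "RoleTest") never enters the token.
    private const string Payload = @"{
        ""sub"": ""5"",
        ""name"": ""testUser"",
        ""role"": [ ""Admin"", ""8ac1fcbf73784e1c895e798dad4c83e6"" ],
        ""iss"": ""MotionCX"",
        ""aud"": ""MotionCX""
    }";

    // Inline equivalent of options.ClaimActions.MapJsonKey(claimType, jsonKey):
    // a JSON array yields one claim per element, a scalar yields a single claim,
    // a missing or null key yields nothing. (Assumed to match the framework.)
    public static List<Claim> MapJsonKey(JsonElement payload, string claimType, string jsonKey, string issuer)
    {
        var claims = new List<Claim>();
        if (!payload.TryGetProperty(jsonKey, out var value))
            return claims;

        if (value.ValueKind == JsonValueKind.Array)
        {
            foreach (var element in value.EnumerateArray())
                claims.Add(new Claim(claimType, element.ToString(), ClaimValueTypes.String, issuer));
        }
        else if (value.ValueKind != JsonValueKind.Null)
        {
            claims.Add(new Claim(claimType, value.ToString(), ClaimValueTypes.String, issuer));
        }
        return claims;
    }

    public static ClaimsPrincipal BuildPrincipal(string json)
    {
        using var doc = JsonDocument.Parse(json);
        var root = doc.RootElement;
        var issuer = root.GetProperty("iss").GetString();

        var claims = new List<Claim>
        {
            new Claim("sub", root.GetProperty("sub").GetString(), ClaimValueTypes.String, issuer),
            new Claim("name", root.GetProperty("name").GetString(), ClaimValueTypes.String, issuer)
        };
        claims.AddRange(MapJsonKey(root, "role", "role", issuer));

        // nameType "name", roleType "role": the same effect as RoleClaimType = "role".
        // Without it the identity looks for the long ClaimTypes.Role URI and IsInRole never matches.
        var identity = new ClaimsIdentity(claims, "oidc", "name", "role");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        var principal = BuildPrincipal(Payload);
        foreach (var role in principal.FindAll("role"))
            Console.WriteLine($"role claim: {role.Value}");

        // Matches: the value is in the token as-is.
        Console.WriteLine($"IsInRole(\"Admin\") = {principal.IsInRole("Admin")}");
        // Does not match: only the internal Name is in the token, not the DisplayName.
        Console.WriteLine($"IsInRole(\"RoleTest\") = {principal.IsInRole("RoleTest")}");
        // Matches: authorization has to be keyed on the Name that actually arrives.
        Console.WriteLine($"IsInRole(\"8ac1fcbf73784e1c895e798dad4c83e6\") = {principal.IsInRole("8ac1fcbf73784e1c895e798dad4c83e6")}");
    }
}
```

Run it as a plain .NET console project (no ASP.NET Core packages are needed). The useful check for an SSO integration is the middle line: if the role values a relying party authorizes against are display names, every non-Admin role silently fails authorization, which matches what the posts describe.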
