In v7.0.0, you are unable to edit a user who is mapped to an organization unit that has roles associated with it. The edit page ends up showing the user as having those roles, but when you try to save, it fails with:

```
WARN 2019-09-13 17:21:05,791 [255 ] Mvc.ExceptionHandling.AbpExceptionFilter - User already in role 'IT Engineering'.
Abp.UI.UserFriendlyException: User already in role 'IT Engineering'.
   at Abp.IdentityFramework.IdentityResultExtensions.CheckErrors(IdentityResult identityResult, ILocalizationManager localizationManager) in D:\Github\aspnetboilerplate\src\Abp.ZeroCore\IdentityFramework\IdentityResultExtensions.cs:line 72
   at MotionCX.MotionCXAppServiceBase.CheckErrors(IdentityResult identityResult) in C:\mcx\MP.Server\aspnet-core\src\MotionCX.Application\MotionCXAppServiceBase.cs:line 62
```
That said, if you uncheck all roles and then save, it works fine. Then you can edit the user again, and the roles show up (due to the role being in the organization unit). This causes a lot of issues (obviously). Not sure if there is already a ticket open on this, but I tried to find one and wasn't able to locate it.
I am in the process of trying to add roles to the claims in the JWT in order to make ANZ usable as an SSO. I was able to do this by reading some of the issues in the identityserver4 repository and making a couple of lines of changes in the authorization section of the Startup folder. That said, no matter what I do, the only role claim that is readable is "Admin"; any other role that is added to the user comes up as something like this:

```json
{
  "sub": "5",
  "name": "testUser",
  "AspNet.Identity.SecurityStamp": "45FE42SK2IAH3TW7VBNQDAD6WCCNKQQF",
  "role": [
    "Admin",
    "8ac1fcbf73784e1c895e798dad4c83e6",
    "4d7d67d8393d49e69d2190dc060c04cc"
  ],
  "jti": "77c44272-7049-43ae-91df-1b8d73540db2",
  "iat": 1556466541,
  "token_validity_key": "5b92fb9d-d2b1-4093-8bd5-0885259b9486",
  "user_identifier": "5",
  "nbf": 1556466541,
  "exp": 1556552941,
  "iss": "MotionCX",
  "aud": "MotionCX"
}
```
The lines that I added were:

```csharp
using Microsoft.AspNetCore.Authentication.OAuth.Claims;
```

And then, in the OpenID Connect section, I added the following:

```csharp
// Map the "role" key of the id_token / userinfo JSON onto a "role" claim
options.ClaimActions.MapJsonKey("role", "role");
options.ClientId = configuration["Authentication:OpenId:ClientId"];
options.Authority = configuration["Authentication:OpenId:Authority"];
options.SignedOutRedirectUri = configuration["App:WebSiteRootAddress"] + "Account/Logout";
options.ResponseType = OpenIdConnectResponseType.IdToken;
options.SaveTokens = true;
options.GetClaimsFromUserInfoEndpoint = true;
// Same mapping via an explicit JsonKeyClaimAction(claimType, valueType, jsonKey);
// MapJsonKey above already registers an equivalent action, so this line is redundant
options.ClaimActions.Add(new JsonKeyClaimAction("role", "role", "role"));
options.TokenValidationParameters = new TokenValidationParameters()
{
    ValidateIssuer = bool.Parse(configuration["Authentication:OpenId:ValidateIssuer"]),
    // Tell the identity which claim type carries roles so IsInRole() / [Authorize(Roles = ...)] work
    RoleClaimType = "role"
};
```
This allowed it to show up (I also tried numerous other ideas that were in the identityserver4 GitHub issues, but nothing else made any change). I could be doing something silly here, and I will keep on working on it, but I figured I'd open a ticket just in case you already know the issue around it.