Hello, I'm using the latest version of Abp0 (.net core 2.0). I'm trying to figure out how to secure the web host project against a server running IdentityServer4. I see that the default authentication uses JWT bearer token, but I don't understand what to use for the SecurityKey value.
So I tried to use IdentityServerAuthentication by adding IdentityServer4 AccessTokenValidation.2.0.0-rc2, which is supposed to support dotnetcore 2.0, but that's not working either.
Does anyone have some advice or an example of how to authenticate the API (web host project) with a JWT given an existing API resource registered with an existing IdentityServer4 implementation?
2 Answer(s)
-
0
So I was finally able to make this work with a hack. I'll share what I did in case anyone else runs into trouble.
When accessing protected routes, AuthorizationHelper.AuthorizeAsync() is called:
```csharp
public async Task AuthorizeAsync(IEnumerable<IAbpAuthorizeAttribute> authorizeAttributes)
{
    if (!_authConfiguration.IsEnabled)
    {
        return;
    }

    if (!AbpSession.UserId.HasValue) //this was ALWAYS NULL for me
    {
        throw new AbpAuthorizationException(
            LocalizationManager.GetString(AbpConsts.LocalizationSourceName, "CurrentUserDidNotLoginToTheApplication")
        );
    }

    foreach (var authorizeAttribute in authorizeAttributes)
    {
        await PermissionChecker.AuthorizeAsync(authorizeAttribute.RequireAllPermissions, authorizeAttribute.Permissions);
    }
}
```
Digging deeper, I found that userIdClaim in ClaimsAbpSession was ALWAYS NULL as well:
```csharp
public class ClaimsAbpSession : AbpSessionBase, ISingletonDependency
{
    public override long? UserId
    {
        get
        {
            if (OverridedValue != null)
            {
                return OverridedValue.UserId;
            }

            //userIdClaim is always null because AbpClaimTypes.UserId == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
            var userIdClaim = PrincipalAccessor.Principal?.Claims.FirstOrDefault(c => c.Type == AbpClaimTypes.UserId);
            if (string.IsNullOrEmpty(userIdClaim?.Value))
            {
                return null;
            }

            long userId;
            if (!long.TryParse(userIdClaim.Value, out userId))
            {
                return null;
            }

            return userId;
        }
    }
}
```
The accessToken returned by IdentityServer4 has a "sub" claim with the UserId value in it, so I simply added
AbpClaimTypes.UserId = "sub";
to Evsuite.Admin.Web.Host.AuthConfigurer.Configure();
Now ClaimsAbpSession.UserId is set to the correct AbpUsers.Id.
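As an added illustration (not the poster's code), here is what an AuthConfigurer.Configure() for the web host can look like when it validates IdentityServer4 access tokens with the built-in JwtBearer handler and applies the "sub" mapping from the answer above. The configuration keys, authority URL and API resource name are placeholders to be replaced with the values registered in your IdentityServer4; the signing keys come from the issuer's discovery document, so no SecurityKey has to be configured by hand.

```csharp
// Added example, not code from the forum post or from ABP itself.
using System;
using Abp.Runtime.Session;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace Evsuite.Admin.Web.Host
{
    public static class AuthConfigurer
    {
        public static void Configure(IServiceCollection services, IConfiguration configuration)
        {
            // IdentityServer4 carries the user id in the "sub" claim, while ClaimsAbpSession
            // looks up AbpClaimTypes.UserId (ClaimTypes.NameIdentifier by default).
            // Point ABP at "sub" so AbpSession.UserId is populated from the access token.
            AbpClaimTypes.UserId = "sub";

            services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                .AddJwtBearer(options =>
                {
                    // Placeholder: base URL of the IdentityServer4 instance. The handler reads
                    // the discovery document and fetches the issuer's public signing keys from it.
                    options.Authority = configuration["IdentityServer:Authority"];

                    // Placeholder: the API resource name registered in IdentityServer4.
                    // Tokens issued for other resources fail the audience check.
                    options.Audience = configuration["IdentityServer:ApiName"];

                    // Only fetch discovery metadata over HTTPS; a plain-HTTP authority would let
                    // an on-path attacker substitute signing keys.
                    options.RequireHttpsMetadata = true;

                    // Fail closed on misconfiguration rather than silently accepting any token.
                    if (string.IsNullOrEmpty(options.Authority) || string.IsNullOrEmpty(options.Audience))
                    {
                        throw new InvalidOperationException("IdentityServer:Authority and IdentityServer:ApiName must be configured.");
                    }
                });
        }
    }
}
```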
-
0
Hi @evadmin,
Thank you very much for your feedback :)