
IdentityServer4 AccessTokenValidation #3969


evadmin created

Hello, I'm using the latest version of Abp0 (.net core 2.0). I'm trying to figure out how to secure the web host project against a server running IdentityServer4. I see that the default authentication uses a JWT bearer token, but I don't understand what to use for the SecurityKey value.

So I tried to use IdentityServerAuthentication by adding IdentityServer4 AccessTokenValidation.2.0.0-rc2, which is supposed to support dotnetcore 2.0, but that's not working either.

Does anyone have some advice or an example of how to authenticate the API (web host project) with a JWT, given an existing API resource registered with an existing IdentityServer4 implementation?


2 Answer(s)
  • evadmin created

    So I was finally able to make this work with a hack. I'll share what I did in case anyone else runs into trouble.

    When accessing protected routes, AuthorizationHelper.AuthorizeAsync() is called:

    public async Task AuthorizeAsync(IEnumerable<IAbpAuthorizeAttribute> authorizeAttributes)
    {
        if (!_authConfiguration.IsEnabled)
        {
            return;
        }

        if (!AbpSession.UserId.HasValue)  //this was ALWAYS NULL for me
        {
            throw new AbpAuthorizationException(
                LocalizationManager.GetString(AbpConsts.LocalizationSourceName, "CurrentUserDidNotLoginToTheApplication")
                );
        }

        foreach (var authorizeAttribute in authorizeAttributes)
        {
            await PermissionChecker.AuthorizeAsync(authorizeAttribute.RequireAllPermissions, authorizeAttribute.Permissions);
        }
    }


    Digging deeper, I found that userIdClaim in ClaimsAbpSession was ALWAYS NULL as well:

    public class ClaimsAbpSession : AbpSessionBase, ISingletonDependency
    {
        public override long? UserId
        {
            get
            {
                if (OverridedValue != null)
                {
                    return OverridedValue.UserId;
                }

                //userIdClaim is always null because AbpClaimTypes.UserId == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier";
                var userIdClaim = PrincipalAccessor.Principal?.Claims.FirstOrDefault(c => c.Type == AbpClaimTypes.UserId);
                if (string.IsNullOrEmpty(userIdClaim?.Value))
                {
                    return null;
                }

                long userId;
                if (!long.TryParse(userIdClaim.Value, out userId))
                {
                    return null;
                }

                return userId;
            }
        }
    }


    The access token returned by IdentityServer4 has a "sub" claim with the UserId value in it, so I simply added

    AbpClaimTypes.UserId = "sub";
    

    to Evsuite.Admin.Web.Host.AuthConfigurer.Configure();

    Now ClaimsAbpSession.UserId is set to the correct AbpUsers.Id.
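An added example (not code from the forum post or from the ABP or IdentityServer4 projects) of an AuthConfigurer.Configure that registers IdentityServer4.AccessTokenValidation and bridges the "sub" claim to the claim type ABP reads, without changing AbpClaimTypes.UserId globally. It assumes the configuration keys IdentityServer:Authority and IdentityServer:ApiName, and that the IdentityServer4 user id is the numeric AbpUsers.Id, as in the answer above.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Abp.Runtime.Security;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace Evsuite.Admin.Web.Host.Startup
{
    public static class AuthConfigurer
    {
        public static void Configure(IServiceCollection services, IConfiguration configuration)
        {
            services.AddAuthentication("Bearer")
                .AddIdentityServerAuthentication(options =>
                {
                    // Base URL of the IdentityServer4 instance (assumed config key, placeholder value).
                    // The handler reads the discovery document from it and validates the token's
                    // issuer and signature against the published signing keys.
                    options.Authority = configuration["IdentityServer:Authority"];

                    // Name of the API resource registered in IdentityServer4 (assumed config key).
                    // Tokens whose audience does not include this resource are rejected.
                    options.ApiName = configuration["IdentityServer:ApiName"];

                    // Refuse to fetch discovery/keys over plain HTTP.
                    options.RequireHttpsMetadata = true;

                    options.JwtBearerEvents = new JwtBearerEvents
                    {
                        // After the token is validated, copy "sub" into AbpClaimTypes.UserId so
                        // ClaimsAbpSession.UserId resolves. ABP parses the value with long.TryParse,
                        // so "sub" must carry the numeric AbpUsers.Id.
                        OnTokenValidated = context =>
                        {
                            var identity = context.Principal?.Identity as ClaimsIdentity;
                            var sub = identity?.FindFirst("sub")?.Value;
                            if (identity != null && sub != null && identity.FindFirst(AbpClaimTypes.UserId) == null)
                            {
                                identity.AddClaim(new Claim(AbpClaimTypes.UserId, sub));
                            }
                            return Task.CompletedTask;
                        }
                    };
                });
        }
    }
}
```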

  • ismcagdas created
    Support Team

    Hi @evadmin,

    Thank you very much for your feedback :)