Not sure if you have a place for feature requests but I think your commercial package would benefit from a built in GDPR/data privacy feature for scheduling old data to be deleted from the admin UI (both at the host level and at the tenant level.) This would nicely complement the audit feature as something most businesses need.
Import and consolidate the approx 250,000 users, from two different services (each has it's own server and database) into a new Tiered ABP solution.
Our existing systems contain tables for Users and Organisations. Not all users are assigned to an organisation.
We aim to create Tenants for each user (single database multi-tenant model) based on either their organistion or individual User account if they are not part of an organisation. We are expecting to force users to reconfirm their accounts and generate new passwords (i've seen the article on passwordless logins which might help here.)
Where are the methods to manage tenants, users, orgs?
Add tenants by code: Is it possible to create new tenants, users, organisations by code? If so can you please provide snippit of code that would create a new Tenant, Organisation, and Saas Users without triggering user welcome emails, and email validation etc. I want the validation to happen when they login, and not when we import. I know it's based on the ms identity/Signinmanager/IdS stuff but I've no idea how this all ties in with the Abp tenant/org/2fa code.
Delete old tenants (GDPR) Is there a proper way to delete tenants or do we have to hard code sql?
If you think this is the wrong approach and have a better idea then please let me know. We would consider SQL but the plan was for the Abp/Identity Server solution to run in a separate datacenter.
BTW. The identity docs are little more than headings and screenshots of the UI (you should just put this info into the UI itself!) Also are there .net API docs for your repositories, methods etc? I thought I saw some once but can't seem to find any now.
Sorry, but how does your (personal?) frustration or opinion helping me in this discussion again?
How does it harm you? Support gave you your answer. I wrote one short followup objecting to ABP becomming dependent on an expensive commercial product, which I'm sure it won't, and you're threatening to rethink your use of the platform! Grow up.
I'm ending here before we have a Godwins Law moment.
Its a bit rich to complain about my very brief opening sentence and then write a small blog post on why I'm wrong and should go write my own identity server.
If you're going to push ABP to add a dependency on a commercial product costing thousands a year then you can expect pushback from those that have to pay for their own costs.
This has taken me some time to get right so I'm putting the solution here. Use this for either generating the keys identity server keys for production or integrating an old ASP Framework MVC project with the ABP identity server. There are other ways to store the cert rather than a file but this will work for linux too.
There are blog posts on this but they are wrong and will waste hours of your time. In particular do not include the "-certfile dev.crt" to the second openssl line as instructed by one post as it will generate an incompatable production cert.
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout dev.key -out dev.crt -subj "/CN=dev.com" -days 3650
openssl pkcs12 -export -out dev.pfx -inkey dev.key -in shout.crt
For ABP Identity Server project.
public override void PreConfigureServices(ServiceConfigurationContext context)
{
var hostingEnvironment = context.Services.GetHostingEnvironment();
PreConfigure<AbpIdentityServerBuilderOptions>(options =>
{
options.AddDeveloperSigningCredential = false;
});
PreConfigure<IIdentityServerBuilder>(identityServerBuilder =>
{
X509Certificate2 x509;
// todo: passwords need to be moved to secrets storage or deployment system
if (hostingEnvironment.IsDevelopment())
{
x509 = new X509Certificate2(
File.ReadAllBytes(Path.Combine(hostingEnvironment.ContentRootPath, "dev.pfx")),
"cert-password");
}
else
{
x509 = new X509Certificate2(
File.ReadAllBytes(Path.Combine(hostingEnvironment.ContentRootPath, "production.pfx")),
"dontaddhere");
}
identityServerBuilder
.AddSigningCredential(x509)
.AddValidationKey(x509);
});
}
Legacy MVC Framework app. OwinConfig pipeline. For production put the password and possibly certificate somewhere outsite of the git repo.
var x509 = new X509Certificate2(File.ReadAllBytes(Path.Combine(HostingEnvironment.ApplicationPhysicalPath, "dev.pfx")), "cert-password");
var key = new X509SecurityKey(x509);
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
TokenValidationParameters = new TokenValidationParameters
{
ValidAudience = ConfigurationManager.AppSettings["JwtAudience"],
ValidIssuer = ConfigurationManager.AppSettings["JwtIssuer"],
IssuerSigningKey = key,
ValidateLifetime = true,
ValidateIssuerSigningKey = true
}
});
Only recently discovered this. Switching from free OS to multi-thousands per year is a real dick move IMO. I suspect they've created the new company simply to avoid possible legal action.
Is it not likely that V4 will simply get forked? For that matter could ABP not fork it and bundle with their own Admin UI since that's already part of the package? Seems like a golden opportunity if you could.
I've heard good things about Firebase Auth which is free or near free, or Azure AD B2C? Maybe some kind of adapter module?
Our ABP Angular tiered solution needs to integrate with an older .net framework MVC solution running separately.
This is the old Jwt code we use.
// from owinconfig.cs
public void ConfigureOpenAuth(IAppBuilder app)
{
//
app.UseJwtBearerAuthentication(
new JwtBearerAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
TokenValidationParameters = new TokenValidationParameters()
{
ValidAudience = ConfigurationManager.AppSettings["JwtAudience"],
ValidIssuer = ConfigurationManager.AppSettings["JwtIssuer"],
IssuerSigningKey = ConfigurationManager.AppSettings["JwtSecurityKey"].ToSymmetricSecurityKey(),
ValidateLifetime = true,
ValidateIssuerSigningKey = true
}
});
}
//from JwtExtensions.cs
public static class SecurityExtensions
public static SigningCredentials ToIdentitySigningCredentials(this string jwtSecret)
{
var symmetricKey = jwtSecret.ToSymmetricSecurityKey();
var signingCredentials = new SigningCredentials(symmetricKey, SecurityAlgorithms.HmacSha256);
return signingCredentials;
}
public static SymmetricSecurityKey ToSymmetricSecurityKey(this string jwtSecret)
{
return new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret));
}
}
edit: ive figured i need to generate a new rsa cert somehow as its using developer mode which isnt recommended for prod.
from what ive been reading the identityserver4 jwt packages are now incompatible with .net framework.
are you share some example code for processing the Jwt token on .net framework. (currently 4.6.x but can update if needed?). im not interested in the user table stuff, just getting the claims. is there anything in the old abpboilerplate code that might work?
I saw your comment about having different App Services for each endpoint which conserned me slightly as we were planning to have just two containing all of the hosts and load balance between them. I did a quick check and it does seem you can put multiple hosts into one App Service plan.
https://docs.microsoft.com/en-us/azure/app-service/overview-hosting-plans#should-i-put-an-app-in-a-new-plan-or-an-existing-plan
Not much info about on Identity Service or deploying to Azure.
@armanozak Thanks, I'll pass that along to the dev.
@alper
Regarding the suite updating issue above. I'm not entirelly sure what caused it but I can tell you that they were modules not applications. There were two modules, the first updated fine, the second just kept reporting success even though it hadn't done anything. Cli worked ok.
Regarding the Anglar proxy issue, our dev said "It doesn't change the 'apiName' in the generated services. Even though it uses this parameter to generate them". He said it was a minor issue though.