OMG thank-you Salih! These are highly relevant and useful answers; in this way I could authenticate against the identity system and still leverage all the roles-based-permissions systems that are integrated with the project.
Brilliant, thank-you again. I had temporarily solved by building partial handlers that return the JSON results of the service calls I needed but obviously that is brittle and does not scale well. Your references are definitely the correct answer.
Cheers!
You are saying to use [AllowAnonymous] on my aggregate root entities GetListAsync(GetEntityInput input) (and other aggregate entities) service calls because allowing the world to access the calls would be more secure than using an authenticated principal?
I do not understand.
So overriding AbpAuthorizationService results in a call to AuthorizeAsync for an 'actually authenticated' user after the razor page (which shows CurrentUser.IsAuthenticated == true, rightly so) asks for a service method where the principal and resource are blank (but the requirements contains the permission specified in the service classes [Authorize(policyName)] attribute so the request fails. So that breaks logged in users but works for the guest user.
If I don't override the AbpAuthorizationService then being a regular logged in user now works and I can auth my "guest" user for the page load and even though I've "signed in" subsequent calls via ajax still fails (presumably because I'm not authorizing with Identity.Application scheme, although I tried that, it did not seem to work.
My thought now is I will have to allow the API controller a way to authorize the request separately as noted above. But perhaps with an OpenID application defined in the Administration => Open ID => Applications settings area. Then I'll have to figure out how to grab a token via that system and pass it to the JS client to use in headers of all $.AJAX requests
I can get middleware and a new "GuestCookies" scheme to SignInAsync my principal so that they are authorized for my single request to my landing page and theoretically that means I could set a cookie on the landing page also and use another middleware to do the same for the HttpApiControllerModule as well. I guess I was thinking that once I authorized my user they could be authorized for my service calls and be logged into the whole system but my cookie and the IdentityCookies are not the same (different scheme).
Further complication comes from the fact that followup requests are via AJAX to the controller module which seems to be hooked up to the identity system.
I guess the thing to do is
And in this way I have custom principal for my scenario, have not polluted the identity store, utilized the existing permissions system, in the correct tenant, and can still consider the 'guest' a user for all other purposes such as AuditLogs etc.
Or I could create a single Guest user for each tenant and force sign him in on the landing page. Hahahahahasodfiiweifjaskldfjklas asfkldjfid
The guest user will not have an identity account. I want to 'fake' authorization at a landing page that only they will have the URL for. I looked at the AuthorizationService API it seems to only CHECK if the current principal is authorized, and does not seem to have any manual controls (unless I'm looking at the wrong one?)
namespace Volo.Abp.Authorization;
public interface IAbpAuthorizationService : IAuthorizationService, IServiceProviderAccessor
I have an app configured with roles based permissions as per the template, all works great for an actual logged in user. Now I want to have a page for anonymous users that uses certain services to get data and render to this "guest" user.
Obviously I want the app to be secure so I have devised a way that a unique URL slug is passed to the page and then verified as valid before rendering. I don't want to [AllowAnonymous] on my services obviously, but I do want this guest user with this un-guessable URL to access certain service methods after the initial page request.
I thought that I could create a Guest Role and assign the .Default permission group permissions to the role and use the identity system to mimic a logged in user in this case.
I cannot figure out how to keep utilizing the regular identity authentication system AND allow this scenario. I would even be okay with a cookie that is set on my initial request which is then used for further authorization or user authentication.
I have tried:
Am I going about this the wrong way? Is there a better way? How can I add a new authentication scheme to the existing project that will work alongside the regular authentication system and allow this user who makes their initial request at a specific URL an authenticated user with the system, but with my limited Guest Role?
I realize this is an advanced situation but I'm at my ropes end and am about to brute force the feature by asserting an actual user in the identity system with a Guest role but I'd rather not pollute the system and all the tenants with these needless users (note that I also may not have the guest users email address).
Any/all recommendations/insight is highly appreciated.
Yes! This was it. I configured options only in my .TestBase module (for tests) and my .WebHost module to run the module, and then in the .Web module of my downstream consuming projects. Also don't forget to [DependsOn] the storing module and the provider you are using.
Thank-you @maliming
Some additional intel: I spent some time to get the host project of my depended module to run so I could test whether the issue arise at the module level, or not. The depended module has Account Pro installed as well and does not exhibit the same issue and seems to be working as intended.
Let me know if I have implemented the re-usable module incorrectly or the consuming project incorrectly so that I can correct it. Thank-you
* An exception was thrown while activating Volo.Abp.Account.AccountController -> Volo.Abp.Account.AccountAppService -> Volo.Abp.BlobStoring.BlobContainer`1[[Volo.Abp.Account.AccountProfilePictureContainer, Volo.Abp.Account.Pro.Public.Application, Version=6.0.2.0, Culture=neutral, PublicKeyToken=null]] -> Volo.Abp.BlobStoring.BlobContainerFactory -> Volo.Abp.BlobStoring.DefaultBlobContainerConfigurationProvider. Autofac.Core.DependencyResolutionException: An exception was thrown while activating Volo.Abp.Account.AccountController -> Volo.Abp.Account.AccountAppService -> Volo.Abp.BlobStoring.BlobContainer`1[[Volo.Abp.Account.AccountProfilePictureContainer, Volo.Abp.Account.Pro.Public.Application, Version=6.0.2.0, Culture=neutral, PublicKeyToken=null]] -> Volo.Abp.BlobStoring.BlobContainerFactory -> Volo.Abp.BlobStoring.DefaultBlobContainerConfigurationProvider.
\-\-\-\> Autofac\.Core\.DependencyResolutionException: An exception was thrown while invoking the constructor 'Void \.ctor\(Microsoft\.Extensions\.Options\.IOptions`1[Volo.Abp.BlobStoring.AbpBlobStoringOptions])' on type 'DefaultBlobContainerConfigurationProvider'. ---> System.ArgumentException: value can not be null, empty or white space! (Parameter 'value') at Volo.Abp.Check.NotNullOrWhiteSpace(String value, String parameterName, Int32 maxLength, Int32 minLength) at Volo.Abp.BlobStoring.Minio.MinioBlobProviderConfiguration.set_EndPoint(String value) at ten3.Utilz.UtilzApplicationModule.<>c__DisplayClass0_0.<ConfigureServices>b__3(MinioBlobProviderConfiguration minio) at Volo.Abp.BlobStoring.Minio.MinioBlobContainerConfigurationExtensions.UseMinio(BlobContainerConfiguration containerConfiguration, Action`1 minioConfigureAction)
at ten3.Utilz.UtilzApplicationModule.<>c\_\_DisplayClass0\_0.b\_\_2(BlobContainerConfiguration container)
at Volo.Abp.BlobStoring.BlobContainerConfigurations.Configure(String name, Action`1 configureAction) at ten3.Utilz.UtilzApplicationModule.<>c__DisplayClass0_0.<ConfigureServices>b__1(AbpBlobStoringOptions options) at Microsoft.Extensions.Options.OptionsFactory`1.Create(String name)
at Microsoft.Extensions.Options.UnnamedOptionsManager`1.get_Value() at lambda_method457(Closure , Object[] ) at Autofac.Core.Activators.Reflection.BoundConstructor.Instantiate() --- End of inner exception stack trace --- at Autofac.Core.Activators.Reflection.BoundConstructor.Instantiate() at Autofac.Core.Activators.Reflection.ReflectionActivator.<>c__DisplayClass12_0.<UseSingleConstructorActivation>b__0(ResolveRequestContext ctxt, Action`1 next)
at Autofac.Core.Resolving.Middleware.DisposalTrackingMiddleware.Execute(ResolveRequestContext context, Action`1 next) at Autofac.Builder.RegistrationBuilder`3.<>c\_\_DisplayClass41\_0.b\_\_0(ResolveRequestContext ctxt, Action`1 next) at Autofac.Core.Resolving.Middleware.ActivatorErrorHandlingMiddleware.Execute(ResolveRequestContext context, Action`1 next)
\-\-\- End of inner exception stack trace \-\-\-
at Autofac.Core.Resolving.Middleware.ActivatorErrorHandlingMiddleware.Execute(ResolveRequestContext context, Action`1 next) at Autofac.Core.Resolving.Middleware.SharingMiddleware.Execute(ResolveRequestContext context, Action`1 next)
at Autofac.Core.Resolving.Middleware.CircularDependencyDetectorMiddleware.Execute(ResolveRequestContext context, Action`1 next) at Autofac.Core.Resolving.ResolveOperation.GetOrCreateInstance(ISharingLifetimeScope currentOperationScope, ResolveRequest request) at Autofac.Core.Resolving.ResolveOperation.ExecuteOperation(ResolveRequest request) at Autofac.ResolutionExtensions.TryResolveService(IComponentContext context, Service service, IEnumerable`1 parameters, Object& instance)
at Autofac.ResolutionExtensions.ResolveService(IComponentContext context, Service service, IEnumerable\`1 parameters)
at Microsoft.AspNetCore.Mvc.Controllers.ServiceBasedControllerActivator.Create(ControllerContext actionContext)
at Microsoft\.AspNetCore\.Mvc\.Controllers\.ControllerFactoryProvider\.<\>c\_\_DisplayClass6\_0\.g\_\_CreateController\|0\(ControllerContext controllerContext\)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
\-\-\- End of stack trace from previous location \-\-\-
at Microsoft\.AspNetCore\.Mvc\.Infrastructure\.ResourceInvoker\.g\_\_Awaited\|26\_0\(ResourceInvoker invoker\, Task lastTask\, State next\, Scope scope\, Object state\, Boolean isCompleted\)
I configure my web project and my module with
[DependsOn(typeof(AbpBlobStoringMinioModule))]
[DependsOn(typeof(AbpBlobStoringModule))]
and in module ConfigureServices() (web project and in the depended module)
Configure<AbpBlobStoringOptions>(options =>
{
options.Containers.Configure<AttachmentsContainer>(container =>
{
container.UseMinio(minio =>
{
minio.EndPoint = configuration[Constants.SettingsKeys.BlobStorage.Endpoint];
minio.AccessKey = configuration[Constants.SettingsKeys.BlobStorage.AccessKey];
minio.SecretKey = configuration[Constants.SettingsKeys.BlobStorage.SecretKey];
minio.BucketName = configuration[Constants.SettingsKeys.BlobStorage.BucketName];
minio.WithSSL = true;
minio.CreateBucketIfNotExists = true;
});
});
});
So I do not touch the defaultContainer setup at all but somehow have destroyed the configuration of the **Volo.Abp.Account.AccountProfilePictureContainer ** in the depended module Volo.Abp.Account.Pro.Public.Application
I have followed the directions from the documentation found at https://docs.abp.io/en/abp/6.0/Blob-Storing specifically using a typed container as per the guidance because I am making a reusable module.
It is a good practice to always use a typed container while developing re-usable modules, so the final application can configure the provider for your container without effecting the other containers.
I am expecting to not have to re-configure any BlobStoring containers, but if I must, how can I re-use the default configuration of the Account PRO Module? And will that fix my issue?
In addition to the configuration options from my initial post, it was necessary to add the following also:
context.Services.Configure<AbpAccountOptions>(options =>
{
//For impersonation in Saas module
options.TenantAdminUserName = "admin";
options.ImpersonationTenantPermission = SaasHostPermissions.Tenants.Impersonation;
//For impersonation in Identity module
options.ImpersonationUserPermission = IdentityPermissions.Users.Impersonation;
});
Your documentation should be changed to highlight the fact that the 5.0+ templates SUPPORT impersonation but that you must ENABLE it using the instructions in the document based on your template type. I was confused about it being "enabled" already as per the docs.