Until now, we were setting a random password for the user for external/social logins. In this way, the user cannot know the password and cannot log in to the application via password. She always needs to log in via the external/social login provider, e.g. Facebook.
However, we found it unnecessary. With v3.1, the account module will not set the password, so IdentityUser.PasswordHash in the database will remain null for these users. The result is the same.
While old user data will work as before, you can manually (via SQL) update PasswordHash to null for users who log in to the application externally. Be careful! You may accidentally delete all passwords of your users. It is your responsibility. If you don't take any action, no problem.
We are introducing a different kind of external login, defined here: https://github.com/abpframework/abp/issues/4977
This adds another change to the user entity. It adds IsExternal to the IdentityUser entity. It is set to true for this new kind of external login provider, not for social or OpenID Connect logins.
You need to add a database migration for existing EF Core based projects.
Currently, when a user logs in via Facebook, she is assumed to always log in via Facebook in the future. But the user may want to set a password and log in to the application directly via username (or email) and password.
The previous problem was that the password was random and the user didn't know it (as explained before), so she couldn't change it. When we set the password to null in the database for social logins, we can now know that the user has not set it before, and we can allow the user, one time, to set the password without entering the current password.
In this way, the user will be able to log in via both user&pass and Facebook.
I created an issue for that: https://github.com/abpframework/abp/issues/4982
For "The New External Login Provider System" (explained above), we won't allow the user to set a password, because we always want to check the username & password against the external source (like LDAP). In this way, when the user changes the password on the provider side, it will directly be available in our application. This new external login provider system is for secure applications and it doesn't use OAuth; it directly gets the password from the user. See #4977 for more.
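The password rules described in the post above, sketched with ASP.NET Core Identity's `UserManager` as an added example (not part of the original post and not ABP's own code). `AppUser`, `PasswordSetupService` and the error codes are hypothetical names; `IsExternal` mirrors the property the post says is added to the user entity.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical user type for this example; only PasswordHash (inherited)
// and IsExternal matter here. ABP's own IdentityUser is not reproduced.
public class AppUser : IdentityUser
{
    public bool IsExternal { get; set; }
}

public class PasswordSetupService
{
    private readonly UserManager<AppUser> _users;
    public PasswordSetupService(UserManager<AppUser> users) => _users = users;

    public async Task<IdentityResult> SetOrChangePasswordAsync(
        AppUser user, string currentPassword, string newPassword)
    {
        // New external provider (e.g. LDAP): credentials are always checked
        // at the source, so a local password must never be created.
        if (user.IsExternal)
            return Fail("ExternalUserPasswordNotAllowed", "Password is managed by the external provider.");

        // PasswordHash == null: a social login user who never set a password.
        // AddPasswordAsync itself fails when a hash already exists, so this
        // path cannot overwrite an existing password without knowing it.
        if (!await _users.HasPasswordAsync(user))
            return await _users.AddPasswordAsync(user, newPassword);

        // A password exists: the current one is required and verified.
        if (string.IsNullOrEmpty(currentPassword))
            return Fail("CurrentPasswordRequired", "Current password is required.");
        return await _users.ChangePasswordAsync(user, currentPassword, newPassword);
    }

    // Error codes below are constructed for this example.
    private static IdentityResult Fail(string code, string description) =>
        IdentityResult.Failed(new IdentityError { Code = code, Description = description });
}
```

Old rows that still carry a random hash take the third branch, which is why they keep behaving as before until `PasswordHash` is set to null.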
@hikalkan thanks.
As far as I know, the Angular app uses OAuth to sign in:
```typescript
login(username: string, password: string): Observable<any> {
  const tenant = this.store.selectSnapshot(SessionState.getTenant);

  return from(this.oAuthService.loadDiscoveryDocument()).pipe(
    switchMap(() =>
      from(
        this.oAuthService.fetchTokenUsingPasswordFlow(
          username,
          password,
          new HttpHeaders({ ...(tenant && tenant.id && { __tenant: tenant.id }) }),
        ),
      ),
    ),
    switchMap(() => this.store.dispatch(new GetAppConfiguration())),
    tap(() => {
      const redirectUrl =
        snq(() => window.history.state.redirectUrl) || (this.options || {}).redirectUrl || '/';
      this.store.dispatch(new Navigate([redirectUrl]));
    }),
    take(1),
  );
}
```
So, will Angular support the External Login Provider System?
Good point. We should also change https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AspNetIdentity/AbpResourceOwnerPasswordValidator.cs
I've created an issue: https://github.com/abpframework/abp/issues/4985 I will try to include this in v3.1.
Is this issue also applicable to local Active Directory and/or Azure Active Directory?
Yes, you can use this system to check user & pass from a local AD. Actually, we will implement it for ABP Commercial 😄