External Login / Password Changes #4981

Closed
hikalkan opened this issue Aug 6, 2020 · 4 comments

Comments

@hikalkan
Member

hikalkan commented Aug 6, 2020

IdentityUser.PasswordHash Change

Until now, we were setting a random password for the User for external/social logins. In this way, the user cannot know the password and cannot log in to the application via password. She always needs to log in via the external/social login provider, e.g. Facebook.

However, we found it unnecessary. With v3.1, the account module will not set the password, so IdentityUser.PasswordHash in the database will remain null for these users. The result is the same.

While old user data will work as before, you can manually (via SQL) update PasswordHash to null for users who log in to the application externally. Be careful! You may accidentally delete all passwords of your users. It is your responsibility. If you don't take any action, no problem.

The New External Login Provider System

We are introducing a different kind of external login, defined here: #4977

This is adding another change to the user entity. It adds IsExternal to the IdentityUser entity. It is set to true for this new kind of external login provider, not for social or OpenID Connect logins.

You need to add a database migration for existing EF Core based projects.

Set password for users with social login

Currently, when a user logs in via Facebook, she is assumed to always log in via Facebook in the future. But the user may want to set a password and directly log in to the application via user name (or email) and password.
The previous problem was that the password was random and the user didn't know it (as explained before), so she couldn't change it. When we set the password to null in the database for social logins, we can now know that the user has not set it before, and we can allow the user, one time, to set the password without entering the current password.
In this way, the user will be able to log in via user & pass and Facebook together.

I created an issue for that: #4982

For the "The New External Login Provider System" (explained above), we won't allow the user to set a password, because we always want to check username & password from the external source (like LDAP). In this way, when the user changes the password on the provider side, it will directly be available in our application. This new ext login provider system is for secure applications and it doesn't use OAuth - it directly gets the password from the user. See #4977 for more.
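The manual PasswordHash cleanup above is where the "Be careful!" applies: a blanket UPDATE wipes every password. The following is an added example, not ABP project code, showing how to scope that cleanup to accounts that actually have an external login record; it assumes SQL Server, ABP's default EF Core table names (AbpUsers, AbpUserLogins), and that the v3.1 migration adding IsExternal has already been applied.

```sql
-- Added example (not from the ABP project). Assumes SQL Server syntax and the
-- default ABP identity tables AbpUsers / AbpUserLogins; IsExternal exists only
-- after the v3.1 migration mentioned in the issue.
BEGIN TRANSACTION;

-- 1. Dry run: list the accounts that would be affected and review them first.
--    A user who registered with a real password and later linked a social
--    account shows up here too; that is the case the warning refers to.
SELECT u.Id, u.UserName, u.Email, l.LoginProvider
FROM AbpUsers AS u
JOIN AbpUserLogins AS l ON l.UserId = u.Id
WHERE u.PasswordHash IS NOT NULL
  AND u.IsExternal = 0;   -- new-style (e.g. LDAP) users never get a local password anyway

-- 2. Clear only those rows; the EXISTS keeps the UPDATE tied to the same predicate
--    as the dry run, so it can never touch a user without an external login.
UPDATE u
SET u.PasswordHash = NULL
FROM AbpUsers AS u
WHERE u.PasswordHash IS NOT NULL
  AND u.IsExternal = 0
  AND EXISTS (SELECT 1 FROM AbpUserLogins AS l WHERE l.UserId = u.Id);

-- 3. @@ROWCOUNT reflects the UPDATE; compare it with the dry-run count.
SELECT @@ROWCOUNT AS ClearedPasswords;

-- Left as ROLLBACK on purpose: change to COMMIT only after the counts match
-- and the reviewed list contains no account that still needs its password.
ROLLBACK TRANSACTION;
```

Users cleared this way will be offered the one-time "set a password without the current one" flow described above, so review the dry-run list as a list of people who will gain that option.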

@yinchang0626
Contributor

@hikalkan thanks.
As far as I know, in the Angular app, it uses OAuth to sign in:

```typescript
login(username: string, password: string): Observable<any> {
  const tenant = this.store.selectSnapshot(SessionState.getTenant);

  return from(this.oAuthService.loadDiscoveryDocument()).pipe(
    switchMap(() =>
      from(
        this.oAuthService.fetchTokenUsingPasswordFlow(
          username,
          password,
          new HttpHeaders({ ...(tenant && tenant.id && { __tenant: tenant.id }) }),
        ),
      ),
    ),
    switchMap(() => this.store.dispatch(new GetAppConfiguration())),
    tap(() => {
      const redirectUrl =
        snq(() => window.history.state.redirectUrl) || (this.options || {}).redirectUrl || '/';
      this.store.dispatch(new Navigate([redirectUrl]));
    }),
    take(1),
  );
}
```

So, will Angular support the External Login Provider System?

@hikalkan
Member Author

hikalkan commented Aug 7, 2020

Good point. We should also change https://github.com/abpframework/abp/blob/dev/modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/AspNetIdentity/AbpResourceOwnerPasswordValidator.cs

I've created an issue: #4985. I will try to include this in v3.1.

@leonkosak
Contributor

Is this issue also applicable to local Active Directory and/or Azure Active Directory?

@hikalkan
Member Author

hikalkan commented Aug 8, 2020

> Is this issue also applicable to local Active Directory and/or Azure Active Directory?

Yes, you can use this system to check user & pass from a local AD. Actually, we will implement it for ABP Commercial 😄
