Tags: asp.net-core, windows-authentication, aspnetboilerplate

Integrated Windows Authentication in ABP framework


I'm attempting to use ABP with Windows Authentication rather than Table-based authentication.

The plan is to have the framework:

  1. Detect that the website is in a Windows security context and bypass the login page.
  2. Then associate Windows Identity/Roles and use those to map the Roles/Permissions defined in the database.

I did not see anything in the documentation regarding this Windows-integrated approach.

If anyone has done this previously, I appreciate any tips.

I think my best bet would be to use Policy-based authorization. So where the controllers currently use ABP auth attributes, I'll revert back to the normal ASP.NET ones.

e.g. [Authorize(Policy = "MyAppAdmin")]


Solution

  • In the spirit of sharing, here is how I managed to circumvent the use of the login screen for a Windows-authenticated context.

    1. Make the login panel hidden and set some dummy data on the username/password controls (the dummy data is not actually used).
    2. In the JS file, run the login action immediately (no user interaction):

      abp.ajax({
          contentType: 'application/x-www-form-urlencoded',
          url: $loginForm.attr('action'),
          data: $loginForm.serialize()
      });
      
    3. In the AccountController:

      // Requires: using System.Linq; using System.Security.Principal;
      // GetCurrent() returns the identity of the current thread: the request's Windows user
      // only when IIS impersonation is on, otherwise the worker-process account
      // (in ASP.NET Core, HttpContext.User.Identity carries the request's identity instead).
      var windowsIdentity = WindowsIdentity.GetCurrent();
      loginModel.UsernameOrEmailAddress = windowsIdentity.Name;
      
      // Gate the login on a claim the Windows identity must carry ("myclaim" is a placeholder).
      var count = (from x in windowsIdentity.Claims where x.Value == "myclaim" select x).Count();
      
      if (count == 0)
      {
          // Reuse ABP's standard failed-login exception so the UI shows its usual message.
          throw _abpLoginResultTypeHelper.CreateExceptionForFailedLoginAttempt(AbpLoginResultType.InvalidUserNameOrEmailAddress, loginModel.UsernameOrEmailAddress, null);
      }
      
    4. Create an ExternalAuthSource as described in the answer above. We will always return true because the real authentication is already done.
      public override Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant)
      {
          return Task.FromResult(true);
      }
      
      It has the added advantage that the authenticated user is created by the ABP Framework automatically. The role the new user is assigned depends on which role is the default; see the AbpUserRoles table.

    Hopefully this helps somebody trying to use the framework in a Windows-Authenticated context.
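As an added example (not code from the answer above or from the ABP project), here is a stricter version of step 4: instead of unconditionally returning true, the external source checks that the Windows identity attached to the current request is authenticated, matches the user name posted to the login form, and carries the required claim, so a forged POST with another account name is rejected. It assumes the ABP template's `Tenant` and `User` types, that `IHttpContextAccessor` is registered, and the `"myclaim"` placeholder from the answer; `WindowsExternalAuthSource` and `SourceName` are names chosen for this example.

```csharp
using System;
using System.Linq;
using System.Security.Principal;
using System.Threading.Tasks;
using Abp.Authorization.Users;
using Microsoft.AspNetCore.Http;

// Hypothetical class name; Tenant and User are the ABP template's entity types.
public class WindowsExternalAuthSource : DefaultExternalAuthenticationSource<Tenant, User>
{
    public const string SourceName = "Windows";          // assumed source name
    private const string RequiredClaimValue = "myclaim"; // placeholder from the answer

    private readonly IHttpContextAccessor _httpContextAccessor;

    public WindowsExternalAuthSource(IHttpContextAccessor httpContextAccessor)
    {
        _httpContextAccessor = httpContextAccessor;
    }

    public override string Name => SourceName;

    public override Task<bool> TryAuthenticateAsync(string userNameOrEmailAddress, string plainPassword, Tenant tenant)
    {
        // Take the identity IIS/Negotiate attached to this request. WindowsIdentity.GetCurrent()
        // would be the worker-process account unless impersonation is enabled.
        var identity = _httpContextAccessor.HttpContext?.User?.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            return Task.FromResult(false);
        }

        // The posted name must be the account that actually authenticated; otherwise the
        // hidden login form could be replayed with any user name and be accepted.
        var sameAccount = string.Equals(identity.Name, userNameOrEmailAddress, StringComparison.OrdinalIgnoreCase);

        // Same gate as the answer's controller check: require the claim/group on the identity.
        var hasRequiredClaim = identity.Claims.Any(c => c.Value == RequiredClaimValue);

        // plainPassword is the dummy value from the hidden form and is deliberately ignored.
        return Task.FromResult(sameAccount && hasRequiredClaim);
    }
}
```

Register it in the module's PreInitialize with `Configuration.Modules.Zero().UserManagement.ExternalAuthenticationSources.Add<WindowsExternalAuthSource>();` so ABP consults it before the password check and auto-creates the user on first login.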