Activities of "mkinc"

I've had some success. I've been able to write a PasswordlessExtensionGrant : ITokenExtensionGrant that takes email and token request params, verifies the token against the user and calls:

        var principal = await _signInManager.CreateUserPrincipalAsync(user);
        return new SignInResult(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme, principal);

This actually returns an access token when I call from the front end:

    let result = await this.authService.loginUsingGrant('passwordless-auth2', {token: token, email: email},);

    {
        "access_token": "...",
        "token_type": "Bearer",
        "expires_in": 299
    }

The problem I'm left with is how do I use the access_token in the response to actually log the user in to the Angular app? When using a password login, it saves the access_token in the local storage (perhaps amongst other things). I haven't been able to see where in the ABP code it does that, to be able to mimic something similar.

My second concern is that I don't have a refresh_token, so it won't be able to periodically gain new access_tokens.

Thanks. Let me try and get back to you. Please leave this thread open til at least next weekend.

  • ABP Framework version: v7.3.3
  • UI Type: Angular
  • Database System: EF Core (SQL Server)
  • Tiered (for MVC) or Auth Server Separated (for Angular): Auth Server Separated

I am trying to implement a system where the user is sent an OTP to their email address that they can use to log in without needing their password. This article doesn't quite follow our use case. Our solution has:

  • Main ABP Backend (not relevant)
  • Main ABP Front end (not relevant)
  • Custom public site back end (not relevant)
  • Custom public site front end
  • Standard ABP Separated Auth Server (this serves both the main ABP front end and the custom public site front end)

This is what I've done so far, based on the article mentioned above:

  1. Followed steps 1-3
  2. Implemented my own endpoint that sends an OTP to the user's email address as an alternative login flow, taking inspiration from step 4, and manually creating an Angular proxy to call this endpoint.
  3. Added a page which the email has a link to that calls another endpoint that's from step 7, passing in the token and email address to attempt login.

It all works up until my stage 3, including validating the OTP token and updating the user's security stamp, but the SignInManager.SignInAsync(user, isPersistent: false) call doesn't log the user into our public site (where this endpoint is being called from) according to angular AuthService.IsAuthenticated. I've also tried using other authenticationMethods, such as OidcConstants.AuthenticationMethods.OneTimePassword, but without success.

What the SignInAsync method does do is provide a Set-Cookie for .AspNetCore.Identity.Application.

Any tips on how to progress? Cheers.

My AppService (which is wrapped in a Controller with HttpPost and Route("login") attributes):

using System;
using System.Threading.Tasks;
using IdentityModel;
using MyCompany.MyProject.Email;
using Microsoft.AspNetCore.Authorization;
using OpenIddict.Abstractions;
using Volo.Abp.Application.Services;
using Volo.Abp.Domain.Entities;
using Volo.Abp.Identity;
using Volo.Abp.Identity.AspNetCore;

namespace MyCompany.MyProject.PasswordlessLogin;

public class PasswordlessLoginAppService : ApplicationService, IPasswordlessLoginAppService
{
    private readonly IMyProjectAuthServerEmailManager _emailManager;
    private readonly IdentityUserManager _userManager;
    private readonly AbpSignInManager _signInManager;

    public PasswordlessLoginAppService(IMyProjectAuthServerEmailManager emailManager,
        IdentityUserManager userManager, AbpSignInManager signInManager)
    {
        _emailManager = emailManager;
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // [AllowAnonymous]
    public async Task SendOtpEmail(SendOtpEmailInputDto input)
    {
        var user = await _userManager.FindByEmailAsync(input.Email);
        if (user is null)
        {
            throw new EntityNotFoundException(typeof(IdentityUser));
        }

        var token = await _userManager.GenerateUserTokenAsync(user, tokenProvider: "PasswordlessLoginProvider",
            purpose: "passwordless-auth");
        await _emailManager.SendOtpEmailAsync(new SendOtpEmailInput()
        {
            Email = user.Email,
            Token = token,
        });
    }

    public async Task Login(PasswordlessLoginInputDto input)
    {
        var user = await _userManager.FindByEmailAsync(input.Email);
        if (user is null)
        {
            throw new EntityNotFoundException(typeof(IdentityUser));
        }
        var isValid = await _userManager.VerifyUserTokenAsync(user, "PasswordlessLoginProvider", "passwordless-auth", input.Token);
        if (!isValid)
        {
            throw new UnauthorizedAccessException("The token " + input.Token + " is not valid for the user " + input.Email);
        }

        await _userManager.UpdateSecurityStampAsync(user);

        await _signInManager.SignInAsync(user, isPersistent: false, authenticationMethod: OidcConstants.AuthenticationMethods.OneTimePassword);
    }
}
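
A hardened variant of the token check used by the Login method above (and by the extension grant described in the first post), as an added example that is not part of the original posts or ABP's own code. The posted version answers differently for an unknown e-mail and an invalid token and echoes the token in the exception message; this one returns a single outcome for every failure and counts bad guesses. `PasswordlessTokenVerifier` is a hypothetical name, and lockout is assumed to be enabled in the Identity options.

```csharp
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Identity;

namespace MyCompany.MyProject.PasswordlessLogin;

// Hypothetical helper (not part of ABP): the one place that decides whether
// an emailed login token is accepted. Every failure returns null, so the
// caller can respond with a single generic error that names neither the
// e-mail address nor the token.
public class PasswordlessTokenVerifier : ITransientDependency
{
    // Provider and purpose strings as used in the post's SendOtpEmail/Login.
    private const string Provider = "PasswordlessLoginProvider";
    private const string Purpose = "passwordless-auth";

    private readonly IdentityUserManager _userManager;

    public PasswordlessTokenVerifier(IdentityUserManager userManager)
    {
        _userManager = userManager;
    }

    public async Task<IdentityUser?> VerifyAsync(string email, string token)
    {
        var user = await _userManager.FindByEmailAsync(email);
        if (user is null || await _userManager.IsLockedOutAsync(user))
        {
            // Unknown and locked-out accounts look the same to the caller.
            return null;
        }

        if (!await _userManager.VerifyUserTokenAsync(user, Provider, Purpose, token))
        {
            // Count the bad guess; Identity locks the account once the
            // configured failure limit is reached (assumes lockout is enabled).
            await _userManager.AccessFailedAsync(user);
            return null;
        }

        await _userManager.ResetAccessFailedCountAsync(user);
        // Rotate the security stamp after a successful check, as the post's
        // Login method does, so a stamp-derived token cannot be replayed.
        await _userManager.UpdateSecurityStampAsync(user);
        return user;
    }
}
```

The same reasoning applies to the send endpoint: returning normally when the e-mail is unknown, rather than throwing `EntityNotFoundException`, keeps it from confirming which addresses have accounts.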

OK thanks. Do you know which version this will be fixed in?

On three occasions I've experienced cases where on submission of a new ABP support question I get an error on the ABP support website. I'm sorry that I don't have a print screen or anything. I think the behaviour occurs once I raise a question, then immediately after submission click the 'Add question' or something button and raise another question rather than starting from scratch and using the top level question button. If you're unable to replicate let me know and please allow me to create a few dummy questions to see if I can diagnose the problem as it's incredibly frustrating since you lose the question that you composed! Thanks.

Allow form prop extensions for dynamic properties to actually be dynamic on create forms

Is there an existing issue for this?

  • [X] I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

As a developer, I want to be able to use the record field in PropPredicate and PropCallback properties on Create forms, so that I can dynamically set, for example, the disabled property based on the value of other properties that are currently set in the create form.

Describe the solution you'd like

The syntax would remain identical to how it is now, only that it would actually work. It should be such that the documentation can be changed to say that the record field (and others?) are available on create forms (e.g. create user). https://docs.abp.io/en/abp/latest/UI/Angular/Dynamic-Form-Extensions

For example, a new extra property that I add to the form can be disabled or enabled based on whether the user has checked IsActive or not.

https://github.com/abpframework/abp/issues/17374

  • ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
  • UI Type: Angular
  • Database System: Unknown
  • Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
  • Steps to reproduce the issue:
    • Log in as admin
    • Create a new user 'test1'
    • Logout
    • Login as test1
    • Set up 2FA authenticator app and enable 2FA
    • Logout
    • Login as test1 and confirm 2FA works as expected (without checking remember browser)
    • Logout
    • Login as admin
    • Edit test1 user to enable 'Should change password on next login'
    • Logout
    • In login page, enter credentials for test1 user
  • Expected behaviour: Before asking for a new password, 2FA should be completed.
  • Actual behaviour:
    • I am asked for current password, new password, new password (repeat) and after submitting that I can login without any 2FA.
    • In order to confirm 2FA is still forced, logout, login again and you will correctly be asked for 2FA
  • This is a critical security bug where 2FA can be bypassed even if the 2FA is forced.

Please let us know when this will be fixed + refund the question. Cheers.

Bug raised here https://support.abp.io/QA/Questions/5126/Bug---Should-change-password-on-next-login-should-enforce-password-to-be-different should have been fixed in 'the preview version for 7.3' but the issue is replicable both in v7.3.2 and the ABP commercial v7.4.0 as of 14/8/23.

  • ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
  • UI Type: Angular
  • Database System: Unknown
  • Tiered (for MVC) or Auth Server Separated (for Angular): Unknown

Please let us know when this will be fixed + refund the question. Cheers.

  • ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
  • UI Type: Angular
  • Database System: Unknown
  • Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
  • Background issue: https://support.abp.io/QA/Questions/5132/Bugs---Various-issues-with-user-filtering
    • In this question some bugs were identified and should have been fixed. Most have been fixed, except this one (https://support.abp.io/QA/Questions/5582/Bug-Filtering-users-by-Modification-date-does-not-work). But also it now highlights the below issue.
  • Steps to reproduce the issue:
    • Login as admin
    • Go to Administration -> Identity Management -> Users (observe ALL users shown)
    • Open the Advanced Filters expandable.
    • Select the 'Role' as 'admin'
    • Check 'Email confirmed'
    • Click 'Refresh' (observe only admins with emails confirmed are displayed)
    • Uncheck 'Email confirmed'
    • Click 'Refresh' (observe only admins with emails NOT confirmed are displayed)
  • Expected behaviour
      1. The state of filtering is completely encompassed in the filter options that are shown.
      2. There is a way to no longer filter 'Email confirmed', while keeping the 'Role' filter.
  • Actual behaviour
      1. The UI looks the same when filtering by NOT 'Email confirmed' as it does when not filtering by 'Email confirmed'. The UI does not uniquely identify the filtering that is to be applied which is very confusing as a user.
      2. There is no way to set the 'Email confirmed' filtering to be off without losing all other filters.
  • Other issues:
    • The same is replicable for all checkbox filters.
    • Thought needs to go into whether there are other cases of this in ABP tables.
  • Proposed solution: The checkbox is replaced with a dropdown that has three options: '' (the no filtering option which is already present with Roles and other fields), 'True', 'False'.

Please let us know when this will be fixed + refund the question. Cheers.

  • ABP Framework version: Replicable on ABP commercial demo on 14/8/23: ABP v7.4.0. Updated on 2023-08-02 12:30 . Angular Version v16.0.6
  • UI Type: Angular
  • Database System: Unknown
  • Tiered (for MVC) or Auth Server Separated (for Angular): Unknown
  • Background issue: https://support.abp.io/QA/Questions/5132/Bugs---Various-issues-with-user-filtering
    • In this question some bugs were identified and should have been fixed. Most have been fixed, but one has not been fixed.
  • Steps to reproduce the issue:
    • Login as admin
    • Go to Administration -> Identity Management -> Users
    • Open the Advanced Filters expandable.
    • Set the modified date to a single date, or a range of dates, for which you know there are no modifications (e.g. a date in the future).
  • Expected behaviour: No users are shown.
  • Actual behaviour: All users are shown.
  • Note the filtering does work for creation date, but not for modification date.

Please let us know when this will be fixed + refund the question. Cheers.
