Account

The Account Module implements essential authentication and identity management features, including:

  • Login and Logout functionality
  • User Registration
  • Forgot Password and Password Reset
  • Email Confirmation
  • Two-Factor Authentication (2FA) setup, confirmation, and management
  • User Lockout for security enforcement
  • Tenant Switching in multi-tenant applications

Key Features

  • Customizable authorization flows for OAuth2/OpenID Connect
  • User consent screens for permission approval

Self-Registration & 2FA Settings Page

  • Admin-configurable options for:
    • Allowing or restricting self-registration
    • Enforcing Two-Factor Authentication (2FA) policies

User Interface

This module provides MVC/Razor Pages UI.

Toolbar Items

This module adds the following menu items under the current user's toolbar menu:

  • My Account: Manage your profile information, email address, and password.
  • Sessions: View and manage your active login sessions across devices.
  • Linked accounts: Connect and manage external account associations.
  • Authority delegation: Configure permissions for delegated access.
  • Security Logs: Review your account's security history and events.
  • External Logins: Manage third-party authentication providers linked to your account.
  • Log out: Securely end your current session.

Features

This section introduces the main pages provided by this module.

Login

The /Account/Login page provides the login functionality.

External login buttons become visible once you set them up. See the External Logins section below. The Register and Forgot password links redirect to the pages explained in the next sections.

Register

The /Account/Register page provides the new user registration functionality.

Forgot Password & Reset Password

The /Account/ForgotPassword page provides a way of sending a password reset link to the user's email address. The user then clicks the link and sets a new password.

Account Management

The /Account/Manage page is used to change the user's password and personal information.

OpenIddict Integration

The GridLab.PSSX.Account.Public.Web.OpenIddict package provides integration for OpenIddict.

Idle Session

The Idle Session Timeout feature allows you to automatically log out users after a certain period of inactivity.

Impersonation

User impersonation allows you to temporarily sign in as a different user from among your tenant's users.

Local login

If this setting is disabled, the user can't log in through the local account or use the local account-related features such as register and find password.

If you use External Logins, the external login is automatically called for authentication when logging in.

Switching users during OAuth login

If you have an OAuth/Auth Server application using the Account module, you can pass the prompt=select_account parameter to force the user to select an account.

Example to pass prompt=select_account parameter in OpenIdConnect:

.AddAbpOpenIdConnect("oidc", options =>
{
    // ...
    options.Events = new OpenIdConnectEvents
    {
        OnRedirectToIdentityProvider = redirectContext =>
        {
            redirectContext.ProtocolMessage.Prompt = "select_account";
            return Task.CompletedTask;
        }
    };
    // ...
});

You have three options:

  • Continue: The login process will continue with the current account.
  • Switch to another account: Will be redirected to the login page to log in with another account.
  • Create a new account: Will be redirected to the register page to create a new account.

The OAuth login process will continue after the user selects one of the options.

All available prompt parameters:

| Parameter | Description |
|---|---|
| login | Forces the user to re-authenticate, even if they are already logged in. |
| consent | Forces the user to re-consent to the requested permissions, even if they have consented before. |
| select_account | Forces the user to select an account, even if they are already logged in (especially relevant if multiple accounts are available). |
| none | Does not trigger any prompt. If the user is not logged in, or their consent is not granted, it will return an error or redirect accordingly. |
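
When the prompt value is chosen per request rather than hard-coded, it should be checked against the values in the table before it is sent to the authority. The following is an added example, not code from the Account module: the `OidcPrompt` class and its `Normalize` method are hypothetical names, and the rules it applies (space-delimited, case-sensitive values, with `none` not combinable with any other value) are those of OpenID Connect Core.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical helper (not part of the Account module).
public static class OidcPrompt
{
    // The four values listed in the table above; comparison is case-sensitive.
    private static readonly string[] Known = { "login", "consent", "select_account", "none" };

    // Returns the normalized space-delimited value, or null when the input must be rejected.
    public static string? Normalize(string? raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;

        // prompt is a space-delimited list; drop duplicates, keep first-seen order.
        List<string> values = raw
            .Split(' ', StringSplitOptions.RemoveEmptyEntries)
            .Distinct(StringComparer.Ordinal)
            .ToList();

        // Reject anything outside the allow-list instead of forwarding it to the authority.
        if (values.Any(v => !Known.Contains(v, StringComparer.Ordinal))) return null;

        // "none" cannot be combined with any other value.
        if (values.Contains("none") && values.Count > 1) return null;

        return string.Join(" ", values);
    }

    public static void Main()
    {
        // Constructed sample inputs: two valid values, then three that must be
        // rejected or de-duplicated.
        string[] samples =
        {
            "select_account", "login consent", "none login", "Login",
            "select_account select_account"
        };

        foreach (string raw in samples)
        {
            string result = Normalize(raw) ?? "(rejected)";
            Console.WriteLine($"{raw,-32} -> {result}");
        }
    }
}
```

In the OnRedirectToIdentityProvider handler shown earlier, assign the result to redirectContext.ProtocolMessage.Prompt only when Normalize returns a non-null value.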

Time Zone Setting

Users can set their own time zone on the account settings page if the application supports multiple time zones.

Internals

Settings

See the AccountSettings class members for all settings defined for this module.

Application Layer

Application Services

1) AccountSettingsAppService (implements IAccountSettingsAppService): Implements the use case of the account settings UI.
2) AccountPublicAppService (implements IAccountPublicAppService): Implements the use cases of the register and password reset UIs.
3) AccountDynamicClaimsAppService (implements IAccountDynamicClaimsAppService): Manages dynamic claims for user accounts, allowing runtime modification and enhancement of user identity claims beyond standard authentication data.
4) AccountExternalLoginAppService (implements IAccountExternalLoginAppService): Handles authentication via external identity providers (e.g., Google, Facebook, Microsoft) and manages linked external accounts.
5) AccountLinkUserAppService (implements IAccountLinkUserAppService): Facilitates account linking between different user identities, enabling unified access control across multiple accounts.
6) AccountProfileAppService (implements IAccountProfileAppService): Manages core user profile data and personalization settings.
7) AccountSessionAppService (implements IAccountSessionAppService): Provides active session monitoring and management capabilities.
8) AccountUserDelegationAppService (implements IAccountUserDelegationAppService): Manages delegated access permissions where users can authorize others to act on their behalf.

Permissions

See the AccountAdminPermissions class members for all permissions defined for this module.

Options

AbpAccountOptions

AbpAccountOptions can be configured in the UI layer in the ConfigureServices method of your module. Example:

Configure<AbpAccountOptions>(options =>
{
    //Set options here...
});

AbpAccountOptions properties:

  • WindowsAuthenticationSchemeName (default: Windows): Name of the Windows authentication scheme.
  • TenantAdminUserName (default: admin): The tenant admin user name.
  • ImpersonationTenantPermission: The permission name for tenant impersonation.
  • ImpersonationUserPermission: The permission name for user impersonation.
  • ExternalProviderIconMap: A dictionary of external provider names and their corresponding font-awesome icon classes. You can add a new mapping to this dictionary to change the icon of an external provider. (Popular external provider icons are already defined, such as Facebook, Google, Microsoft, Twitter, etc.)
  • IsTenantMultiDomain: Indicates whether the tenant supports multiple domains.

AbpProfilePictureOptions

AbpProfilePictureOptions can be configured in the UI layer in the ConfigureServices method of your module. Example:

Configure<AbpProfilePictureOptions>(options =>
{
    //Set options here...
});

AbpProfilePictureOptions properties:

  • EnableImageCompression (default: false): Enables image compression for the profile picture. When enabled, the selected compression library will compress the profile picture to decrease the image size. For more information, see image manipulation.