
Identity

The Identity module is used to manage roles, users and their permissions. It is based on the Microsoft Identity library.

User Interface

This module provides MVC/Razor Pages UI.

This module adds an Identity management menu item under the Administration menu:


  • Users: User management page.
  • Roles: Role management page.
  • Claim Types: Claim type management page.
  • Organization Units: Organization unit management page.
  • Security Logs: Security log search page.

IdentityMenuNames class has the constants for the menu item names.

Features

This section covers some other features provided by this module.

User management

The Users page is used to manage the users in your system.

You can create a new user or edit an existing user:

  • A user can have zero or more roles in the system.
  • You can set user lockout settings per user.


User permissions

A user has the union of the permissions of its assigned roles. The Identity module also allows you to grant extra permissions to a specific user.

User claims

You can also set custom claim values for a user.

Claim types are retrieved from the claim list defined in the Claim Type Management.

Role Management

The Roles page is used to manage roles in the system. A role is a named set of permissions that is assigned to users.

You can create a new role or edit a role:

  • Default roles are assigned to new users by default.
  • Public roles are visible to other users.


Role permissions

You can manage permissions of a role:

  • A permission is an action of the application granted to roles and users.
  • A user with a role will inherit all the permissions granted for the role.
  • Any module can define permissions. Once you define a new permission, it will be available on this page.
  • The left side is the list of modules. Once you click a module name, you can check/uncheck the permissions related to that module.

Role claims

You can set custom claim values for a role:

Claim types are retrieved from the claim list defined in the Claim Types Management.

Claim Type Management

The Identity module allows you to define custom claim types.

  • Custom claims can be used to store additional information about a user or role.
  • Custom claim values can then be accessed in the application code for an authenticated user.
  • Claim Types are also used by the OpenIddict module if you're using it.

Identity Module Settings

The Identity module adds a new tab to the Settings page to customize its behavior at runtime.

Organization Units

Organization Units (OU) can be used to manage organization units, members of organization units and roles of organization units.


OrganizationUnit Entity

An OU is represented by the OrganizationUnit entity. The fundamental properties of this entity are:

  • TenantId: Id of the tenant that owns this OU. Can be null for host OUs.
  • ParentId: Id of the parent OU. Can be null if this is a root OU.
  • Code: A hierarchical string code that is unique within a tenant.
  • DisplayName: The displayed name of the OU.

Identity Security Log

The security log system records important operations on or changes to your account (like login and password changes). You can also write your own security log entries if needed.

You can inject and use IdentitySecurityLogManager or ISecurityLogManager to write security logs. It will create a log object by default and fill in some common values, such as CreationTime, ClientIpAddress, BrowserInfo, current user/tenant, etc. Of course, you can override them.

await IdentitySecurityLogManager.SaveAsync(new IdentitySecurityLogContext()
{
    Identity = "IdentityServer",
    Action = "ChangePassword"
});

Configure AbpSecurityLogOptions to provide the application name for the log (in case you have multiple applications and want to distinguish them in the logs) or to disable this feature.

Configure<AbpSecurityLogOptions>(options =>
{
    options.ApplicationName = "AbpSecurityTest";
});
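As an added example (not code from the ABP documentation), the following application service records a security log entry when an administrator resets another user's password, overriding the values the manager fills in by default and attaching extra properties. The service name, method name and the two action strings are assumptions; ABP ships its own action constants in IdentitySecurityLogActionConsts.

```csharp
// Added example, not from the ABP docs. AccountRecoveryAppService, ResetPasswordAsync
// and the "PasswordReset*" action strings are assumed names.
using System;
using System.Threading.Tasks;
using Volo.Abp.Application.Services;
using Volo.Abp.Identity;

public class AccountRecoveryAppService : ApplicationService
{
    private readonly IdentityUserManager _userManager;
    private readonly IdentitySecurityLogManager _securityLogManager;

    public AccountRecoveryAppService(
        IdentityUserManager userManager,
        IdentitySecurityLogManager securityLogManager)
    {
        _userManager = userManager;
        _securityLogManager = securityLogManager;
    }

    public virtual async Task ResetPasswordAsync(Guid targetUserId, string newPassword)
    {
        var target = await _userManager.GetByIdAsync(targetUserId);
        var token = await _userManager.GeneratePasswordResetTokenAsync(target);
        var result = await _userManager.ResetPasswordAsync(target, token, newPassword);

        // Log both outcomes: a failed reset is as useful to a reviewer as a successful one.
        // CreationTime, ClientIpAddress, BrowserInfo and the current user/tenant are filled
        // in by the manager; Identity, Action, UserName and the extra properties are ours.
        await _securityLogManager.SaveAsync(new IdentitySecurityLogContext
        {
            Identity = "Account",
            Action = result.Succeeded ? "PasswordResetSucceeded" : "PasswordResetFailed",
            UserName = target.UserName // the affected account, not the acting admin
        }
        .WithProperty("ActorUserId", CurrentUser.Id)
        .WithProperty("Succeeded", result.Succeeded));

        // Surface validation errors (password policy, etc.) after the log is written.
        result.CheckErrors();
    }
}
```

Because the log is written before CheckErrors() throws, a rejected password still leaves a trace on the Security Logs page.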

Session Management

Session Management feature is responsible for managing user sessions in the identity system. It provides APIs to create, update, retrieve, and revoke sessions, supporting features like concurrent session control, device tracking, and session cache synchronization.

Two Factor Authentication

Two-factor authentication (2FA) is a specific type of multi-factor authentication (MFA) that requires the authenticating party to produce two separate identifying factors to verify their identity. The first factor is something you know (username and password) and the second factor is something you have (a mobile device or email account) that is used to verify authentication requests. 2FA protects against phishing, social engineering and password brute-force attacks and secures your logins against attackers exploiting weak or stolen credentials.

External Login Providers

An ExternalLoginProvider is a component responsible for authenticating users against external identity sources, such as LDAP directories or OAuth-compliant identity providers. This allows your application to support enterprise authentication scenarios, single sign-on, and integration with third-party identity systems.

Data seed

This module adds some initial data to the database when you run .DbMigrator if the IsUserSeedEnabled option is set:

  • Creates an admin role with all the permissions granted.
  • Creates a platon user with the admin role and 1q2w3E* as the password.

You normally change this password when you first run the application in your production environment. But if you want to change the password of the seed data, find the *ProjectName*DbMigrationService in your solution and locate the MigrateAsync method. There will be a line like this:

await _dataSeeder.SeedAsync();

Change it to this:

await _dataSeeder.SeedAsync(
    new DataSeedContext()
        .WithProperty("CustomAdminPassword", "CustomDefaultPassword1234!")
);

Just like the password, you can also set the admin email (use the AdminEmail key in this case).

You can also use the DefaultIdentityDataSeederOptions class to provide the default user name and password.

Configure<DefaultIdentityDataSeederOptions>(options =>
{
    options.IsUserSeedEnabled = true;
    options.AdminPasswordPropertyName = "CustomAdminPassword";
    options.AdminPasswordDefaultValue = "CustomDefaultPassword1234!";
});

Options

IdentityOptions

IdentityOptions is the standard options class provided by the Microsoft Identity library. So, you can set these options in the ConfigureServices method of your module class.

Example: Set minimum required length of passwords

Configure<IdentityOptions>(options =>
{
    options.Password.RequiredLength = 5;
});

AbpIdentityAspNetCoreOptions

AbpIdentityAspNetCoreOptions can be configured in the UI layer, in the ConfigureServices method of your module. Example:

Configure<AbpIdentityAspNetCoreOptions>(options =>
{
    //Set options here...
});

AbpIdentityAspNetCoreOptions properties:

  • ConfigureAuthentication (default: true): Identity module calls AddAuthentication and AddIdentityCookies extension methods by default to configure the authentication for the Identity library. It sets DefaultScheme to IdentityConstants.ApplicationScheme and DefaultSignInScheme to IdentityConstants.ExternalScheme. You can set this property to false to suppress it and configure it yourself.

Distributed Events

This module defines the following ETOs (Event Transfer Objects) to allow you to subscribe to changes on the entities of the module:

  • UserEto is published on changes done on an IdentityUser entity.
  • IdentityRoleEto is published on changes done on an IdentityRole entity.
  • IdentityClaimTypeEto is published on changes done on an IdentityClaimType entity.
  • OrganizationUnitEto is published on changes done on an OrganizationUnit entity.

Example: Get notified when a new user has been created

using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events.Distributed;
using Volo.Abp.EventBus.Distributed;
using Volo.Abp.Users;

public class MyHandler :
    IDistributedEventHandler<EntityCreatedEto<UserEto>>,
    ITransientDependency
{
    public async Task HandleEventAsync(EntityCreatedEto<UserEto> eventData)
    {
        // eventData.Entity carries the ETO (Id, UserName, Email, ...) of the created user.
        UserEto user = eventData.Entity;
        // TODO: ...
    }
}

UserEto, IdentityRoleEto and OrganizationUnitEto are configured to publish their events automatically. You should configure automatic publishing yourself for the others.

Subscribing to the distributed events is especially useful in distributed scenarios (like a microservice architecture). If you are building a monolithic application, or listening to events in the same process that runs the Identity module, then subscribing to the local events can be more efficient and easier.
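The two points above, as an added example that is not part of the ABP documentation: enabling automatic distributed events for IdentityClaimType (which the module does not do by default) and handling user creation through a local event handler instead of a distributed one. The module class name and the handler name are assumptions.

```csharp
// Added example, not from the ABP docs. MyProjectDomainModule and NewUserLocalHandler
// are assumed names.
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.Domain.Entities.Events;
using Volo.Abp.Domain.Entities.Events.Distributed;
using Volo.Abp.EventBus;
using Volo.Abp.Identity;
using Volo.Abp.Modularity;

public class MyProjectDomainModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        Configure<AbpDistributedEntityEventOptions>(options =>
        {
            // Publish EntityCreated/Updated/DeletedEto<IdentityClaimTypeEto> for every
            // change on IdentityClaimType entities, as the module already does for
            // users, roles and organization units.
            options.AutoEventSelectors.Add<IdentityClaimType>();
            options.EtoMappings.Add<IdentityClaimType, IdentityClaimTypeEto>();
        });
    }
}

// Local handler: runs in-process, within the same unit of work that created the user,
// so no message broker or ETO mapping is involved.
public class NewUserLocalHandler :
    ILocalEventHandler<EntityCreatedEventData<IdentityUser>>,
    ITransientDependency
{
    public Task HandleEventAsync(EntityCreatedEventData<IdentityUser> eventData)
    {
        IdentityUser user = eventData.Entity;

        // Example reaction: flag accounts created without a confirmed email for review.
        if (!user.EmailConfirmed)
        {
            // ... enqueue a review task, send a notification, etc.
        }

        return Task.CompletedTask;
    }
}
```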