Conflict Integrating Elsa 3.5 with ABP (OpenIddict) Authentication

[IslamAlkhateeb]

Environment

• Elsa version: 3.5.0-rc2
• ABP.IO version: 9.2
• .NET SDK: net9.0
• Hosting: Monolithic ABP.IO application
• Elsa configuration: Added Elsa via .AddElsa() in a layered module (Workflows.HttpApi)

---

🧩 Problem Summary

I’m integrating Elsa 3.5 into an ABP.IO-based system. My goal is to expose the Elsa Studio APIs and allow users to authenticate using ABP’s Identity (based on OpenIddict). However, I faced these issues:

1. When I enable .UseIdentity() with TokenOptions.SigningKey, the Elsa APIs require their own bearer token signature, which collides with ABP’s AddAbpJwtBearer setup.

2. I cannot set a custom AuthorizationPolicy or override how Elsa handles identity validation for /elsa/api routes. For example:

   elsa.UseWorkflowsApi(options =>
   {
       options.AuthorizationPolicy = "ElsaApi"; // ❌ Not available in v3.5.0-rc2
   });

3. I cannot disable Elsa's default authentication pipeline (UseDefaultAuthentication) without breaking the API route security. Elsa automatically configures JWT auth, which causes conflicts if ABP already configured JWT.

4. The only workaround I found was to manually inject a fake identity via custom middleware for /elsa/api, like so:

   app.Use(async (context, next) =>
   {
       if (context.Request.Path.StartsWithSegments("/elsa/api"))
       {
           var claims = new[]
           {
               new Claim("sub", "elsa-admin"),
               new Claim("scope", "elsa:*"),
               new Claim("permissions", "*")
           };
           var identity = new ClaimsIdentity(claims, "Bearer");
           context.User = new ClaimsPrincipal(identity);
       }
       await next();
   });

   While this works, it’s not a clean or scalable solution.

---

💡 Feature Requests / Suggestions

• Allow overriding or disabling UseDefaultAuthentication() when calling AddElsa().
• Allow setting a custom AuthorizationPolicy when configuring UseWorkflowsApi().
• Provide better integration examples with OpenIddict / external authentication providers.
• Make it easier to integrate Elsa Studio securely into existing authentication infrastructure.

---

📌 Notes

The closest working example I found is from this PoC repo by @sfmskywalker:
https://github.com/sfmskywalker/abp-elsa-poc

However, it uses a pre-release build with custom patches and isn’t directly usable in production.

---

🙏 Request

What’s the recommended approach to:

1. Use ABP.IO's existing identity (via OpenIddict)
2. Expose Elsa Studio APIs
3. Avoid configuring a second parallel JWT authentication

Would love feedback or guidance from the Elsa team or community.

[rolandgriesser]

I'm stuck with the same problem and my workaround is a bit different - apparently, FastEndpoints won't automatically create the policies defined in the Elsa.Workflows.Api or Elsa.Labels packages. The UseDefaultAuthentication will at least add the SecurityRoot policy rule (for the Labels-package, nothing will be added unfortunately).
With your workaround, I think you'll also disable all the permission-related stuff of all elsa/api-Endpoints (e.g. create:role etc.), as you give the user full permissions.
I think just adding the policies should be sufficient, this is the description of the FastEndpoints.Policies-method:

/// <summary>
/// specify one or more authorization policy names you have added to the middleware pipeline during app startup/ service configuration that should be
/// applied to this endpoint.
/// </summary>
/// <param name="policyNames">one or more policy names (must have been added to the pipeline on startup)</param>
protected void Policies(params string[] policyNames)

So this is what I did:

services.AddAuthorization(options =>
{
    // We don't call UseDefaultAuthentication, so we need to define our own policies
    options.AddPolicy(IdentityPolicyNames.SecurityRoot, policy => policy.RequireAuthenticatedUser());
    // For the Labels feature, this seems to be a bug in Elsa as it doesn't define any policies by default
    options.AddPolicy(Elsa.Labels.Endpoints.Labels.Delete.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.Labels.Get.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.Labels.List.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.Labels.Post.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.Labels.Update.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.WorkflowDefinitionLabels.List.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
    options.AddPolicy(Elsa.Labels.Endpoints.WorkflowDefinitionLabels.Update.Constants.PolicyName, policy => policy.RequireAuthenticatedUser());
});

[t4trust]

@IslamAlkhateeb can we get your email address to discuss or discord

[IslamAlkhateeb]

Sure! You can reach me at [email protected]
I’m also available on Discord ialkhateeb