Activities of "enisn"

What ABP provides out of the box

• SaaS tenant management app service (ITenantAppService) is host‑only and protected by SaasHostPermissions.Tenants.*.
• Edition → Plan linkage and subscription payment creation via a host app service (SubscriptionAppService.CreateSubscriptionAsync(Guid editionId, Guid tenantId)), which creates a PaymentRequest with required extra properties:
  • EditionConsts.EditionIdParameterName
  • TenantConsts.TenantIdParameterName
• Payment events update the tenant’s edition and period:
  • SubscriptionCreatedHandler sets tenant.EditionId and tenant.EditionEndDateUtc.
  • SubscriptionUpdatedHandler refreshes tenant.EditionEndDateUtc and optionally tenant.EditionId.

Relevant code in this repository:

• SaaS tenant creation (host‑only app service): src/Volo.Saas.Host.Application/Volo/Saas/Host/TenantAppService.cs
• Public subscription creation API (host context): src/Volo.Saas.Host.Application/Volo/Saas/Subscription/SubscriptionAppService.cs
• Payment request and plan types: abp/payment/src/Volo.Payment.Domain/Volo/Payment/...
• Payment → SaaS event handlers: src/Volo.Saas.Domain/Volo/Payment/Subscription/SubscriptionCreatedHandler.cs, SubscriptionUpdatedHandler.cs

Problem: Self‑service signup causes AbpAuthorizationException

If you call TenantAppService.CreateAsync from a public page, you’ll get AbpAuthorizationException because it is decorated with [Authorize(SaasHostPermissions.Tenants.Default)] and intended for host administrators.

Solution overview

Create a dedicated, public endpoint that:

1. Creates the tenant via domain layer (ITenantManager + ITenantRepository) and publishes TenantCreatedEto (to seed the admin user, etc.),
2. Starts the subscription by calling SubscriptionAppService.CreateSubscriptionAsync(editionId, tenantId),
3. Keeps tenant inactive (or passive) until payment succeeds, and activates it on payment event if desired.

This avoids host‑only permissions while keeping the standard cross‑module behaviors (user seeding and subscription updates) intact.

Minimal implementation

1. Create a public application service or controller for registration

using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Volo.Abp;
using Volo.Abp.EventBus.Distributed;
using Volo.Saas.Tenants;
using Volo.Saas.Host.Dtos; // for consistency if you reuse DTOs
using Volo.Saas.Host.Application.Volo.Saas.Subscription; // ISubscriptionAppService

[AllowAnonymous]
public class PublicTenantRegistrationAppService : MyAppAppService
{
    private readonly ITenantManager _tenantManager;
    private readonly ITenantRepository _tenantRepository;
    private readonly IDistributedEventBus _eventBus;
    private readonly ISubscriptionAppService _subscriptionAppService;

    public PublicTenantRegistrationAppService(
        ITenantManager tenantManager,
        ITenantRepository tenantRepository,
        IDistributedEventBus eventBus,
        ISubscriptionAppService subscriptionAppService)
    {
        _tenantManager = tenantManager;
        _tenantRepository = tenantRepository;
        _eventBus = eventBus;
        _subscriptionAppService = subscriptionAppService;
    }

    public async Task<StartSubscriptionResultDto> RegisterAndSubscribeAsync(RegisterTenantInput input)
    {
        // 1) Create tenant via domain layer (no host permission needed)
        var tenant = await _tenantManager.CreateAsync(input.TenantName, editionId: input.EditionId);

        tenant.SetActivationState(TenantActivationState.Passive); // keep passive until payment succeeds
        await _tenantRepository.InsertAsync(tenant, autoSave: true);

        // 2) Publish TenantCreatedEto to seed admin user (same as TenantAppService does)
        await _eventBus.PublishAsync(new TenantCreatedEto
        {
            Id = tenant.Id,
            Name = tenant.Name,
            Properties =
            {
                {"AdminEmail", input.AdminEmail},
                {"AdminPassword", input.AdminPassword}
            }
        });

        // 3) Start subscription (creates PaymentRequest with TenantId/EditionId extra props)
        var paymentRequest = await _subscriptionAppService.CreateSubscriptionAsync(input.EditionId, tenant.Id);

        return new StartSubscriptionResultDto
        {
            TenantId = tenant.Id,
            PaymentRequestId = paymentRequest.Id,
            // redirect URL depends on your payment gateway UI
        };
    }
}

public class RegisterTenantInput
{
    public string TenantName { get; set; }
    public Guid EditionId { get; set; }
    public string AdminEmail { get; set; }
    public string AdminPassword { get; set; }
}

public class StartSubscriptionResultDto
{
    public Guid TenantId { get; set; }
    public Guid PaymentRequestId { get; set; }
}

2. Handle activation after payment

SubscriptionCreatedHandler and SubscriptionUpdatedHandler update edition and end date. If you also want to flip activation state on initial payment, add a small handler:

using System;
using System.Threading.Tasks;
using Volo.Abp.DependencyInjection;
using Volo.Abp.EventBus.Distributed;
using Volo.Payment.Subscription;
using Volo.Saas.Tenants;

public class ActivateTenantOnPaidHandler : IDistributedEventHandler<SubscriptionCreatedEto>, ITransientDependency
{
    private readonly ITenantRepository _tenantRepository;

    public ActivateTenantOnPaidHandler(ITenantRepository tenantRepository)
    {
        _tenantRepository = tenantRepository;
    }

    public async Task HandleEventAsync(SubscriptionCreatedEto eventData)
    {
        var tenantId = Guid.Parse(eventData.ExtraProperties[TenantConsts.TenantIdParameterName]?.ToString());
        var tenant = await _tenantRepository.FindAsync(tenantId);
        if (tenant == null) return;

        tenant.SetActivationState(TenantActivationState.Active);
        await _tenantRepository.UpdateAsync(tenant);
    }
}

3. Tenant‑only access options

• Require authentication everywhere by default and redirect to login/registration for anonymous users.
• Enforce tenant context via a lightweight middleware or policy. Example middleware:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Volo.Abp.MultiTenancy;

public class TenantRequiredMiddleware
{
    private readonly RequestDelegate _next;
    public TenantRequiredMiddleware(RequestDelegate next) => _next = next;

    public async Task InvokeAsync(HttpContext context, ICurrentTenant currentTenant)
    {
        var path = context.Request.Path.Value ?? string.Empty;
        if (path.StartsWith("/Account", StringComparison.OrdinalIgnoreCase) ||
            path.StartsWith("/Public", StringComparison.OrdinalIgnoreCase))
        {
            await _next(context);
            return;
        }

        if (!currentTenant.IsAvailable)
        {
            context.Response.Redirect("/Account/Login");
            return;
        }

        await _next(context);
    }
}

Also consider the domain/subdomain tenant resolver to route tenants to their own subdomains.

Notes and gotchas

• TenantAppService.CreateAsync is host‑only. Use domain + repository + event bus in a public endpoint to avoid authorization errors.
• SubscriptionAppService.CreateSubscriptionAsync must be invoked in host context with a valid tenantId. It automatically emits a PaymentRequest with PaymentType.Subscription and a product PlanId.
• Payment events already set EditionId and subscription periods. If you need custom onboarding (e.g., activation), add your own distributed event handler.
• Keep your registration endpoint [AllowAnonymous] but aggressively validate inputs and throttle to prevent abuse.

References

• SaaS module docs: https://abp.io/docs/latest/modules/saas
• Payment module docs: https://abp.io/docs/latest/modules/payment
• Multi‑tenancy tenant resolvers (domain/subdomain): https://abp.io/docs/latest/framework/architecture/multi-tenancy#domain-subdomain-tenant-resolver

This post answers how to combine tenant signup with edition subscription, how to restrict access to tenant-only, and how to fix the AbpAuthorizationException you hit when creating tenants from a public page.

1) Can users sign up as a tenant and subscribe to an edition in one flow?

Yes. Create the tenant first, then immediately create the subscription for the new tenantId, and redirect to the payment gateway. Keep the tenant Passive until payment succeeds, then activate it on the subscription-created event.

Why: CreateSubscriptionAsync(editionId, tenantId) expects a valid tenant context. The provided host-side implementation already packages the correct payment request with extra properties for EditionId and TenantId.

• Subscription creation implementation (in repo): src/Volo.Saas.Host.Application/Volo/Saas/Subscription/SubscriptionAppService.cs
• Payment request model types: abp/payment/src/Volo.Payment.Domain/Volo/Payment/...
• Extra property keys: EditionConsts.EditionIdParameterName and TenantConsts.TenantIdParameterName

Payment events update the tenant after checkout:

• SubscriptionCreatedHandler sets tenant.EditionId and tenant.EditionEndDateUtc.
• SubscriptionUpdatedHandler refreshes tenant.EditionEndDateUtc and can update EditionId if provided.

Docs: SaaS, Payment

2) How to “disable” host (non-tenant) access and force login/registration?

You don’t need to remove host; just restrict what end users see:

• Require authentication for app pages and hide host UI/menu.
• Enforce tenant context with a small middleware (redirect when CurrentTenant.IsAvailable is false) or a policy.
• Consider domain/subdomain tenant resolver for per-tenant URLs (see ABP docs on multi-tenancy resolvers).

Docs: Multi-tenancy resolvers

Fix: AbpAuthorizationException when creating a tenant from a public page

TenantAppService.CreateAsync is host-only and protected by SaasHostPermissions.Tenants.*, so calling it from a public page throws. Instead:

1. Create your own public endpoint ([AllowAnonymous]) that uses the domain layer to create the tenant: ITenantManager + ITenantRepository.
2. Publish TenantCreatedEto (to seed admin user etc.).
3. Call CreateSubscriptionAsync(editionId, tenantId) to start payment.
4. Activate the tenant on SubscriptionCreatedEto if desired.

Code pointers in the source code:

• Host-only app service that throws when called without host permissions: src/Volo.Saas.Host.Application/Volo/Saas/Host/TenantAppService.cs
• Domain creation API (safe to use from your public endpoint): src/Volo.Saas.Domain/Volo/Saas/Tenants/TenantManager.cs
• Subscription creation that embeds tenant/edition IDs: src/Volo.Saas.Host.Application/Volo/Saas/Subscription/SubscriptionAppService.cs
• Payment → SaaS handlers setting edition and period:
  • src/Volo.Saas.Domain/Volo/Payment/Subscription/SubscriptionCreatedHandler.cs
  • src/Volo.Saas.Domain/Volo/Payment/Subscription/SubscriptionUpdatedHandler.cs

Recommended flow (concise)

• Public page collects tenant info + editionId.
• Create tenant via domain (ITenantManager), set Passive.
• Publish TenantCreatedEto with admin email/password.
• Call CreateSubscriptionAsync(editionId, tenant.Id) and redirect to payment.
• On SubscriptionCreatedEto: set tenant.ActivationState = Active (custom handler), while built-in handlers set edition + end date.

Overview

Prepared a guide that explains how the ABP SaaS and Payment modules work together to enable tenant subscriptions, based on analysis of the source code and official documentation.

How Tenant Subscription Works

Current Architecture

The tenant subscription process in ABP follows this workflow:

1. Tenant Must Exist First: The SubscriptionAppService.CreateSubscriptionAsync(editionId, tenantId) method requires both parameters, meaning a tenant must already be created before subscribing to an edition.

2. Payment Request Creation: When creating a subscription, the system:

   • Creates a payment request with PaymentType.Subscription
   • Associates the tenant ID and edition ID in ExtraProperties
   • Links the payment to the edition's plan ID

3. Event-Driven Updates: When payment is successful, the Payment module publishes a SubscriptionCreatedEto event, which the SaaS module handles to:

   • Update the tenant's EditionId
   • Set the EditionEndDateUtc based on the subscription period

Key Components

// From SubscriptionAppService.cs
public virtual async Task<PaymentRequestWithDetailsDto> CreateSubscriptionAsync(Guid editionId, Guid tenantId)
{
    var edition = await EditionManager.GetEditionForSubscriptionAsync(editionId);
    
    var paymentRequest = await PaymentRequestAppService.CreateAsync(new PaymentRequestCreateDto
    {
        Products = new List<PaymentRequestProductCreateDto>
        {
            new PaymentRequestProductCreateDto
            {
                PlanId = edition.PlanId,
                Name = edition.DisplayName,
                Code = $"{tenantId}_{edition.PlanId}",
                Count = 1,
                PaymentType = PaymentType.Subscription,
            }
        },
        ExtraProperties =
        {
            { EditionConsts.EditionIdParameterName, editionId },
            { TenantConsts.TenantIdParameterName, tenantId },
        }
    });

    // Additional tenant setup...
}

Answers to Your Questions

1. Tenant Registration + Edition Subscription

Current State: You are correct that the current documentation assumes a tenant already exists. However, you can implement a combined registration flow.

Solution: Create a custom service that handles both tenant creation and subscription initiation:

public class TenantRegistrationService
{
    public async Task<TenantRegistrationResult> RegisterTenantWithSubscription(
        string tenantName, 
        string adminEmail, 
        string adminPassword, 
        Guid editionId)
    {
        // 1. Create tenant first
        var tenant = await _tenantAppService.CreateAsync(new SaasTenantCreateDto
        {
            Name = tenantName,
            AdminEmailAddress = adminEmail,
            AdminPassword = adminPassword,
            EditionId = editionId, // Pre-assign edition
            ActivationState = TenantActivationState.Passive // Keep inactive until payment
        });

        // 2. Create subscription payment request
        var paymentRequest = await _subscriptionAppService.CreateSubscriptionAsync(
            editionId, 
            tenant.Id);

        return new TenantRegistrationResult
        {
            TenantId = tenant.Id,
            PaymentRequestId = paymentRequest.Id,
            PaymentUrl = $"/Payment/GatewaySelection?paymentRequestId={paymentRequest.Id}"
        };
    }
}

Key Points:

• Create the tenant with ActivationState.Passive initially
• Pre-assign the EditionId during tenant creation
• Only activate the tenant after successful payment (handle this in the SubscriptionCreatedHandler)

2. Disabling Host Functionality

Current Architecture: ABP's multi-tenancy system distinguishes between:

• Host: Administrative context (no tenant ID)
• Tenant: Specific tenant context (with tenant ID)

Solutions for Tenant-Only Access:

Option A: Custom Authorization Policy

public class RequireTenantAuthorizationHandler : AuthorizationHandler<RequireTenantRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        RequireTenantRequirement requirement)
    {
        var currentTenant = context.User.FindFirst(AbpClaimTypes.TenantId);
        
        if (currentTenant != null && !string.IsNullOrEmpty(currentTenant.Value))
        {
            context.Succeed(requirement);
        }
        else
        {
            context.Fail();
        }

        return Task.CompletedTask;
    }
}

Option B: Custom Middleware

public class TenantRequiredMiddleware
{
    public async Task InvokeAsync(HttpContext context, ICurrentTenant currentTenant)
    {
        // Skip for authentication/registration pages
        if (IsAuthenticationPage(context.Request.Path))
        {
            await _next(context);
            return;
        }

        if (!currentTenant.IsAvailable)
        {
            context.Response.Redirect("/Account/TenantSelection");
            return;
        }

        await _next(context);
    }
}

Option C: Override Home Page Logic

public class HomeController : Controller
{
    public IActionResult Index()
    {
        if (!CurrentTenant.IsAvailable)
        {
            return RedirectToPage("/Account/TenantRegistration");
        }

        // Normal tenant home page logic
        return View();
    }
}

3. Recommended Implementation Strategy

Based on the source code analysis, here's the recommended approach:

Phase 1: Custom Tenant Registration Flow

1. Create a public tenant registration page
2. Implement combined tenant creation + subscription initiation
3. Handle the payment flow completion to activate tenants

Phase 2: Tenant-Only Access Control

1. Implement custom authorization to require tenant context
2. Create a tenant selection/registration landing page
3. Redirect non-tenant users to registration

Phase 3: Event Handlers

// Handle successful subscription to activate tenant
public class SubscriptionActivationHandler : IDistributedEventHandler<SubscriptionCreatedEto>
{
    public async Task HandleEventAsync(SubscriptionCreatedEto eventData)
    {
        var tenantId = Guid.Parse(eventData.ExtraProperties[TenantConsts.TenantIdParameterName]?.ToString());
        var tenant = await _tenantRepository.GetAsync(tenantId);
        
        // Activate tenant after successful payment
        tenant.SetActivationState(TenantActivationState.Active);
        await _tenantRepository.UpdateAsync(tenant);
    }
}

Key Architectural Insights

Multi-Tenancy Flow

1. Host Context: Used for administrative functions (creating tenants, managing editions)
2. Tenant Context: Used for tenant-specific operations
3. Current Design: Assumes host admins create tenants manually

Payment Integration

1. Payment Request: Links to tenant and edition via ExtraProperties
2. Webhook Events: Update tenant status when subscription changes
3. Subscription Lifecycle: Managed through distributed events

Missing Pieces for Self-Service

The current ABP SaaS module is designed for admin-managed tenants. For self-service tenant registration, you need to:

1. Create public APIs (without admin authorization)
2. Implement custom tenant registration workflows
3. Handle payment completion to activate tenants
4. Add tenant selection/registration UI for non-authenticated users

Conclusion

While ABP doesn't provide out-of-the-box self-service tenant registration, the architecture supports building this functionality. The key is to create custom services that combine tenant creation with payment initiation, and implement proper access controls to enforce tenant-only access.

According to your questions:

1. This example (var paymentRequest = await SubscriptionAppService.CreateSubscriptionAsync(editionId, CurrentTenant.GetId());) shows how to create a payment link. So you can create a tenant at the code-behind and pass that parameter to this method without actually chaning tenant yet and redirect browser to that payment link immediately. ABP provides you an infrastructure you can build your own way to implement it if you need custom solutions.

2. Host termionology stands for the manager of the system. If you need to build an application only accessed by tenants, you can use tenant domain resolvers and generate subdomain for your each tenant, so they can acess the application with their own special links: https://abp.io/docs/latest/framework/architecture/multi-tenancy#domain-subdomain-tenant-resolver

ABP provides you a structure but it doesn't force you to use it. The modules and framework is modular and highly customizable according to need. If you want to achieve a specific customization, please tell me to guide you. Do you need an example code how to create a tenant with a form and create payment for that tenant at the same time?

Given your app crashes only in Release mode on physical iOS devices while functioning properly in Debug mode and simulator, this strongly suggests an issue tied to linker behavior, AOT compilation, or runtime entitlements, especially with regards to ABP's internal use of Secure Storage.

Here are our prioritized suggestions to further isolate and resolve the issue:

1. Revisit Linker Configuration Stick with the default linker setting: SdkOnly instead of None, as overly aggressive linker stripping can remove reflection-dependent services that ABP relies on.

If still unstable, try [Preserve] attributes or a linker descriptor (Linker.xml) for critical modules, especially those using reflection or DI-heavy services.

2. Verify Entitlements for Secure Storage MAUI apps read from secure storage in Release mode by default. Please ensure:

Entitlements.plist includes Keychain Access Groups.

In iOS Bundle Signing, Custom Entitlements points to your Entitlements.plist.

You’ve tested the SecureStorage sample independently in a Release build to validate your signing and entitlements pipeline.

3. Instrument for Logging Set up native crash logs using Xcode’s Devices & Simulators window after the crash.

Integrate a lightweight try-catch log writer for early startup to capture any fault at the MauiProgram.cs or DI registration level.

4. Build Environment Check You mentioned using VS Code on macOS — while building MAUI apps for iOS doesn’t strictly require full Visual Studio, the ABP tooling might assume certain project behaviors more aligned with VS for Mac. If possible, try compiling using Visual Studio for Mac to cross-validate.

Have you configured requirements for Secure Storage? MAUI app uses secure storage in Release mode to store tokens. Probably it tries to read auth token at the startup.

https://learn.microsoft.com/en-us/dotnet/maui/platform-integration/storage/secure-storage?view=net-maui-9.0&tabs=macios#get-started

That might be the problem, I cannot be sure about it, we need more logs to understand it

Since docs module is an open-source module, the issue can be tracked from here: https://github.com/abpframework/abp/issues/23012

It seems there is bug in the module, thanks for the reporting it. I'll deliver this issue to the team so they'll fix it

Hi, we identified that your Firefox version is 41.0.2, which is considered a legacy version. Due to this, some of our modern dependencies are incompatible with it, causing the issue you’re experiencing.

To resolve this, please update to the latest Firefox version, 139.0.1, and try again.

Hi,

I delivered this issue to our team and they could not reproduce this problem. Can you share use your environments like Firefox version, Operating System Build etc?

Also, check the followings thay can cause the problem on your browser:

• Browser Extensions– Sometimes, installed extensions (especially ad blockers or script blockers) interfere with site functionality. Ask them to disable all extensions temporarily and retry.

• Firefox Version – Ensure they’re using the latest stable version of Firefox. If not, they should update to the most recent release.

• Different Device – If possible, they should try accessing the website from another computer or mobile device with Firefox.

• Network Issues – Some ISP configurations or DNS settings can cause problems. Using a different network (e.g., mobile hotspot) could rule this out.

• Safe Mode Test – Running Firefox in Safe Mode (about:support → Restart with Add-ons Disabled) can help determine if an extension or setting is causing problems.