
Need to whitelist Reset Password path from authorization #10062


cstobler created

For context, I have a page where my users can add users to their tenant account. I am calling the IdentityUserAppService methods to do this. This is working fine. I am also authorizing the whole app and then whitelisting certain paths and pages in the WebModule to force users to log in if they are not:

Configure<RazorPagesOptions>(options =>
{
    // Require an authenticated user for every Razor Page under the root Pages folder
    options.Conventions.AuthorizeFolder("/");

    // Pages in the "Account" area (Areas/Account/Pages), i.e. the ABP Account module UI
    options.Conventions.AllowAnonymousToAreaPage("Account", "/Login");
    options.Conventions.AllowAnonymousToAreaPage("Account", "/Register");
    options.Conventions.AllowAnonymousToAreaPage("Account", "/ForgotPassword");
    options.Conventions.AllowAnonymousToAreaPage("Account", "/ResetPassword");
    options.Conventions.AllowAnonymousToAreaPage("Account", "/EmailConfirmation");
    options.Conventions.AllowAnonymousToAreaPage("Account", "/TwoFactor");

    // Non-area folders under the root Pages folder (Pages/Account, Pages/Payment, ...);
    // a folder convention covers every page in that folder and its subfolders
    options.Conventions.AllowAnonymousToFolder("/Account");
    options.Conventions.AllowAnonymousToFolder("/Payment");
    options.Conventions.AllowAnonymousToFolder("/Payment/Stripe");
    options.Conventions.AllowAnonymousToFolder("/Public");

    // Individual non-area pages
    options.Conventions.AllowAnonymousToPage("/Error");
    options.Conventions.AllowAnonymousToPage("/PrivacyPolicy");
    options.Conventions.AllowAnonymousToPage("/Payment/GatewaySelection");
    options.Conventions.AllowAnonymousToPage("/Payment/Stripe/PrePayment");
    options.Conventions.AllowAnonymousToPage("/Payment/Stripe/PostPayment");
});

My issue is that when the user selects ShouldChangePasswordOnNextLogin, it presumably redirects the new user to reset their password. What happens, however, is that the user is kicked back to the login page repeatedly. I am guessing that the user is not logged in at this point for some reason, and the reset password page is not being whitelisted.

Please help me understand what this path would be so I can whitelist it, or let me know if there is a more elegant way to approach this.

Charlie


7 Answer(s)
  • AI-Bot created
    Support Team ABP Agent
    1. Solution
    • What happens with ShouldChangePasswordOnNextLogin:

      • After a successful login, if the user has IdentityUser.ShouldChangePasswordOnNextLogin = true, the Account module redirects the user to the Change Password page (not the email-based ResetPassword page). This page requires the user to be authenticated.
      • Therefore, if your global authorization rules or cookie setup cause a redirect loop, it’s typically because the user is authenticated but your allow-anonymous list or return-url handling interferes, or you didn’t whitelist the correct authenticated page.
    • Pages you should allow and why:

      • Forgot Password and Reset Password are anonymous:
        • /Account/ForgotPassword
        • /Account/ResetPassword
      • Change Password requires authentication (used by ShouldChangePasswordOnNextLogin):
        • /Account/Manage/ChangePassword (MVC UI)
      • Login, Register and other account pages as you already listed.
    • What to change:

      • Keep ForgotPassword and ResetPassword anonymous (as you already did).
      • Do not try to mark ChangePassword as anonymous; the user must be authenticated to use it. Instead, ensure the login succeeds and the auth cookie is established before redirecting there, and that your conventions don’t accidentally block this authenticated page.
      • If you are authorizing the whole “/” folder, do not add AllowAnonymousToFolder("/Account") globally (that would open pages that should be protected). Prefer explicit anonymous pages plus leaving authenticated pages protected.
    • Recommended conventions configuration (minimal and safe):

    Configure<RazorPagesOptions>(options =>
    {
        options.Conventions.AuthorizeFolder("/");

        // Anonymous account pages that must be reachable unauthenticated
        options.Conventions.AllowAnonymousToAreaPage("Account", "/Login");
        options.Conventions.AllowAnonymousToAreaPage("Account", "/Register");
        options.Conventions.AllowAnonymousToAreaPage("Account", "/ForgotPassword");
        options.Conventions.AllowAnonymousToAreaPage("Account", "/ResetPassword");
        options.Conventions.AllowAnonymousToAreaPage("Account", "/EmailConfirmation");
        options.Conventions.AllowAnonymousToAreaPage("Account", "/TwoFactor");

        // Keep Change Password authenticated (used by ShouldChangePasswordOnNextLogin)
        // Do NOT whitelist it. Path:
        // /Account/Manage/ChangePassword

        // Other truly public pages
        options.Conventions.AllowAnonymousToPage("/Error");
        options.Conventions.AllowAnonymousToPage("/PrivacyPolicy");

        // Only open payment/public folders if they are truly public
        // options.Conventions.AllowAnonymousToFolder("/Public");
        // options.Conventions.AllowAnonymousToFolder("/Payment");
        // options.Conventions.AllowAnonymousToFolder("/Payment/Stripe");
        // If you must open specific payment pages:
        // options.Conventions.AllowAnonymousToPage("/Payment/GatewaySelection");
        // options.Conventions.AllowAnonymousToPage("/Payment/Stripe/PrePayment");
        // options.Conventions.AllowAnonymousToPage("/Payment/Stripe/PostPayment");
    });
    
    • If you still get redirected back to login repeatedly:

      • Confirm the login actually succeeds (no external cookie issues, no tenant mismatch).
      • Ensure you don’t have AllowAnonymousToFolder("/") or AllowAnonymousToFolder("/Account") combined with AuthorizeFolder("/") creating conflicting behaviors.
      • Make sure the application cookie is issued and the auth scheme matches the one used by ABP (default cookie + OIDC if used).
      • If you have custom middleware that redirects unauthenticated users, ensure it doesn’t intercept the ChangePassword redirect.
    • Summary of the path to whitelist vs. not:

      • Whitelist (anonymous): /Account/ForgotPassword, /Account/ResetPassword, /Account/Login, /Account/Register, /Account/EmailConfirmation, /Account/TwoFactor.
      • Do not whitelist (must stay authorized): /Account/Manage/ChangePassword (this is where ShouldChangePasswordOnNextLogin sends the user).
    2. Sources
    • Account Module (Forgot/Reset password are anonymous flows; change password is for authenticated users)
      • https://abp.io/docs/latest/modules/account
    • Customizing MVC/Razor Pages and authorization conventions
      • https://abp.io/docs/latest/framework/ui/aspnet-core/mvc/razor-pages

    This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

  • cstobler created

    That doesn't really recommend anything aside from removing the whitelisting on some of my other pages, which I need for other purposes in my app (my own Stripe implementation).

    Any help would be appreciated.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can reconsider requiring authentication for all pages.

    options.Conventions.AuthorizeFolder("/");

    Perhaps you can find an alternative solution.

    What is your real use case?

    Thanks.

  • cstobler created

    Well, I set it up this way because I didn't want to utilize the "host" section of the app (as in, I wanted all users to be tenants), and I wanted to make sure that whenever someone was not logged in, they were redirected to the login page. This seemed like a good way to do it at the time since it forced login before users could access the app and it forced them to be tenants.

    Is there a better way to go about this?
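As an added example (not code from this thread and not ABP's own code), here is one alternative to AuthorizeFolder("/") of the kind maliming hints at. AuthorizeFolder("/") is a Razor Pages convention: it covers only pages under the root Pages folder, not area pages and not MVC controller or API endpoints. An ASP.NET Core fallback authorization policy instead requires an authenticated user on every routed endpoint that carries no authorization metadata of its own. Module pages that already carry [AllowAnonymous] (the Account module's Login, Register, ForgotPassword and ResetPassword pages) keep that attribute and therefore need no whitelist entry; the application's own public pages still need an explicit opt-out. MyWebModule is a placeholder for the existing web module class, and the page paths are the ones from the question. Whether this removes the change-password loop depends on the authorization metadata of the page ShouldChangePasswordOnNextLogin redirects to, which this example does not change.

```csharp
// Added example, not from the thread: authenticate everything by default
// through a fallback policy instead of AuthorizeFolder("/").
// MyWebModule stands in for the existing web module (keep its [DependsOn]).
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;
using Volo.Abp;
using Volo.Abp.Modularity;

public class MyWebModule : AbpModule
{
    public override void ConfigureServices(ServiceConfigurationContext context)
    {
        // The fallback policy is evaluated only for endpoints that have no
        // [Authorize] / [AllowAnonymous] metadata of their own. It applies to
        // Razor Pages in every area, to MVC controllers and to API endpoints,
        // which AuthorizeFolder("/") does not reach.
        Configure<AuthorizationOptions>(options =>
        {
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });

        // Pages of this application that must stay public need an explicit
        // opt-out. The convention adds AllowAnonymous metadata to the page
        // endpoint, so the fallback policy skips it. The Account module's
        // own anonymous pages (Login, Register, ForgotPassword, ResetPassword)
        // already carry [AllowAnonymous] and are not listed here.
        Configure<RazorPagesOptions>(options =>
        {
            options.Conventions.AllowAnonymousToPage("/Error");
            options.Conventions.AllowAnonymousToPage("/PrivacyPolicy");
            options.Conventions.AllowAnonymousToFolder("/Public");
            // Covers /Payment/GatewaySelection and the /Payment/Stripe pages
            options.Conventions.AllowAnonymousToFolder("/Payment");
        });
    }
}
```

Because the fallback applies to every routed endpoint, any API or health-check endpoint that must stay reachable without a login also needs [AllowAnonymous] (or AllowAnonymous() on the endpoint builder); the quickest check is to request a protected page and a listed public page as an unauthenticated user and confirm the first answers with a redirect to the login page while the second answers 200.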

  • maliming created
    Support Team Fullstack Developer

    hi

    You can disable the self-registration on the Host side.

    Thanks.

  • cstobler created

    Can you explain this in more detail please? If self-registration is disabled on the host side, will it still allow self-registration for tenants? I need tenants to be able to sign up themselves, but I don't want anyone accessing the host side.

    If this will work for my purposes, then is there some code I can implement that will set that rather than configuring it in the host settings in the app? Mainly so it is more streamlined when I need to deploy elsewhere.

  • maliming created
    Support Team Fullstack Developer

    hi

    You can enable it in Tenant and disable it on the host side.

    Thanks.
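As an added example (not code from this thread and not ABP's own code), here is one way to set the self-registration setting from code rather than in the host's settings UI, which is what cstobler asked for: a data seed contributor that writes the Account module's IsSelfRegistrationEnabled setting at the global level for the host and at the tenant level for each tenant it is run for. It assumes the standard ABP setting-management and Account module packages; MySelfRegistrationSeedContributor is a hypothetical class name, and the seeder only takes effect where it runs (the DbMigrator for the host, and whatever tenant-creation flow in the application runs the data seeder for new tenants).

```csharp
// Added example, not from the thread: host cannot self-register, tenants can.
// MySelfRegistrationSeedContributor is a hypothetical name.
using System.Threading.Tasks;
using Volo.Abp.Account.Settings;
using Volo.Abp.Data;
using Volo.Abp.DependencyInjection;
using Volo.Abp.SettingManagement;

public class MySelfRegistrationSeedContributor : IDataSeedContributor, ITransientDependency
{
    private readonly ISettingManager _settingManager;

    public MySelfRegistrationSeedContributor(ISettingManager settingManager)
    {
        _settingManager = settingManager;
    }

    public async Task SeedAsync(DataSeedContext context)
    {
        if (context.TenantId == null)
        {
            // Seeding the host: the global value is what host users see and
            // what tenants fall back to when they have no tenant-level value.
            await _settingManager.SetGlobalAsync(
                AccountSettingNames.IsSelfRegistrationEnabled, "false");
        }
        else
        {
            // Seeding a tenant: the tenant-level value overrides the global
            // "false" for that tenant only, so its users can register.
            await _settingManager.SetForTenantAsync(
                context.TenantId.Value,
                AccountSettingNames.IsSelfRegistrationEnabled, "true");
        }
    }
}
```

This moves the decision into the deployment pipeline, so a fresh environment gets the same host/tenant split without anyone touching the settings page; the value can still be overridden later through the settings UI, which writes to the same setting store.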

Made with ❤️ on ABP v10.1.0-preview. Updated on November 04, 2025, 06:41