ABP Support Request: Intermittent GrantedPolicies = 0 for authenticated admin user (ABP 10.0.2)
Hi ABP team,
We are investigating an intermittent production issue where an authenticated user suddenly loses effective permissions (menus/actions disappear) without logging out.
Environment
- ABP version:
10.0.2 - App type: ABP commercial-style modular app (
Web+HttpApi.Host) - Cache stack:
IDistributedCache(Redis) + custom in-memory L1 decorator overIDistributedCache - Redis: Azure Cache for Redis
- Hosting: Azure App Service
Context
We already implemented an L1 cache decorator around IDistributedCache to handle the previously observed Redis transient/cancellation path.
That fix helped for Redis outages, but we are now seeing a different failure mode where cache is healthy, user is authenticated, yet GrantedPolicies becomes zero.
What we observed (latest incident)
Incident window (UTC): 2026-02-27 19:33:10Z to 19:35:53Z.
1) User is authenticated and claims look valid
Claims diagnostic: User=admin, UserId=e82af67f-ecf7-4559-8140-c9596aa9f91a, TotalClaims=11, Roles=[admin], AllKeyClaimsPresent=true
2) App config reports zero policies for that same authenticated user
Multiple requests in the same window show:
AppConfig diagnostic: User=admin has 0 grantedPolicies. Auth IsAuthenticated=true, CurrentUser set=true
Seen on:
//HostDashboard/Abp/ApplicationConfigurationScript/Abp/ApplicationLocalizationScript/Abp/ServiceProxyScript
3) Authorization failures follow immediately
Many permission checks fail for the same request/user after the zero-policy state appears.
4) Redis appears healthy during this exact window
Redis status check ... IsConnected=true(periodic checks around the incident)- No corresponding Redis outage signature in this incident window
5) No classic application-configuration 500 chain this time
For this window we did not see the older pattern (API 500 + remote call exception/cancellation) that we saw in a separate earlier incident.
Why this is confusing
It looks like a valid, authenticated principal can occasionally resolve to an application configuration with GrantedPolicies = 0, and that value then appears to be reused by cache for a short period.
Questions for ABP team
- Are there known scenarios in ABP
10.0.2whereApplicationConfigurationcan be successfully generated with an emptyGrantedPoliciesdictionary for an authenticated user that otherwise has roles/claims? - Is there any known race condition around dynamic claims/permission value providers that could yield transient empty results without exceptions?
- Is ABP expected to cache an empty
GrantedPoliciesresult the same way as a normal one, and is there a recommended guard to avoid caching suspiciously empty results for authenticated users? - Is there a recommended extension point to validate/reject an
ApplicationConfigurationDtowhenIsAuthenticated=trueandGrantedPolicies.Count==0? - Are there patches after
10.0.2related to intermittent empty permission resolution inRemotePermissionChecker/ application configuration generation?
Notes
- We can share anonymized log snippets with trace IDs if needed.
- We already have diagnostics proving this is not always tied to Redis transport failures.
Thanks in advance. Any guidance on whether this is a known issue or recommended mitigation pattern would be very helpful.
15 Answer(s)
-
0
以下信息可能有用: 不正常时: 在MVC前端访问:https://manage.domain.com/Abp/ApplicationConfigurationScript 时,currentUser包含用户信息。但在redis缓存中,键 c:Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ApplicationConfigurationDto,k:AppName1:ApplicationConfiguration_1d5fa0de27ae42a8a24f5f46ea0793fb_7ad543414c677529e7243a1f648d059c_zh-Hans 中currentUser不包含用户信息。
The following information may be helpful:
When incorrect: When accessing https://manage.domain.com/Abp/ApplicationConfigurationScript in the MVC frontend, currentUser contains user information. However, in the Redis cache, currentUser in the key c:Volo.Abp.AspNetCore.Mvc.ApplicationConfigurations.ApplicationConfigurationDto,k:SmartBus:ApplicationConfiguration_1d5fa0de27ae42a8a24f5f46ea0793fb_7ad543414c677529e7243a1f648d059c_zh-Hans does not contain user information.
-
0
hi
We already implemented an L1 cache decorator around IDistributedCache to handle the previously observed Redis transient/cancellation path.
If you remove this feature, does the problem still exist? I just want to confirm whether they're related.
Thanks.
-
0
hi lanpin
This might be because your access token has expired or is invalid. We have a
CheckTokenExpirationextension method to check it.
Thanks.
-
0
BTW, you can test with this sultion: https://abp.io/support/questions/10483/v1010-Tiered-Empty-grantedPolicies-in-WebPublic-MVC-when-CmsKit-is-enabled#answer-3a1fbf3e-08f2-5b12-1295-acf09d5eb112
Thanks.
-
0
[maliming] said: hi
We already implemented an L1 cache decorator around IDistributedCache to handle the previously observed Redis transient/cancellation path.
If you remove this feature, does the problem still exist? I just want to confirm whether they're related.
Thanks.
No, we had to add this to work around the issue though it sounds like it's still an issue (user report now): https://gist.github.com/kfrancis/0064c960832458254dcca9591948a103
We've deployed that change you mentioned. Can you explain why the additional authenticate call is needed?
-
0
No, no change in function. Still an issue.
-
0
hi
Can you try this? https://abp.io/support/questions/10483/v1010-Tiered-Empty-grantedPolicies-in-WebPublic-MVC-when-CmsKit-is-enabled#answer-3a1fc36a-b259-117e-907a-2687f3b22102
Can you remove the CMS module to see if this is fixed?
//typeof(CmsKitProPublicWebModule)Thanks.
-
0
@maliming 我需要的是用户在登录管理后台之后可以一直保持在线。在添加checkTokenExpiration之后,ManageHost确实可以在出错之前检测,但这并不是我的要求。我想最佳方案应该是Web(MVC)Host可以检查accesstoken是否过期,如果过期则自动使用refreshToken重新获取accessToken并继续完全用户的后续请求,并将新的令牌返回给用户cookies。这整个过程对用户是无感知的。
What I need is for users to remain online after logging into the admin panel. While adding
checkTokenExpirationdoes allow ManageHost to detect errors before they occur, this isn't what I require. I think the best solution would be for the Web (MVC) Host to check if the access token has expired. If it has, it should automatically obtain a new access token using arefreshToken, continue processing all subsequent user requests, and return the new token to the user's cookies. This entire process should be seamless for the user.
补充一下: 在未添加CheckTokenExpiration之前,用户登录一段时间后会失去所有权限和菜单,保持不注销并继续等待一段时间,用户权限和菜单会自行恢复。在用户失去权限和菜单时,通过redis-cli flushall强制清空所有缓存,可以立即恢复用户权限和菜单。
To add to the above: Before adding CheckTokenExpiration, users would lose all permissions and menu access after logging in for a period of time. If they remained logged in and waited for a while, their permissions and menu access would be automatically restored. When a user loses permissions and menu access, a forced clear of all cache using
redis-cli flushallcan immediately restore their permissions and menu access. -
0
[maliming] said: hi
Can you try this?
https://abp.io/support/questions/10483/v1010-Tiered-Empty-grantedPolicies-in-WebPublic-MVC-when-CmsKit-is-enabled#answer-3a1fc36a-b259-117e-907a-2687f3b22102
Can you remove the CMS module to see if this is fixed?
//typeof(CmsKitProPublicWebModule)Thanks.
I also did that, no change.
-
0
hi lanpin
Can you create a new question?
Thanks.
-
0
hi kfrancis
Another customer says this fixed their problem.
https://abp.io/support/questions/10483/v1010-Tiered-Empty-grantedPolicies-in-WebPublic-MVC-when-CmsKit-is-enabled#answer-3a1fc36a-b259-117e-907a-2687f3b22102
Can you try that?
If it's still not working, can you share your code? I will check and try to reproduce it locally.
liming.ma@volosoft.com
Thanks.
-
0
@maliming 我以为我们遇到的是同一个问题,我已经尝试解决并提交了一个PR:https://github.com/abpframework/abp/pull/25011 。 之后我将不再在此主题回复。
I thought we were having the same problem. I've already tried to solve it and submitted a PR: https://github.com/abpframework/abp/pull/25011 I will no longer reply to this thread.
-
0
Thanks @lanpin
-
0
@mailming No, still an issue.
-
0
hi kfrancis
If it's still not working, can you share your code? I will check and try to reproduce it locally.
liming.ma@volosoft.com
Thanks.
