
Intermittent `GrantedPolicies = 0` for authenticated user #10481



ABP Support Request: Intermittent GrantedPolicies = 0 for authenticated admin user (ABP 10.0.2)

Hi ABP team,

We are investigating an intermittent production issue where an authenticated user suddenly loses effective permissions (menus/actions disappear) without logging out.

Environment

  • ABP version: 10.0.2
  • App type: ABP commercial-style modular app (Web + HttpApi.Host)
  • Cache stack: IDistributedCache (Redis) + custom in-memory L1 decorator over IDistributedCache
  • Redis: Azure Cache for Redis
  • Hosting: Azure App Service

Context

We already implemented an L1 cache decorator around IDistributedCache to handle the previously observed Redis transient/cancellation path.

That fix helped for Redis outages, but we are now seeing a different failure mode where cache is healthy, user is authenticated, yet GrantedPolicies becomes zero.

What we observed (latest incident)

Incident window (UTC): 2026-02-27 19:33:10Z to 19:35:53Z.

1) User is authenticated and claims look valid

  • Claims diagnostic: User=admin, UserId=e82af67f-ecf7-4559-8140-c9596aa9f91a, TotalClaims=11, Roles=[admin], AllKeyClaimsPresent=true

2) App config reports zero policies for that same authenticated user

Multiple requests in the same window show:

  • AppConfig diagnostic: User=admin has 0 grantedPolicies. Auth IsAuthenticated=true, CurrentUser set=true

Seen on:

  • /
  • /HostDashboard
  • /Abp/ApplicationConfigurationScript
  • /Abp/ApplicationLocalizationScript
  • /Abp/ServiceProxyScript

3) Authorization failures follow immediately

Many permission checks fail for the same request/user after the zero-policy state appears.

4) Redis appears healthy during this exact window

  • Redis status check ... IsConnected=true (periodic checks around the incident)
  • No corresponding Redis outage signature in this incident window

5) No classic application-configuration 500 chain this time

For this window we did not see the older pattern (API 500 + remote call exception/cancellation) that we saw in a separate earlier incident.

Why this is confusing

It looks like a valid, authenticated principal can occasionally resolve to an application configuration with GrantedPolicies = 0, and that value then appears to be reused by cache for a short period.

Questions for ABP team

  1. Are there known scenarios in ABP 10.0.2 where ApplicationConfiguration can be successfully generated with an empty GrantedPolicies dictionary for an authenticated user that otherwise has roles/claims?
  2. Is there any known race condition around dynamic claims/permission value providers that could yield transient empty results without exceptions?
  3. Is ABP expected to cache an empty GrantedPolicies result the same way as a normal one, and is there a recommended guard to avoid caching suspiciously empty results for authenticated users?
  4. Is there a recommended extension point to validate/reject an ApplicationConfigurationDto when IsAuthenticated=true and GrantedPolicies.Count==0?
  5. Are there patches after 10.0.2 related to intermittent empty permission resolution in RemotePermissionChecker / application configuration generation?

Notes

  • We can share anonymized log snippets with trace IDs if needed.
  • We already have diagnostics proving this is not always tied to Redis transport failures.

Thanks in advance. Any guidance on whether this is a known issue or recommended mitigation pattern would be very helpful.


No answer yet!
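A sketch of the guard asked about in questions 3 and 4, as an added example that is not part of the original post and is not ABP code or an ABP extension point: a cache-aside wrapper that returns an empty permission set for the current request but never stores it when the principal is authenticated and has roles. `ConfigSnapshot`, `GuardedConfigCache`, `Demo` and the in-process dictionary standing in for the distributed cache are all hypothetical names and assumptions.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for the few application-configuration fields the guard needs.
public sealed record ConfigSnapshot(bool IsAuthenticated, string[] Roles,
                                    Dictionary<string, bool> GrantedPolicies);

public sealed class GuardedConfigCache
{
    private readonly Dictionary<string, (ConfigSnapshot Value, DateTimeOffset Expires)> _entries = new();
    private readonly object _gate = new();
    private readonly TimeSpan _ttl;

    public GuardedConfigCache(TimeSpan ttl) => _ttl = ttl;

    // The state from the incident: authenticated, has roles, yet no granted policy.
    public static bool IsSuspicious(ConfigSnapshot c) =>
        c.IsAuthenticated && c.Roles.Length > 0 && c.GrantedPolicies.Count == 0;

    public ConfigSnapshot GetOrCreate(string userKey, Func<ConfigSnapshot> resolve, DateTimeOffset now)
    {
        lock (_gate)
        {
            if (_entries.TryGetValue(userKey, out var hit) && hit.Expires > now) return hit.Value;
        }
        var fresh = resolve(); // resolved outside the lock so slow lookups do not block readers
        if (IsSuspicious(fresh))
        {
            // Serve it for this request only (still deny-by-default) and never store it,
            // so the next request resolves again instead of replaying the empty set.
            Console.Error.WriteLine($"WARN empty GrantedPolicies not cached, key={userKey}");
            return fresh;
        }
        lock (_gate) { _entries[userKey] = (fresh, now + _ttl); }
        return fresh;
    }
}

public static class Demo
{
    public static void Main()
    {
        var cache = new GuardedConfigCache(TimeSpan.FromMinutes(5));
        var now = DateTimeOffset.UtcNow;
        var calls = 0;
        // Constructed resolver: only the first call reproduces the transient empty result.
        ConfigSnapshot Resolve() => new ConfigSnapshot(true, new[] { "admin" }, ++calls == 1
            ? new Dictionary<string, bool>()
            : new Dictionary<string, bool> { ["Constructed.Permission"] = true });
        for (var i = 0; i < 3; i++)
            Console.WriteLine($"policies={cache.GetOrCreate("admin", Resolve, now).GrantedPolicies.Count} resolverCalls={calls}");
    }
}
```

A user who holds roles but legitimately has no permissions is re-resolved on every request under this rule, so the warning line doubles as the signal for tuning or alerting on the condition.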
Made with ❤️ on ABP v10.3.0-preview. Updated on February 27, 2026, 05:41