Summary Description In a freshly generated ABP v10.1.0 Tiered solution (Studio 2.2.1), there is a critical failure in permission resolution for the Web.Public (MVC/Razor) application when the CmsKit module is included. While the Angular UI functions correctly, the Web.Public app receives an empty grantedPolicies object in the Abp/ApplicationConfigurationScript response, effectively breaking all authorized UI elements.
Troubleshooting has revealed a "chained" failure in the template generation:
The OpenIddict Data Seeder fails to create the required CmsKit and CmsKitPublic scopes.
Even after manually patching the scopes and ensuring a successful OIDC handshake, the Permission/Feature Checkers on the Host/Public-Web boundary fail to populate the policies.
Additionally, a UI bug in ABP Studio incorrectly displays the --without-cms-kit flag in the solution configuration even when the module is present.
Check the docs before asking a question: https://abp.io/docs/latest - Checked. Check the samples to see the basic tasks: https://abp.io/docs/latest/samples - Checked. Search on the homepage: Checked. (Ref: Similar issues found in 10.x regarding empty grantedPolicies).
Solution Configurations Configuration 1: WORKING Solution (No CmsKit)
Template: app
Created ABP Studio Version: 2.2.1
Current ABP Studio Version: 2.2.1
Tiered: Yes
Multi-Tenancy: No
UI Framework: angular
Database Provider: ef
Database Management System: sqlserver
Public Website: Yes
Create Command: abp new Acs.Cts.Portal -t app --tiered --ui-framework angular --database-provider ef --database-management-system sqlserver --theme leptonx --skip-migration --skip-migrator --no-tests --public-website --without-cms-kit --dont-run-install-libs --dont-run-bundling --no-multi-tenancy --no-social-logins -file-management
Configuration 2: NON-WORKING Solution (Includes CmsKit)
Template: app
Created ABP Studio Version: 2.2.1
Current ABP Studio Version: 2.2.1
Tiered: Yes
Multi-Tenancy: No
UI Framework: angular
Database Provider: ef
Database Management System: sqlserver
Public Website: Yes
Optional Modules: CmsKit (Selected in UI)
Create Command (Observed Bug): abp new Acs.Cts.Portal -t app --tiered --ui-framework angular --database-provider ef --database-management-system sqlserver --theme leptonx --skip-migration --skip-migrator --no-tests --public-website --without-cms-kit --dont-run-install-libs --dont-run-bundling --no-multi-tenancy --no-social-logins -file-management
Note: Even though CmsKit was selected and packages are physically referenced in the solution, the Studio configuration window incorrectly displays --without-cms-kit.
Exception message and full stack trace Issue: The Web.Public (MVC/Razor) application fails to retrieve permissions for authenticated users when CmsKit is installed. The response from Abp/ApplicationConfigurationScript shows: "auth": { "grantedPolicies": {} }
Technical Findings during troubleshooting:
Missing Scopes: The v10.1 template/migrator failed to seed CmsKit and CmsKitPublic into the OpenIddictScopes table.
Invalid Scope Error: When manually adding these scopes to AbpOpenIdConnectOptions in the Web.Public module, OpenIddict returns error:invalid_scope (ID2052) because the scopes are missing from the database.
Persistent Empty Policies: After manually patching the OpenIddictDataSeedContributor to include these scopes and confirming the OIDC handshake succeeds with the correct scopes in the token, the grantedPolicies object remains empty.
Steps to reproduce the issue Create a brand new Tiered solution with Public Website using ABP Studio 2.2.1 (v10.1.0).
Select the CmsKit module during the creation process.
Run the migrations and start the AuthServer, HttpApi.Host, and Web.Public applications.
Log in as 'admin' on the Web.Public site.
Inspect the response of https://localhost:XXXX/Abp/ApplicationConfigurationScript.
Observe: The grantedPolicies object is empty { }.
Compare: Create an identical solution without CmsKit. Perform the same login.
Observe: grantedPolicies are correctly populated for the same 'admin' user.
Secondary Issues Observed ABP Studio Sync Bug: When creating a solution with CmsKit, the "Solution Configuration" window (and the generated CLI command) incorrectly lists the --without-cms-kit flag, even though the module is physically integrated into the solution.
Missing Data Seeding: The default DataSeeder for v10.1 tiered solutions appears to miss the required OpenIddict Scopes for CmsKit, preventing the Public Web client from successfully authorized communication with the API host out-of-the-box.
