Hello, we noticed that when we demote/change the role of someone, it doesn't get reflected instantly. We figured it's because of caching, but we thought UseDynamicClaims covered that case.
We don't want an admin that we demote to a simple guest to still have admin powers for an hour and thought it should be working out of the box.
This issue is noticeable in our Blazor app and our MAUI Blazor hybrid mobile app.
We tried adding a middleware in identity service to replace the claims by the current role claims but it didn't work.
Do you have any suggestions?
11 Answer(s)
-
0
hi
Can you test this in a new microservice solution?
If it is still not working, please share your steps.
Thanks.
-
0
Yes, done that, same issue.
Reproduction Steps:
- Create a new microservice solution.
- Create a new tenant.
- Log in as the tenant admin.
- Create a new role called "Guest".
- Create a user named "TestUser" and assign the "Admin" role.
- Open an incognito browser and log in as TestUser.
- Confirm that TestUser has admin privileges — ✅ expected.
- Log out TestUser.
- As admin, modify TestUser’s role to "Guest" (remove admin role).
- Log in again as TestUser (in incognito).
- TestUser still has admin privileges — ❌ unexpected.
Expected Behavior:
After logging out and back in, TestUser should have Guest permissions only, with admin privileges revoked. According to the ABP documentation, role changes should take effect at the next request or at least after reauthentication. For us it doesn't even work with a logout/login.
Actual Behavior:
Role changes are not applied even after logout/login. It seems role claims are cached or not refreshed properly.
The only solution we found right now is creating a Redis cache service and deleting the user cache (not ideal).
-
0
hi
I will check your steps. Thanks.
-
0
-
0
Yes, it works. Thank you. I guess it's a template issue then?
-
0
Yes, I will update the template code.
Thanks.
-
0
hi
Instead of adding AbpIdentityProEntityFrameworkCoreModule in AdministrationService, can you try to configure WebRemoteDynamicClaimsPrincipalContributorOptions in AdministrationService? Thanks.

```csharp
public override void PreConfigureServices(ServiceConfigurationContext context)
{
    PreConfigure<WebRemoteDynamicClaimsPrincipalContributorOptions>(options =>
    {
        options.IsEnabled = true;
    });
}
```

Also, please depend on typeof(AbpAspNetCoreAuthenticationJwtBearerModule) in AdministrationService.
-
0
Hi!
Tried the new proposed solution, doesn't work on our Blazor Web app. Both proposed solutions also don't work for our MAUI Blazor hybrid mobile app.
We need the dynamic claims to also work on the mobile app.
Thank you
-
0
hi
Have you added the AbpAspNetCoreAuthenticationJwtBearerModule in AdministrationService?
-
0
Yes, I did.
-
0
But I couldn't reproduce the problem in a new microservice template after configuring WebRemoteDynamicClaimsPrincipalContributorOptions. The dynamic claims work.