Hello,
I would like to ask for assistance with Authorization. I have a microservice solution with many microservices. I have 1 microservice that stores files (named: MediaService), using Volo.FileManagement version 9.2.0, and another microservice that handles business logic (named: DatabaseService).
In DatabaseService I'm using: Volo.FileManagement.Files.IFileDescriptorAppService _fileDescriptorAppService;
to call MediaService. In DatabaseService I have (appsettings.json):
    {
      "AuthServer": {
        "Authority": "https://localhost:44321"
      },
      "IdentityClients": {
        "FileManagement": {
          "GrantType": "client_credentials",
          "ClientId": "DatabaseService",
          "ClientSecret": "*****",
          "Authority": "https://localhost:44321",
          "Scope": "MediaService"
        }...
      },
      "RemoteServices": {
        "FileManagement": {
          "BaseUrl": "https://localhost:44455",
          "UseCurrentAccessToken": false
        },
        "MediaService": {
          "BaseUrl": "https://localhost:44455",
          "UseCurrentAccessToken": false
        }
      },
When I call the method to create a file:

    var uploadedFile = await _fileDescriptorAppService.CreateAsync(
        null,
        new()
        {
            Name = input.Name,
            File = new RemoteStreamContent(stream, input.Name, input.ContentType),
            OverrideExisting = true
        }
    );

MediaService is called correctly but responds with:
Request starting "HTTP/1.1" "POST" "https"://"localhost:44455""""/api/file-management/file-descriptor/upload""?Name=file.png&OverrideExisting=True&ExtraProperties=Volo.Abp.Data.ExtraPropertyDictionary&api-version=1.0" - "multipart/form-data; boundary=\"e8316996-9abb-4eef-a33d-6805ca935199\"" 29509
Authorization failed. "These requirements were not met:
PermissionRequirement: FileManagement.FileDescriptor
PermissionRequirement: FileManagement.FileDescriptor.Create"
AuthenticationScheme: "Bearer" was forbidden.
Request finished "HTTP/1.1" "POST" "https"://"localhost:44455""""/api/file-management/file-descriptor/upload""?Name=file.png&OverrideExisting=True&ExtraProperties=Volo.Abp.Data.ExtraPropertyDictionary&api-version=1.0" - 403 0 null 111.7592ms
But my token in this request looks good:
    {
      "iss": "https://localhost:44321/",
      "aud": "MediaService",
      "scope": "MediaService",
      "oi_prst": "DatabaseService",
      "client_id": "DatabaseService",
      ...
    }
My OpenIddictDataSeeder on Identity service sets permissions correctly (UI shows permissions correctly set too):
    await CreateApplicationAsync(
        name: "DatabaseService",
        type: OpenIddictConstants.ClientTypes.Confidential,
        consentType: OpenIddictConstants.ConsentTypes.Implicit,
        secret: "*****",
        grantTypes: [OpenIddictConstants.GrantTypes.ClientCredentials],
        scopes: [.. commonScopes.Union(["MediaServerService", "FileManagement"])],
        permissions: [
            FileManagementPermissions.FileDescriptor.Default,
            FileManagementPermissions.FileDescriptor.Create
        ]
    );
My MediaService should be connected to AdministrationService (handling permissions) correctly, but that's the part where I'm not sure. My appsettings.json looks correct:

    {
      "AuthServer": {
        "Authority": "https://localhost:44321"
      },
      "ConnectionStrings": {
        "AbpBlobStoring": "xxx",
        "FileManagement": "xxx",
        "MediaService": "xxx",
        "AdministrationService": "xxx", // do I need?
        "SaasService": "xxx" // do I need?
      },

Can you point out what I'm missing and why I get 403? I think that communication between Database and Media services works well. Thanks in advance!
Martin
6 Answer(s)
-
0
- In ABP microservice solutions, for permissions to be recognized and granted to a client (like your DatabaseService calling MediaService), the following must be ensured:
- Permission Definitions Must Be Registered in Administration Service
  - The PermissionDefinitionProvider for FileManagement must be referenced in the AdministrationService. This is typically done by referencing the FileManagement application contracts project in the AdministrationService and ensuring the module dependency is added in the AdministrationService module:

        [DependsOn(
            typeof(Volo.FileManagement.Application.Contracts.FileManagementApplicationContractsModule),
            // ... other dependencies
        )]
        public class AdministrationServiceModule : AbpModule
        {
            // ...
        }

  - This ensures that FileManagement permissions are available for assignment in the permission management UI and for OpenIddict seeding.
- AdministrationService Must Reference Application.Contracts
  - If the AdministrationService does not reference the FileManagement application contracts, the permissions will not be registered, and permission checks in MediaService will always fail, even if the UI shows them.
- Correct Permission Assignment in OpenIddictDataSeeder
  - Your seeder code appears correct, but double-check that the permission names match exactly (case-sensitive) and that the correct scopes are assigned.
- Remote Permission Management Configuration
  - In a microservice setup, MediaService should be configured to use the AdministrationService for permission management. This is typically handled by the default solution template, but verify that your MediaService's configuration points to the correct AdministrationService endpoint for permission checks.
- Restart All Services After Permission Changes
  - After adding new permissions or updating dependencies, restart all relevant services (especially AdministrationService and MediaService) to ensure permission definitions are loaded.
- Check for Permission Caching Issues
  - Sometimes, permission changes may not reflect immediately due to caching. Clear the cache or restart services if necessary.
Summary of Steps to Fix:
- Ensure Volo.FileManagement.Application.Contracts is referenced by AdministrationService.
- Add the correct [DependsOn] in AdministrationServiceModule.
- Restart AdministrationService and MediaService after making changes.
- Double-check permission names and assignments in your seeder.
Sources:
- ABP Microservice Permission Management
- ABP Support: Permissions not showing in UI
- ABP Support: Claims/permissions troubleshooting
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
-
0
- I think I have the correct DependsOn:

        [DependsOn(
            typeof(MediaServiceDomainSharedModule),
            typeof(AbpDddApplicationContractsModule),
            typeof(AbpAuthorizationModule),
            typeof(FileManagementApplicationContractsModule)
        )]
        public class MediaServiceApplicationContractsModule : AbpModule
        {
        }

- I'm not sure why I should do "AdministrationService Must Reference Application.Contracts", because all my other services are not referenced either and permissions on them work properly.
- "Correct Permission Assignment in OpenIddictDataSeeder" is correct because I'm using the same constants.
- Can you please show me how "MediaService should be configured to use the AdministrationService for permission management"? That's maybe the point that I have not set up correctly, but I cannot find documentation for that.
- I restarted services many times.
- I cleared the cache many times.
Thank you
-
0
I found out that if I call the api/abp/application-configuration endpoint on my MediaService (with the mentioned auth token) I get:

    "auth": {
      "grantedPolicies": { }
    },

but if I call the same endpoint (with the same auth token) on DatabaseService I get:

    "auth": {
      "grantedPolicies": {
        ...
        "FileManagement.DirectoryDescriptor": true,
        "FileManagement.DirectoryDescriptor.Create": true,
        "FileManagement.DirectoryDescriptor.Update": true,
        "FileManagement.DirectoryDescriptor.Delete": true,
        "FileManagement.FileDescriptor": true,
        "FileManagement.FileDescriptor.Create": true,
        "FileManagement.FileDescriptor.Update": true,
        "FileManagement.FileDescriptor.Delete": true
      }
    }

so the problem must be that my MediaService cannot reach my AdministrationService, which is handling permissions. But if I compare my appsettings.json in both services, they look similar (in the auth parts). Can you please show me which part of the code tells a microservice to use the Administration service for permissions handling?
-
0
hi
Can you try this solution? Your case is similar to https://abp.io/support/questions/9739/
https://abp.io/support/questions/9739/Setting-custom-claims-in-integration-service-calls#answer-3a1b95bc-7ed8-0191-bb4f-87e1985c4613
Thanks.
-
0
Hello, I found a problem that was in our shared project, where the settings about AdministrationService etc. were. Sorry, and thank you for your assistance! Everything works fine now.
-
0
Great. 👍
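
The check used in the thread (send the same client-credentials token to `api/abp/application-configuration` on two services and compare `grantedPolicies`), written as an added example that is not part of the original posts or of ABP's own code. The function names and the sample token and responses are assumptions constructed from the values quoted above; `fetch_granted` is the part that would be pointed at the real service base URLs.

```python
import base64
import json
import urllib.request

# Permissions the failing upload endpoint demanded in the log above.
REQUIRED = ("FileManagement.FileDescriptor", "FileManagement.FileDescriptor.Create")

def jwt_claims(token):
    """Decode (without verifying) a JWT payload so its claims can be inspected."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def fetch_granted(base_url, token):
    """Return auth.grantedPolicies from a service's application-configuration."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/api/abp/application-configuration",
        headers={"Authorization": "Bearer " + token},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]["grantedPolicies"]

def diagnose(claims, target, granted_by_service, required=REQUIRED):
    """Compare what each service grants the same token; return findings."""
    findings = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if target not in audiences:
        findings.append(f"token audience {audiences} does not include {target}")
    ok = sorted(s for s, g in granted_by_service.items()
                if all(g.get(p) for p in required))
    for svc, granted in sorted(granted_by_service.items()):
        missing = [p for p in required if not granted.get(p)]
        if missing and not granted and ok:
            findings.append(f"{svc}: no grants at all, but {ok} resolve them; "
                            "compare permission-store settings")
        elif missing:
            findings.append(f"{svc}: missing {missing}")
    return findings

# Constructed sample data mirroring the thread (unsigned token, abridged responses).
SAMPLE_CLAIMS = {"iss": "https://localhost:44321/", "aud": "MediaService",
                 "scope": "MediaService", "client_id": "DatabaseService"}
SAMPLE_TOKEN = ".".join(
    base64.urlsafe_b64encode(json.dumps(part).encode()).rstrip(b"=").decode()
    for part in ({"alg": "none"}, SAMPLE_CLAIMS)) + "."
SAMPLE_GRANTS = {"MediaService": {},
                 "DatabaseService": {p: True for p in REQUIRED}}
```

A service that returns an empty `grantedPolicies` for a token that another service resolves correctly points at that service's permission-store configuration rather than at the token or the seeder, which matches how the thread was resolved.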