To run your ABP application as a Docker container inside Azure App Service, you need to ensure that your container listens on port 80 (the only port Azure App Service routes traffic to by default). By default, ABP's Docker templates are configured to use port 80 for HTTP, but .NET 8+ changes the default to 8080, and HTTPS-only configurations can cause issues if not handled properly.
Here’s how you can resolve your issue:
ENV ASPNETCORE_URLS=http://+:80
appsettings.Production.json or via environment variable:"Kestrel": {
"Endpoints": {
"Http": {
"Url": "http://*:80"
}
}
},
"App": {
"SelfUrl": "https://<your-app-service-url>"
}
ASPNETCORE_FORWARDEDHEADERS_ENABLED=true
Authority to your public HTTPS URL (the App Service URL), but allow the app to run on HTTP internally:"AuthServer": {
"Authority": "https://<your-app-service-url>",
"RequireHttpsMetadata": "false"
}
Certificates
App Service Configuration
ASPNETCORE_URLS = http://+:80AbpLicenseCode (if needed)Testing
https://<your-app-service-url>/.well-known/openid-configuration and it should be reachable.No major refactoring is required—just ensure your container listens on port 80 and does not enforce HTTPS redirection internally. If you need end-to-end HTTPS (including inside the container), you must handle certificate mounting and Kestrel configuration, but for most App Service scenarios, this is not necessary.
Kubernetes is not required unless you have more advanced orchestration needs.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
In order for the "Feature management" option to appear under the Settings menu in your ABP Blazor Server application, you must have the Feature Management module properly installed and configured in your solution.
Even if you have features defined in code, the UI for Feature Management will not appear unless the required module packages are referenced and registered in your project.
Steps to ensure Feature Management is available:
Volo.Abp.FeatureManagement.BlazorVolo.Abp.FeatureManagement.HttpApi.ClientVolo.Abp.FeatureManagement.Application.ContractsVolo.Abp.FeatureManagement.DomainVolo.Abp.FeatureManagement.EntityFrameworkCore (or your DB provider)dotnet add package Volo.Abp.FeatureManagement.Blazor
dotnet add package Volo.Abp.FeatureManagement.HttpApi.Client
YourProjectBlazorModule), add the module dependencies:[DependsOn(
typeof(AbpFeatureManagementBlazorModule),
typeof(AbpFeatureManagementHttpApiClientModule)
)]
public class YourProjectBlazorModule : AbpModule
{
// ...
}
builder.ConfigureFeatureManagement(); in your DbContext's OnModelCreating method.dotnet ef migrations add Added_FeatureManagement
dotnet ef database update
Permissions
Restart the Application
Once these steps are completed, the "Feature management" option should appear under the Settings menu.
Reference:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
To use the ABP access-token.bin for licensing in a GitHub Actions (or any CI/CD) Docker build, you need to copy the access-token.bin file into the container so the ABP licensing system can find it. Here’s a step-by-step solution:
abp login <username>
This will create the file at:
~/.abp/cli/access-token.bin (Linux/macOS)
or
%USERPROFILE%\.abp\cli\access-token.bin (Windows)
Add the access-token.bin file to your repository as a GitHub Actions secret (for example, as a base64-encoded string).
In your GitHub Actions workflow, decode the secret and write it to a file before building the Docker image:
- name: Decode ABP access token
run: |
echo "${{ secrets.ABP_ACCESS_TOKEN_BIN }}" | base64 -d > access-token.bin
RUN mkdir -p /root/.abp/cli
COPY access-token.bin /root/.abp/cli/access-token.bin
This approach is confirmed as the solution for running ABP commercial modules in Docker and CI/CD environments.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
The error "invalid issuer in discovery document expected: https://localhost:44338 current: https://localhost:44338/" is caused by a trailing slash mismatch between the issuer URL in your Angular environment configuration and the issuer returned by your backend's OpenID Connect discovery document. ABP's Angular OAuth module performs strict validation, so both URLs must match exactly (including or excluding the trailing slash).
The error "Cannot read properties of undefined (reading 'grant_type')" is a side effect of the failed discovery document validation, which prevents the OAuth flow from initializing properly.
How to fix:
environment.ts or environment.prod.ts).oAuthConfig.issuer property.https://localhost:44338/ (with a trailing slash), then set:oAuthConfig: {
issuer: 'https://localhost:44338/', // Note the trailing slash
...
}
If it returns without the slash, remove it in the config.
Reference:
This should resolve both the issuer validation and the grant_type errors, allowing the login buttons to work as expected.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
Storing access tokens in local storage is the default approach in ABP Angular applications, but it is not possible to set HttpOnly or SameSite attributes for tokens stored in browser storage from the Angular side. These attributes are only available for cookies set by the server, not for values stored in local or session storage.
To comply with security requirements such as HttpOnly and SameSite, you must switch from storing tokens in local storage to using secure cookies. This requires significant changes:
There is no built-in ABP Angular mechanism to store access tokens in HttpOnly cookies, as this is a limitation of browser JavaScript APIs. The only way to achieve this is to handle authentication entirely on the server and use cookies for session management.
No verified source available for this specific query.
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
In the ABP SaaS module, features assigned via an edition are linked to the tenant's subscription. When an edition (and its subscription) expires, the expected behavior is that the features provided by that edition should no longer be available to the tenant.
However, by default, the ABP SaaS module does not automatically invalidate or remove the features from the tenant when the edition expires. The features remain accessible unless you implement custom logic to handle feature invalidation upon edition expiration.
To achieve the behavior where features become invalid after the edition expires, you need to implement a mechanism (such as a background job or event handler) that checks for expired subscriptions and updates or removes the tenant's feature values accordingly.
The ABP SaaS module provides extensibility points where you can hook into subscription/edition changes and enforce your own business rules for feature availability.
For more details, refer to the official documentation and related support discussions:
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
The behavior you are seeing is the expected and intended design of ABP's permission dependency system. When you use .RequirePermissions("AbpIdentity.Users", "AbpIdentity.Roles") in your permission definition, ABP will only consider your custom permission as "granted" if both the permission itself and all required permissions are granted to the user. However, this dependency is enforced at runtime (authorization check), not in the UI.
The ABP Permission Management UI (the permissions pop-up/modal) does not automatically select or enforce dependent permissions when you select a permission that has dependencies. It also does not prevent saving if dependencies are not met. The dependency is only checked when the permission is used (e.g., when accessing a page or API that requires it).
There is currently no built-in way in ABP to make the permission management UI automatically select, enforce, or visually indicate permission dependencies. The UI will allow you to grant a permission without its dependencies, but at runtime, the permission will not be effective unless all dependencies are also granted.
If you want the UI to enforce or visually indicate permission dependencies, you would need to customize the Permission Management UI. This would involve overriding the relevant components/pages to add logic that checks for dependencies and updates the UI accordingly.
In summary:
.RequirePermissions only affects runtime authorization, not the UI.Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
There is no secure way to keep the Blazorise product token hidden from the client in a Blazor WebAssembly (WASM) application. In WASM, all application code and configuration—including any tokens or secrets—are downloaded to the user's browser, making it impossible to keep such values confidential.
Even if you retrieve the product token from Azure Key Vault in your host project, you cannot securely pass it to the WASM client without exposing it. Any method of injecting the token into the client (such as via API, configuration, or JavaScript interop) will ultimately make it accessible to end users.
The Blazorise product token is intended to be used on the client side, and the licensing model assumes it will be visible in the distributed application. This is a limitation of all client-side web technologies, not just ABP or Blazorise.
If you require the product token to remain secret, you would need to use a server-side Blazor (Blazor Server) or another server-rendered technology, where the token can be kept on the server and not exposed to the client.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
For the issue with [DisableValidation] and 400 errors in WebAssembly (WASM) mode:
HttpClient) to your API endpoints. This bypasses the client-side validation layer and ensures the [DisableValidation] attribute is respected server-side.For the file upload API returning "Unsupported Media Type" in WASM mode:
Content-Type does not match what the API expects (e.g., multipart/form-data for file uploads). In Blazor WASM, ensure you are using IBrowserFile and MultipartFormDataContent when sending files, and that your API action is decorated with [Consumes("multipart/form-data")].HttpClient directly to construct and send the multipart request.Example for file upload in Blazor WASM:
var content = new MultipartFormDataContent();
content.Add(new StreamContent(file.OpenReadStream()), "File", file.Name);
await httpClient.PostAsync("api/your-endpoint", content);
And in your API controller:
[HttpPost]
[Consumes("multipart/form-data")]
public async Task<IActionResult> Upload([FromForm] YourFileUploadDto input)
{
// handle file
}
Summary:
[DisableValidation], use direct HTTP calls for endpoints where you want to avoid client-side validation.HttpClient with MultipartFormDataContent and ensure your API expects multipart/form-data.Sources:
This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.
