I have been working off of this documentation: https://abp.io/docs/latest/solution-templates/layered-web-application/deployment/azure-deployment/step3-deployment-github-action?UI=MVC&DB=EF&Tiered=No, and it does work to deploy to Azure, but if I have the line there to generate openiddict.pfx, it always fails, and it doesn't throw any error message that helps me understand what is going on.
For reference, here is my workflow (I also have never been able to make the DbMigrator work, and I may have to open a new ticket for that too if I can't get it to work):
# Docs for the Azure Web Apps Deploy action: https://github.com/Azure/webapps-deploy
# More GitHub Actions for Azure: https://github.com/Azure/actions
name: Build and deploy ASP.Net Core app to Azure Web App - armada
on:
push:
branches:
- Armada-ABP-Pro
workflow_dispatch:
jobs:
build:
runs-on: windows-latest
permissions:
contents: read #This is required for actions/checkout
steps:
- uses: actions/checkout@v4
- name: Set up .NET Core
uses: actions/setup-dotnet@v4
with:
dotnet-version: 'v9.0'
- name: Install ABP CLI
run: |
dotnet tool install -g Volo.Abp.Cli
abp install-libs
shell: bash
- name: Build with dotnet
run: dotnet build --configuration Release
- name: dotnet publish
run: dotnet publish -c Release -r win-x64 --self-contained false -o "$env:DOTNET_ROOT\myapp"
shell: pwsh
working-directory: ./src/ArmadaIO.Web # Replace with your project name
env:
ASPNETCORE_ENVIRONMENT: Production
- name: Generate openiddict.pfx
run: dotnet dev-certs https -v -ep ${{env.DOTNET_ROOT}}\myapp\openiddict.pfx -p c41eb3e7-8a8e-429f-9052-0850406f2f11 # Replace with your password
- name: Upload artifact for deployment job
uses: actions/upload-artifact@v4
with:
name: .net-app
path: ${{env.DOTNET_ROOT}}/myapp
deploy:
runs-on: windows-latest
needs: build
environment:
name: 'Production'
url: ${{ steps.deploy-to-webapp.outputs.webapp-url }}
permissions:
id-token: write #This is required for requesting the JWT
contents: read #This is required for actions/checkout
steps:
- name: Download artifact from build job
uses: actions/download-artifact@v4
with:
name: .net-app
- name: Login to Azure
uses: azure/login@v2
with:
client-id: ${{ secrets.AZUREAPPSERVICE_CLIENTID_D0E4A82237114C8FB52A40680A31F7B7 }}
tenant-id: ${{ secrets.AZUREAPPSERVICE_TENANTID_AF7C7E6475CD4DE9A6FC1907FEBD8DF6 }}
subscription-id: ${{ secrets.AZUREAPPSERVICE_SUBSCRIPTIONID_9000905F725645769C73D60324653A76 }}
- name: Deploy to Azure Web App
id: deploy-to-webapp
uses: azure/webapps-deploy@v3
with:
app-name: 'armada'
slot-name: 'Production'
package: .
If I comment out the openiddict line, it runs and deploys (but ofc doesn't actually run and throws a startup error saying it can't find openiddict.pfx). If I uncomment the line, it just shows me this: 
and if I pull up the raw logs for that line it shows me this:
2025-08-20T20:23:04.5490958Z ##[group]Run dotnet dev-certs https -v -ep C:\Program Files\dotnet\myapp\openiddict.pfx -p [mypassword]
2025-08-20T20:23:04.5491858Z [36;1mdotnet dev-certs https -v -ep C:\Program Files\dotnet\myapp\openiddict.pfx -p [mypassword][0m
2025-08-20T20:23:04.5526676Z shell: C:\Program Files\PowerShell\7\pwsh.EXE -command ". '{0}'"
2025-08-20T20:23:04.5526989Z env:
2025-08-20T20:23:04.5527153Z DOTNET_ROOT: C:\Program Files\dotnet
2025-08-20T20:23:04.5527379Z ##[endgroup]
2025-08-20T20:23:05.1704144Z Specify --help for a list of available options and commands.
2025-08-20T20:23:05.3106943Z ##[error]Process completed with exit code 1.
So I feel stuck here. I did find this blog post: https://codejack.com/2022/12/deploying-abp-io-to-an-azure-appservice/, and I used it for testing, but that didn't work for me either. Here is my WebModule with the default code, as well as the commented code that I was using to test based on the blog post above:
public override void PreConfigureServices(ServiceConfigurationContext context)
{
var hostingEnvironment = context.Services.GetHostingEnvironment();
var configuration = context.Services.GetConfiguration();
context.Services.PreConfigure<AbpMvcDataAnnotationsLocalizationOptions>(options =>
{
options.AddAssemblyResource(
typeof(ArmadaResource),
typeof(ArmadaIODomainModule).Assembly,
typeof(ArmadaIODomainSharedModule).Assembly,
typeof(ArmadaIOApplicationModule).Assembly,
typeof(ArmadaIOApplicationContractsModule).Assembly,
typeof(ArmadaIOWebModule).Assembly
);
});
PreConfigure<OpenIddictBuilder>(builder =>
{
builder.AddValidation(options =>
{
options.AddAudiences("ArmadaIO");
options.UseLocalServer();
options.UseAspNetCore();
});
});
if (!hostingEnvironment.IsDevelopment())
{
PreConfigure<AbpOpenIddictAspNetCoreOptions>(options =>
{
options.AddDevelopmentEncryptionAndSigningCertificate = false;
});
PreConfigure<OpenIddictServerBuilder>(serverBuilder =>
{
serverBuilder.AddProductionEncryptionAndSigningCertificate("openiddict.pfx", configuration["AuthServer:CertificatePassPhrase"]!);
serverBuilder.SetIssuer(new Uri(configuration["AuthServer:Authority"]!));
//serverBuilder.AddEncryptionCertificate(GetEncryptionCertificate(hostingEnvironment, configuration));
//serverBuilder.AddSigningCertificate(GetSigningCertificate(hostingEnvironment, configuration));
});
}
}
//private X509Certificate2 GetSigningCertificate(IWebHostEnvironment hostingEnv,
// IConfiguration configuration)
//{
// var fileName = $"cert-signing.pfx";
// var passPhrase = configuration["ArmadaCertificate:X590:PassPhrase"];
// var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
// if (File.Exists(file))
// {
// var created = File.GetCreationTime(file);
// var days = (DateTime.Now - created).TotalDays;
// if (days > 180)
// {
// File.Delete(file);
// }
// else
// {
// try
// {
// return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
// }
// catch (CryptographicException)
// {
// File.Delete(file);
// }
// }
// }
// // file doesn't exist, was deleted because it expired, or has an invalid passphrase
// using var algorithm = RSA.Create(keySizeInBits: 2048);
// var subject = new X500DistinguishedName("CN=Armada Signing Certificate");
// var request = new CertificateRequest(subject, algorithm,
// HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// request.CertificateExtensions.Add(new X509KeyUsageExtension(
// X509KeyUsageFlags.DigitalSignature, critical: true));
// var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow,
// DateTimeOffset.UtcNow.AddYears(2));
// File.WriteAllBytes(file, certificate.Export(X509ContentType.Pfx, passPhrase));
// return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
//}
//private X509Certificate2 GetEncryptionCertificate(IWebHostEnvironment hostingEnv,
// IConfiguration configuration)
//{
// var fileName = $"cert-encryption.pfx";
// var passPhrase = configuration["ArmadaCertificate:X590:PassPhrase"];
// var file = Path.Combine(hostingEnv.ContentRootPath, fileName);
// if (File.Exists(file))
// {
// var created = File.GetCreationTime(file);
// var days = (DateTime.Now - created).TotalDays;
// if (days > 180)
// {
// File.Delete(file);
// }
// else
// {
// try
// {
// return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
// }
// catch (CryptographicException)
// {
// File.Delete(file);
// }
// }
// }
// // file doesn't exist, was deleted because it expired, or has an invalid passphrase
// using var algorithm = RSA.Create(keySizeInBits: 2048);
// var subject = new X500DistinguishedName("CN=Armada Encryption Certificate");
// var request = new CertificateRequest(subject, algorithm,
// HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
// request.CertificateExtensions.Add(new X509KeyUsageExtension(
// X509KeyUsageFlags.KeyEncipherment, critical: true));
// var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow,
// DateTimeOffset.UtcNow.AddYears(2));
// File.WriteAllBytes(file, certificate.Export(X509ContentType.Pfx, passPhrase));
// return new X509Certificate2(file, passPhrase, X509KeyStorageFlags.MachineKeySet);
//}
I was able to get this working one time in the past, but I can't seem to recreate it unfortunately. I did create an openiddict.pfx using the command in the terminal, then I uploaded it to my Azure certificates. That doesn't seem to work either. Perhaps I need to upload openiddict.pfx directly into the project root in Azure? I am not very knowledgeable about this, so I'm not sure what is safe or what could cause security issues.
Any advice here would be appreciated. Thanks.
The AI generated response is how I thought this functioned, which is why (as indicated in my OP) I created an app service that is decorated with [AllowAnonymous] and calls _tenantAppService.CreateAsync(input).
Somehow, this is still throwing an authorization error. I have emailed a Google Drive link to my project files in case you are able to find a bug or some miconfiguration.
Charlie
I have an open ticket for this (#9614), but I haven't received help so I am opening another to see if I can get help here and maybe get refunded for that ticket.
I created a custom registration page, which I am planning on using to allow customers to sign up themselves, creating a tenant and signing up for an edition at the same time.
Here is my page model for my registration page that will handle creating the tenant and subscribing the edition to that tenant:
[AllowAnonymous]
public class RegisterModel : ArmadaPageModel
{
private readonly ITenantAppService _tenantAppService;
private readonly IMultiTenancyAppService _multiTenancyAppService;
private readonly IEditionAppService _editionAppService;
private readonly ISubscriptionAppService _subscriptionAppService;
private readonly ICurrentTenant _currentTenant;
public RegisterModel(
ITenantAppService tenantAppService,
IMultiTenancyAppService multiTenancyAppService,
IEditionAppService editionAppService,
ISubscriptionAppService subscriptionAppService,
ICurrentTenant currentTenant)
{
_tenantAppService = tenantAppService;
_multiTenancyAppService = multiTenancyAppService;
_editionAppService = editionAppService;
_subscriptionAppService = subscriptionAppService;
_currentTenant = currentTenant;
}
[BindProperty]
public RegisterTenantViewModel Input { get; set; } = new();
public async Task OnGetAsync()
{
List<EditionDto> editions = await _multiTenancyAppService.GetEditionsAsync();
List<SelectListItem> editionSelectItems = editions.Select(e => new SelectListItem
{
Text = e.DisplayName,
Value = e.Id.ToString()
}).ToList();
Input.AvailableEditions = editionSelectItems;
}
public async Task<IActionResult> OnPostAsync()
{
if (!ModelState.IsValid)
{
await OnGetAsync(); // reload editions
return Page();
}
// Confirm we are NOT in tenant context
if (_currentTenant.Id != null)
{
throw new Exception("Cannot register a tenant while already in a tenant context.");
//return Forbid(); // Registration should only be done as host
}
//var tenantDto = await _tenantAppService.CreateAsync(new SaasTenantCreateDto
//{
// Name = Input.TenantName,
// AdminEmailAddress = Input.Email,
// AdminPassword = Input.Password,
// EditionId = Input.EditionId
//});
var tenantDto = await _multiTenancyAppService.CreateTenantAsync(new SaasTenantCreateDto
{
Name = Input.TenantName,
AdminEmailAddress = Input.Email,
AdminPassword = Input.Password,
EditionId = Input.EditionId
});
// 2. Manually switch to new tenant context
using (_currentTenant.Change(tenantDto.Id))
{
// 3. Create subscription with edition ID
var subscription = await _subscriptionAppService.CreateSubscriptionAsync(
Input.EditionId,
tenantDto.Id
);
// 4. Redirect to Stripe or confirmation
//return Redirect(subscription.PaymentUrl);
}
return Page();
}
}
I also created an appservice called MultiTenancyAppService which helps me populate the editions dropdown, as well as attempt to create a tenant (since calling tenantAppService.CreateAsync() was throwing an authorization error):
[AllowAnonymous]
public class MultiTenancyAppService : ArmadaIOAppService, IMultiTenancyAppService
{
private readonly IRepository<Edition, Guid> _editionRepository;
private readonly ITenantAppService _tenantAppService;
private readonly IRepository<Tenant, Guid> _tenantRepository;
public MultiTenancyAppService(IRepository<Edition, Guid> editionRepository, ITenantAppService tenantAppService, IRepository<Tenant, Guid> tenantRepository)
{
_editionRepository = editionRepository;
_tenantAppService = tenantAppService;
_tenantRepository = tenantRepository;
}
public async Task<List<EditionDto>> GetEditionsAsync()
{
List<Edition> editions = await _editionRepository.GetListAsync();
List<EditionDto> dtos = ObjectMapper.Map<List<Edition>, List<EditionDto>>(editions);
return dtos;
}
public async Task<SaasTenantDto> CreateTenantAsync(SaasTenantCreateDto input)
{
if (string.IsNullOrWhiteSpace(input.Name) || string.IsNullOrWhiteSpace(input.AdminEmailAddress) || string.IsNullOrWhiteSpace(input.AdminPassword))
{
throw new UserFriendlyException("Please fill all required fields before submission");
}
return await _tenantAppService.CreateAsync(input);
}
}
It is still throwing a "Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown" error on the "await _tenantAppService.CreateAsync(input);" line when trying to create a tenant, even though I have the [AllowAnonymous] decorator on the page model and the app service. I am under the assumption that by default, a register page is creating a tenant when in host mode, since a tenant isn't logged in, so this seems like unintuitive functionality. I'm assuming part of this is because the page itself is accessible to non-tenant users, but that is necessary figuring the only people registering will be those who are not yet tenants.
Please advise me on a potential solution to this.
Charlie
Asking again to be prioritized or reassigned.
I need this bumped up in priority. It's been nearly 3 weeks since I opened this ticket, and I still haven't received enough help to resolve this. I made some progress but I cannot get past the authorization error I encountered in my last message and this delay is slowing down development.
Charlie
Thank you for the detailed write-up. This will be very helpful as a reference as I am working on this.
My main question currently has to do with the last message I sent. I am getting a "Exception of type 'Volo.Abp.Authorization.AbpAuthorizationException' was thrown" error on the "await _tenantAppService.CreateAsync(input);" line. The code I provided looks functionally similar to yours, so I am unsure as to why I am receiving this authorization exception in my app service.
I'm assuming part of this is because the page itself is accessible to non-tenant users, but that is necessary figuring the only people registering will be those who are not yet tenants.
Please advise me on how to resolve this. Let me know if you want a copy of the project files for review.
Thanks, Charlie
I'm not sure why I haven't received a response yet; it's been 10 days since I last received a reply. Either way, perhaps I can receive some help in terms of if the direction I am going is correct, and how to create a tenant programmatically (since I wasn't able to find it in the documentation).
Here is my page model for my registration page that will handle creating the tenant and subscribing the edition to that tenant:
[AllowAnonymous]
public class RegisterModel : ArmadaPageModel
{
private readonly ITenantAppService _tenantAppService;
private readonly IMultiTenancyAppService _multiTenancyAppService;
private readonly IEditionAppService _editionAppService;
private readonly ISubscriptionAppService _subscriptionAppService;
private readonly ICurrentTenant _currentTenant;
public RegisterModel(
ITenantAppService tenantAppService,
IMultiTenancyAppService multiTenancyAppService,
IEditionAppService editionAppService,
ISubscriptionAppService subscriptionAppService,
ICurrentTenant currentTenant)
{
_tenantAppService = tenantAppService;
_multiTenancyAppService = multiTenancyAppService;
_editionAppService = editionAppService;
_subscriptionAppService = subscriptionAppService;
_currentTenant = currentTenant;
}
[BindProperty]
public RegisterTenantViewModel Input { get; set; } = new();
public async Task OnGetAsync()
{
List<EditionDto> editions = await _multiTenancyAppService.GetEditionsAsync();
List<SelectListItem> editionSelectItems = editions.Select(e => new SelectListItem
{
Text = e.DisplayName,
Value = e.Id.ToString()
}).ToList();
Input.AvailableEditions = editionSelectItems;
}
public async Task<IActionResult> OnPostAsync()
{
if (!ModelState.IsValid)
{
await OnGetAsync(); // reload editions
return Page();
}
// Confirm we are NOT in tenant context
if (_currentTenant.Id != null)
{
throw new Exception("Cannot register a tenant while already in a tenant context.");
//return Forbid(); // Registration should only be done as host
}
//var tenantDto = await _tenantAppService.CreateAsync(new SaasTenantCreateDto
//{
// Name = Input.TenantName,
// AdminEmailAddress = Input.Email,
// AdminPassword = Input.Password,
// EditionId = Input.EditionId
//});
var tenantDto = await _multiTenancyAppService.CreateTenantAsync(new SaasTenantCreateDto
{
Name = Input.TenantName,
AdminEmailAddress = Input.Email,
AdminPassword = Input.Password,
EditionId = Input.EditionId
});
// 2. Manually switch to new tenant context
using (_currentTenant.Change(tenantDto.Id))
{
// 3. Create subscription with edition ID
var subscription = await _subscriptionAppService.CreateSubscriptionAsync(
Input.EditionId,
tenantDto.Id
);
// 4. Redirect to Stripe or confirmation
//return Redirect(subscription.PaymentUrl);
}
return Page();
}
}
I also created an appservice called MultiTenancyAppService which helps me populate the editions dropdown, as well as attempt to create a tenant (since calling tenantAppService.CreateAsync() was throwing an authorization error):
[AllowAnonymous]
public class MultiTenancyAppService : ArmadaIOAppService, IMultiTenancyAppService
{
private readonly IRepository<Edition, Guid> _editionRepository;
private readonly ITenantAppService _tenantAppService;
private readonly IRepository<Tenant, Guid> _tenantRepository;
public MultiTenancyAppService(IRepository<Edition, Guid> editionRepository, ITenantAppService tenantAppService, IRepository<Tenant, Guid> tenantRepository)
{
_editionRepository = editionRepository;
_tenantAppService = tenantAppService;
_tenantRepository = tenantRepository;
}
public async Task<List<EditionDto>> GetEditionsAsync()
{
List<Edition> editions = await _editionRepository.GetListAsync();
List<EditionDto> dtos = ObjectMapper.Map<List<Edition>, List<EditionDto>>(editions);
return dtos;
}
public async Task<SaasTenantDto> CreateTenantAsync(SaasTenantCreateDto input)
{
if (string.IsNullOrWhiteSpace(input.Name) || string.IsNullOrWhiteSpace(input.AdminEmailAddress) || string.IsNullOrWhiteSpace(input.AdminPassword))
{
throw new UserFriendlyException("Please fill all required fields before submission");
}
return await _tenantAppService.CreateAsync(input);
}
}
It is still throwing an authorization error when trying to create a tenant, even though I have the [AllowAnonymous] decorator on the page model and the app service. I am under the assumption that by default, a register page is creating a tenant when in host mode, since a tenant isn't logged in, so this seems like unintuitive functionality.
Please advise me on if this is the correct direction for a custom registration page, as well how to go about creating the tenant. If there is any documentation I missed, please link it. I have looked through much of it, but it is possible I missed something that would be relevant here.
Thanks in advance for your help, Charlie
Hi, bumping this to see if I can get some help.
Sorry for the delay; just getting to this now.
I understand conceptually what you mean in the first answer, but if you wouldn't mind providing example code as you offered to give me a basic understanding of the implementation of creating a tenant and payment at the same time, that would be much appreciated. I am unsure if it utilizes the existing register page or if it uses a custom page so getting an example would really help.
Regarding the second question: I was intending on using tenant domain resolvers and generating a subdomain for each tenant, so that will work with my original plan. However, I guess I was under the assumption that most people would probably just go to my root domain, which would redirect them to a login page, and then from there would redirect them to their tenant dashboard with their custom tenant subdomain. I guess I really just need to redirect the user when they are not logged in to the login/register pages, which I guess I could do when mapping endpoints in the Configure method in Program.cs?
I am new to some of this backend stuff, so I appreciate your patience if I am asking stupid questions!
Charlie
I am hoping to get a little knowledge to piece together some of these modules into a cohesive unit. I have all of the modules installed, and I followed the documentation to add a Stripe webhook, product and price, and I then used that to configure my StripeOptions. I also setup an Plan, GatewayPlan, and Edition, so theoretically, once I have a page set up to allow customers to subscribe to an edition, it should work. However, I have a few questions that don't seem to be elucidated in the documentation:
In this example code in the documentation: var paymentRequest = await SubscriptionAppService.CreateSubscriptionAsync(editionId, CurrentTenant.GetId());, it seems to imply that the tenant already needs to be a tenant and be signed in to be able to subscribe to an edition. This seems confusing to me. I need my users to be able to sign up for an edition at the same time they sign up to be a tenant (it doesn't make sense to have a tenant without an edition assigned to them). Would I just do this all at the same time?
Related to 1, I don't have a use for the "host" section of the app, and really only need the app accessible via the admin and tenants. Is there a way to "disable" the host (non-tenant) functionality and just force the user to login or register before being redirected to the homepage? Unless host does something else I am unaware of, but I don't want users to be able to access anything without being logged in.
I am stuck on these at the moment, so any advice on how to structure this would be greatly appreciated.
Charlie
