Questions regarding two-factor authentication in the Identity module: What is the exact meaning of supportTwoFactor and twoFactorEnabled in the response of /api/identity/users/by-username/{username}?
{
  "tenantId": null,
  "userName": "user01",
  "email": "username01@gmail.com",
  "name": "username",
  "surname": "ar",
  "emailConfirmed": true,
  "phoneNumber": "212XXXXXXXXX",
  "phoneNumberConfirmed": true,
  "supportTwoFactor": false,
  "twoFactorEnabled": true,
  "isActive": true,
  "lockoutEnabled": true,
  "isLockedOut": false,
  "lockoutEnd": null,
  "shouldChangePasswordOnNextLogin": false,
  "concurrencyStamp": "4b8aa5a828fc44138a7634b1b9e37024",
  "roleNames": null,
  "accessFailedCount": 0,
  "lastPasswordChangeTime": "2025-09-22T15:09:59.4341739+00:00",
  "isExternal": false,
  "isDeleted": false,
  "deleterId": null,
  "deletionTime": null,
  "lastModificationTime": null,
  "lastModifierId": null,
  "creationTime": "2025-09-22T16:10:00.1319354",
  "creatorId": null,
  "id": "a129b42e-ebac-ad50-0a60-3a1c8426523a",
  "extraProperties": {}
}
When twoFactorEnabled is set to true, the /connect/token endpoint in the auth server always responds with RequiresTwoFactor, even after sending and validating the SMS code with /api/account/send-two-factor-code and /api/two-factor-token/verify-two-factor-code. How should we correctly obtain the token after MFA validation? What is the recommended way to integrate the MFA flow into the login process with the ABP authentication server?
How can I integrate my authentication server with an existing authentication server that does not support OAuth2?

We have defined the required scopes in the backoffice screen for our application (see the picture below). However, when making an HTTP request to obtain a token using the password grant type, we need to manually specify the scopes in the scope parameter of the token request. Since the scopes are already configured in the backoffice, shouldn’t they be dynamically included in the token request without requiring us to hardcode them in the code? Could you clarify how the scopes defined in the backoffice are intended to be used and whether there is a way to automatically include them in the token request?
public async Task<GetTokenResponseDto> GetTokenAsync(UserLoginInfoDto userLoginInfoDto)
{
    var _client = _httpClientFactory.CreateClient();
    string tokenUrl = $"{_authServerUrl}/connect/token";

    // Form-encoded body for the password grant request sent to the token endpoint.
    FormUrlEncodedContent tokenRequest = new FormUrlEncodedContent(new[]
    {
        new KeyValuePair<string, string>("grant_type", "password"),
        new KeyValuePair<string, string>("client_id", _configuration["AccountClient:ClientId"]),
        new KeyValuePair<string, string>("client_secret", _configuration["AccountClient:ClientSecret"]),
        new KeyValuePair<string, string>("username", userLoginInfoDto.UserName),
        new KeyValuePair<string, string>("password", userLoginInfoDto.Password),
        new KeyValuePair<string, string>("scope", " ...SCOPES.... ") // Scopes added here
    });

    HttpResponseMessage response = await _client.PostAsync(tokenUrl, tokenRequest);

    // Throws HttpRequestException when the status code is not a success code.
    response.EnsureSuccessStatusCode();

    var responseContent = await response.Content.ReadAsStringAsync();

    // An empty body is treated as an error; otherwise deserialize the token response.
    return !string.IsNullOrWhiteSpace(responseContent)
        ? JsonConvert.DeserializeObject<GetTokenResponseDto>(responseContent)
        : throw new Exception(L["EmptyResponse"]);
}
We are currently working on customizing the error messages returned by our ABP-based application in cases where exceptions occur. We have successfully implemented custom error messages for BusinessException as described in the ABP documentation (https://abp.io/docs/latest/framework/fundamentals/exception-handling). However, we are encountering difficulties in modifying the error messages for other types of exceptions (e.g., ArgumentException, InvalidOperationException, or generic Exception). Our goal is to provide custom error messages to the client, with multilanguage support, instead of exposing the default exception details. Specifically, we would like to know what is the recommended approach for intercepting and modifying exception messages before they are returned to the client in non-business exception scenarios?
Hello,
I'm looking for an endpoint or a method that, given the username and password, returns the access_token, token_type, expires_in to use with a mobile app.
The login endpoint, in the AuthServer, returns only result and description.
Hello, I'm working on a project based on the microservices template. When I implement gRPC for the inter-service communication, the authorization [Authorize(IdentityPermissions.Users.Create)] blocks me when I call the service from the client µS: 401, Unauthorized. How can I solve this problem with best practices?
Subject: Issue with ABP Studio 0.9.1 - Unprompted Window Opening
Hello Support,
I am experiencing an issue with the latest version of ABP Studio (0.9.1). A window keeps opening without reason, asking to open a file. Please see the screenshot below for reference.
Could you provide any advice on how to resolve this issue?
ABP Framework version: v8.3.0
UI Type: Razor MVC
Database System: EF Core (PostgreSQL)
Tiered (for MVC) microservice
I created an ABP microservice solution, and we are generating CRUD operations and UI interfaces using ABP Suite. The CRUD was generated successfully, but the UI interfaces in the Web Module were not generated. I also tried generating the proxy-client, but the pages were still not generated. Why is this happening? The old version used to allow generating both CRUD operations and UI interfaces.