Activities of "tapmui"

I got this solved with this document and some guesses: https://abp.io/docs/latest/guides/synchronous-interservice-communication Point 1: set UseCurrentAccessToken to false

appsettings: "RemoteServices": { "Iot": { "BaseUrl": "https://localhost:44351/", "UseCurrentAccessToken": "false" --> I was missing this. } }, Point 2: define client "IdentityClients": { "Default": { "GrantType": "client_credentials", "ClientId": "IotIntegration", "ClientSecret": "IotIntegration__something", "Authority": "https://localhost:44321", "Scope": "IotCombinedIntegrationAppService" } },

Point 3: Create client and scope for the openIdDict also with proper resource (missing from instructions) that shall used. --> I was missing this.

Point 4: when querying token the scope "IotCombinedIntegrationAppService" needs to be included

[berkansasmaz] said: Hi Tapmui,

You don’t need to apply authorization to Integration Services, because these endpoints are not exposed externally. If a user request is already validated by [Authorize] in your Application Service or Controller, there’s no need to check authorization again for internal calls. Integration Services are only used internally between modules or services, and users cannot directly send requests to these endpoints if it's not intentionally exposed to the outside in your deployment configuration.

See more:

• https://github.com/abpframework/abp/issues/12470
• https://abp.io/docs/latest/framework/api-development/integration-services#exposing-integration-services

Hi BerkansasMaz, thank you for the response. I have to expose the API, due we have modular monolith implementation (or even kind of microservice though not following microservice patterns but logical modules)

• main backend running in own azure appservice
• iot processing running in own azure appservice Now special processing is needed between them to be done in controlled order. Thus Azure service bus is not valid for this case. Due modules are in separate app services, the expose is needed. As per documentation I think I need to expose this integration API and then to protect in the gateway.

Related issue: I also tried to use the dynamic proxy directly via the client API that already exists there. (I would not need to use integration service at all). But I had the same issue with authorization (401). Can you please advice on this. As per my understanding (from documentation) dynamic or static proxy client should use automatically existing token during the call ?

Best regards Tapio

[AI-Bot] said:

• When you access an ABP Integration Service endpoint from another backend service, the request must include a valid authentication token with the required permissions. If the endpoint is protected by [Authorize] or a permission attribute, and the calling service does not forward the user's access token or does not use a valid service-to-service token with the necessary claims, you will get a 401 Unauthorized error.

• Integration Services are not exposed by default and typically do not require authorization, but if you add [Authorize] or permission attributes, you must ensure the caller is authenticated and authorized. When you call the endpoint directly (e.g., via Postman), you provide a valid token, so it works. When called from another backend service, unless you explicitly forward the user's token or use a client credentials flow, the call is unauthenticated.

Solution:

1. Forward the User's Access Token:

   • When backend service A calls the integration service, ensure it forwards the current user's access token in the Authorization header. This way, the integration service can perform authorization checks based on the user's permissions.
   • In ABP, you can use the IAccessTokenProvider or similar mechanism to retrieve and forward the token.

2. Use Client Credentials (Service-to-Service):

   • If the call is not on behalf of a user, configure IdentityServer to allow client credentials for service A, and assign the required permissions to the client. The integration service will then authorize based on the client identity.

3. Check Integration Service Exposure:

   • Make sure you have set AbpAspNetCoreMvcOptions.ExposeIntegrationServices = true in your module configuration to expose integration services.

4. Security Note:

   • If you remove [Authorize], the endpoint is open to anyone, which is a security risk. Always require authentication and proper permissions.

Example: Forwarding the Token

// In backend service A, when calling the integration service: 
var client = _httpClientFactory.CreateClient("IntegrationService"); 
client.DefaultRequestHeaders.Authorization =  
    new AuthenticationHeaderValue("Bearer", userAccessToken); // Forward user's token 

References:

• Integration Services Explained
• Service-to-Service Communication
• Integration Services Documentation

---

This response was generated by AI. If it didn’t solve your problem, feel free to post a new answer — our support team will jump in to help you soon.

Thanks for the fast initial response. Comments to it below. to point 1;2; Based on this document I understood that abp.io is doing the addtion of access token automatically: https://abp.io/docs/latest/framework/api-development/dynamic-csharp-clients --> Authenticates the HTTP Client by adding access token to the HTTP header. to point 3; yes already done. -I have also tried to use the dynamic http API directly without integrationservice model; same result (unauthorized). **To point 4: **that is clear as I already said. I'm a bit worried that this is not highlighed in the abp.io documentation clearly.

Example usage of integration/dynamic proxy:

`

        GetIotCombinedDatasInput combinedDatasInput = new GetIotCombinedDatasInput
        {
            MaxResultCount = 10,
            SkipCount = 0,
            // DeviceTime < 2025-09-29 12:51:35.394
            DeviceTimeMax = DateTime.Parse("2025-09-29T12:51:35.394", null, DateTimeStyles.AdjustToUniversal)
        };
        try
        {
            var ressu = await _iotCombinedDatasAppService.GetListAsync(combinedDatasInput);
        } catch(Exception e)
        {
            _logger.LogWarning("not working...", e.Message);
            throw;
        }

`

Documentation read: https://github.com/abpframework/abp/blob/dev/docs/en/framework/api-development/integration-services.md https://abp.io/community/articles/integration-services-explained-what-they-are-when-to-use-them-and-how-they-behave-lienmsy8#gsc.tab=0 Support notes: https://abp.io/support/questions/8012/Service-to-Service-communication

Problem description:

• backend service A has and endpoint from where the another module integrationservice is accessed. If the the endpoint in integration service is protected by permission it fails on unauthorized exception (401).
• the integration endpoint can be accessed directly ie. with postman, no issues.
• if IotPermissions.IotCombinedDatas.Default permission is removed then this works. But then also this endpoint can be accessed without token. And that is not acceptable.
• if I add [Authorize] at the service level, again same 401 error. I can add permission IotPermissions.IotCombinedDatas.Default in the backend service A endpoint; user can access this nicely--> this validates that he has the permission allowed.

My excpectation is that the same permissions are to be used also when integrationservice is accessed. What might be the reaso for this; and what is the solution to overcome ? Please advice.

Integrationservice example below:

` [Authorize] // If this is removed then access without token possible, fatal security risk. public class IotintegrationAppService: IotAppService, IIotIntegrationApiService { protected IDistributedCache<IotCombinedDataDownloadTokenCacheItem, string> _downloadTokenCache; protected IIotCombinedDataRepository _iotCombinedDataRepository; protected IotCombinedDataManager _iotCombinedDataManager;

    public IotintegrationAppService(IIotCombinedDataRepository iotCombinedDataRepository, IotCombinedDataManager iotCombinedDataManager, IDistributedCache<IotCombinedDataDownloadTokenCacheItem, string> downloadTokenCache)
    {
        _downloadTokenCache = downloadTokenCache;
        _iotCombinedDataRepository = iotCombinedDataRepository;
        _iotCombinedDataManager = iotCombinedDataManager;

    }

    [Authorize(IotPermissions.IotCombinedDatas.Default)] // If this is removed then I can call this API point.
    public virtual async Task<PagedResultDto<IotCombinedDataDto>> GetListAsync(GetIotCombinedDatasInput input)
    {
        var totalCount = await _iotCombinedDataRepository.GetCountAsync(input.FilterText, input.Status, input.StorageTimeMin, input.StorageTimeMax, input.WorkPhaseOn);
        var items = await _iotCombinedDataRepository.GetListAsync(input.FilterText, input.Status, nput.StorageTimeMin, input.StorageTimeMax, input.WorkPhaseOn, input.Sorting, input.MaxResultCount, input.SkipCount);

        return new PagedResultDto<IotCombinedDataDto>
        {
            TotalCount = totalCount,
            Items = ObjectMapper.Map<List<IotCombinedData>, List<IotCombinedDataDto>>(items)
        };
    }
}


[IntegrationService]
public interface IIotIntegrationApiService : IApplicationService
{
    Task<PagedResultDto<IotCombinedDataDto>> GetListAsync(GetIotCombinedDatasInput input);
}

`

Hi,

This is a problem, it seems we haven't updated the download file. I will ask the platform team.

What's your email, I can share it via email for now.

Please send it to this address: tapio.muikku@elisaindustriq.com

Ho Liangshiwei, I downloaded the source code; not on net9 level. Result is as follows: global,json: { "sdk": { "version": "8.0.401", "rollForward": "latestFeature" } } common.props: <Project> <PropertyGroup> <LangVersion>latest</LangVersion> <Version>1.0.0</Version> <NoWarn>$(NoWarn);CS1591</NoWarn> <AbpVersion>8.3.1</AbpVersion> <BlazoriseVersion>1.5.2</BlazoriseVersion> </PropertyGroup> </Project>

..domain.csproj; <Project Sdk="Microsoft.NET.Sdk">

<Import Project="....\common.props" />

<PropertyGroup> <TargetFramework>net8.0</TargetFramework> <RootNamespace>Volo.EasyCrm</RootNamespace> </PropertyGroup> ..

source: trialing https://easycrm.abp.io/ demo

1. application allows you to create account without country even it is a mandatory field on the UI. After this searching the account fails on internal errors; so does the filters as well.
2. Create another account and contact under it. Try to create an order from the UI it fails on error:

Further: source code seems to be on Net8 level; any plans to update to 9 ?

• ABP Framework version: v8.0.2
• UI Type: Angular
• Database System: EF Core (SQL Serve)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes, angular with openidDict
• Exception message and full stack trace:
• Steps to reproduce the issue: Use any generated page. Add enough entity rows so that there are multiple pages. Go to some other than first page. Now set a filter on so that there is no matching row item on the current page. The result to be shown after filtering is on the first page initially. Issue: Result after filtering is that item that should be shown is not visible. To overcome this issue I have clear filter, then go to first page and set the filter again.

Is this issue known, and when planned to be fixed ? My expectation for the wanted behavior is: if filter was changed, page index is reset first then search done with the filter.

Best regards Tapio Muikku

• ABP Framework version: v8.0.2
• UI Type: Angular
• Database System: EF Core (SQL Server)
• Tiered (for MVC) or Auth Server Separated (for Angular): yes
• Exception message and full stack trace: not related
• Steps to reproduce the issue:not related

Background: using of geolocation with abp.io. NetTopologySuite.IO.GeoJSON nuget Spatial Data - EF Core | Microsoft Learn

Question 1: How can I use Location datatype with abp suite entity generator ?

Question 2: Any example how to include NetTopologySuite with abp.io solution ? If you had any advices on this it is very wellcome.

Best regards, Tapio Muikku

• ABP Framework version: 5.2.0-rc.1 (Prerelease)
• UI type: Angular, single layer
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): no
• Exception message and stack trace:
• [2/4] Fetching packages... [3/4] Linking dependencies... warning "@volo/abp.aspnetcore.mvc.ui.theme.lepton > @volo/abp.aspnetcore.mvc.ui.theme.commercial > @abp/aspnetcore.mvc.ui.theme.shared > @abp/bootstrap > bootstrap@5.1.3" has unmet peer dependency "@popperjs/core@^2.10.2". [4/4] Building fresh packages... success Saved lockfile. Done in 47.00s. [10:11:22 ERR] ---------- RemoteServiceErrorInfo ---------- { "code": null, "message": "An internal error occurred during your request!", "details": null, "data": {}, "validationErrors": null }

[10:11:22 ERR] Error getting value from 'DefaultNamespace' on 'Volo.Abp.Suite.Models.Solution'. Newtonsoft.Json.JsonSerializationException: Error getting value from 'DefaultNamespace' on 'Volo.Abp.Suite.Models.Solution'. ---> System.ArgumentNullException: Value cannot be null. (Parameter 'path') at System.IO.Directory.InternalEnumeratePaths(String path, String searchPattern, SearchTarget searchTarget, EnumerationOptions options) at System.IO.Directory.GetFiles(String path, String searchPattern, EnumerationOptions enumerationOptions) at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption) at Volo.Abp.Suite.Models.Solution.get_DefaultNamespace() at Newtonsoft.Json.Serialization.ExpressionValueProvider.GetValue(Object target) --- End of inner exception stack trace --- at Newtonsoft.Json.Serialization.ExpressionValueProvider.GetValue(Object target) at Newtonsoft.Json.Serialization.JsonSerializerInternalWriter.CalculatePropertyValues(JsonWriter writer, Object value, JsonContainerContract contract, JsonProperty member, JsonProperty property, JsonContract& memberContract, Object& memberValue)

• Steps to reproduce the issue:" See the attached picture for project setup on abp.suite.
• Note that I can create the project from the command line successfully. But I cannot attach it in the suite, it is giving the same error. *Example cli command used: abp new Heko -u angular --mobile none -dbms PostgreSQL -t app-nolayers-pro --preview