Undefined permissions with IdentityServer.Client.ManagePermissions

[colinin]

Abp framework version: 3.0

Recurrence of problems:

    // Interface
    PermissionAppService.CheckProviderPolicy(string providerName);
    // Paramter
    PermissionAppService.CheckProviderPolicy("C");

Source localization:

(

abp/modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/AbpPermissionManagementDomainIdentityServerModule.cs

Line 19 in 42f37c5

options.ProviderPolicies[ClientPermissionValueProvider.ProviderName] = "IdentityServer.Client.ManagePermissions";

)

Defines the permissions: IdentityServer.Client.ManagePermissions,But it is not registered in the permission definition provider

Current solution:

in custom PermissionDefinitionProvider join this permission:

public class MyPermissionDefinitionProvider : PermissionDefinitionProvider
{
    public override void Define(IPermissionDefinitionContext context)
    {
        var myGroup = context.AddGroup("MyGroup", L("Permissions:IdentityServer"), MultiTenancySides.Host);
        myGroup.AddPermission("IdentityServer.Client.ManagePermissions", L("Permissions:ManagePermissions"), MultiTenancySides.Host);
    }
}

Stacktrack:

2020-07-02 16:33:59 [ERR] [Volo.Abp.AspNetCore.Mvc.ExceptionHandling.AbpExceptionFilter] [44020] [112] - No policy found: IdentityServer.Client.ManagePermissions.
System.InvalidOperationException: No policy found: IdentityServer.Client.ManagePermissions.
   at Microsoft.AspNetCore.Authorization.DefaultAuthorizationService.AuthorizeAsync(ClaimsPrincipal user, Object resource, String policyName)
   at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.AuthorizeAsync(IAuthorizationService authorizationService, Object resource, String policyName)
   at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.AuthorizeAsync(IAuthorizationService authorizationService, String policyName)
   at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.IsGrantedAsync(IAuthorizationService authorizationService, String policyName)
   at Microsoft.AspNetCore.Authorization.AbpAuthorizationServiceExtensions.CheckAsync(IAuthorizationService authorizationService, String policyName)
   at Volo.Abp.PermissionManagement.PermissionAppService.CheckProviderPolicy(String providerName)
   at Volo.Abp.PermissionManagement.PermissionAppService.GetAsync(String providerName, String providerKey)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
   at Volo.Abp.Validation.ValidationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
   at Volo.Abp.Authorization.AuthorizationInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
   at Volo.Abp.Auditing.AuditingInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at Castle.DynamicProxy.AsyncInterceptorBase.ProceedAsynchronous[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo)
   at Volo.Abp.Castle.DynamicProxy.CastleAbpMethodInvocationAdapterWithReturnValue`1.ProceedAsync()
   at Volo.Abp.Uow.UnitOfWorkInterceptor.InterceptAsync(IAbpMethodInvocation invocation)
   at Volo.Abp.Castle.DynamicProxy.CastleAsyncAbpInterceptorAdapter`1.InterceptAsync[TResult](IInvocation invocation, IInvocationProceedInfo proceedInfo, Func`3 proceed)
   at lambda_method(Closure , Object )
   at Microsoft.AspNetCore.Mvc.Infrastructure.ActionMethodExecutor.AwaitableObjectResultExecutor.Execute(IActionResultTypeMapper mapper, ObjectMethodExecutor executor, Object controller, Object[] arguments)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|12_0(ControllerActionInvoker invoker, ValueTask`1 actionResultValueTask)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.g__Awaited|10_0(ControllerActionInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Rethrow(ActionExecutedContextSealed context)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.Next(State& next, Scope& scope, Object& state, Boolean& isCompleted)
   at Microsoft.AspNetCore.Mvc.Infrastructure.ControllerActionInvoker.InvokeInnerFilterAsync()
--- End of stack trace from previous location where exception was thrown ---
   at Microsoft.AspNetCore.Mvc.Infrastructure.ResourceInvoker.g__Awaited|25_0(ResourceInvoker invoker, Task lastTask, State next, Scope scope, Object state, Boolean isCompleted)

[taujiong]

Thanks, your temporary solution works for me. Hope it can be solved later in the framework or at least goes into the document to show us how to enable the "IdentityServer.Client.ManagePermissions" policy.

[maliming]

@hikalkan

we can create a package called Volo.Abp.IdentityServer.Application.Contracts and provide permissions, But this package already belongs to the commercial version.

https://abp.io/package-detail/Volo.Abp.IdentityServer.Application.Contracts

var identityServerGroup = context.AddGroup(AbpIdentityServerPermissions.GroupName, L("Permission:IdentityServer"));
var client = identityServerGroup.AddPermission(AbpIdentityServerPermissions.Client.Default, L("Permission:Clients"), MultiTenancySides.Host);
client.AddChild(AbpIdentityServerPermissions.Client.ManagePermissions, L("Permission:ManagePermissions"), MultiTenancySides.Host);

[hikalkan]

As I understand, this error occurs when you call PermissionAppService.GetAsync method with providerName is C (and a clientId).

I wonder why and how do you call this service like that? This service is called by a UI to manage permissions of a client. For example, we have created such a UI for the ABP Commercial:

Do you have such an UI? If so, you should define the permission yourself as you did.

[hikalkan]

I am closing this since I support there is no bug here (this is by design). If you explain your case more I will re-consider to open & fix it. Thanks.

[colinin]

Yes, In my self-created IdentityServer admin interface, the client permissions had changed, throwing this exception, so I got around this problem by overwriting the name of the permissions in my project