Hi,

Would like to know if ABP.IO has any Rule Engine integrated with the framework? If not, is there any plan to integrate rule engine in future roadmap? Please share any support documentation in case you have to integrate Rule Engine with ABP.IO.

Thanks

• ABP Framework version: v4.3.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace:
• We have recently upgraded our project to .Net 5.0 and ABP framework version 4.3.1. During source code scanning by Snyk.IO tool, it is reporting below vulnerability in our projects. There is no direct reference of the package "System.Text.Encodings.Web" in our projects, so not sure if the ABP framework code is using this library and is not updatee. Could you please advise, how it can be resolved - thru ABP version upgrade or something else?

Remote Code Execution (RCE) System.Text.Encodings.Web 5.0.0 CVE-2021-26701 CWE-94

• Also added the Dockerfile content of one of the projects which gets deployed in container

• Use Alpine Base Image

FROM mcr.microsoft.com/dotnet/aspnet:5.0-alpine AS base WORKDIR /app EXPOSE 80 EXPOSE 443

Use Alpine Base Image

FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine AS build WORKDIR /src COPY . . WORKDIR "/src/SCV.Litmus/aspnet-core/microservices/SCV.Litmus.FinanceManagement.HttpApi.Host"

RUN dotnet restore RUN dotnet build -c Release -o /app

FROM build AS publish RUN dotnet publish -c Release -o /app

FROM base AS final

upgrade musl to remove potential vulnerability

RUN apk upgrade musl

WORKDIR /app COPY --from=publish /app .

ENTRYPOINT ["dotnet", "SCV.Litmus.FinanceManagement.HttpApi.Host.dll"]

• ABP Framework version: v4.3.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace:
• Steps to reproduce the issue:"
• Does ABP.IO framework provides integrated Azure AD integration for managing user identities and RBAC?
• If not, is there any plan to integrated Azure AD in future and by when it will be available, please advise.

• ABP Framework version: v4.3
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace:
• Steps to reproduce the issue:" We have a requirement to implement Single Sign-on feature into our application. The users are authenticated into another application which is non ABP.IO and from there they should be able to access our application (built in ABP.IO) using Single Sign-on feature (without login again). How can this be achived in ABP.IO framework, please advise and share solution steps.

• ABP Framework version: v4.3.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace: We have a requirement to capture user last login date and time and dormant users (who have not logged into the system for xx days) status. Does ABP framework provides information out of the box? If not what is the way to capture this information? The information is required as part of Audit and compliance, so your inputs and direction is must to address this issue.
• Is it something you can provide us quickly thru a hotfix release?
• Steps to reproduce the issue:"

• ABP Framework version: v4.3.1
• UI type: Angular
• DB provider: EF Core
• Tiered (MVC) or Identity Server Separated (Angular): yes
• Exception message and stack trace:

McAfee Antivirus reporting Volo.Abp.AuditLogging.HttpApi.Client.dll and Volo.Abp.IdentityServer.HttpApi.Client.dll as virus. Due to this we are not able to compile code. Kindly let us know how to resolve the issue.

ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Separated (Angular): yes

We have custom login page and using AWS SES for sending emails. Steps performed

1. Code added in Login components <a href="/account/forgot-password" class="forgot_pass_cl"> {{ 'AbpAccount::ForgotPassword' | abpLocalization }}</a>

2. When we click on Forgot Password? Its redirected to url http://localhost:4200/account/forgot-password

3. We are entering aws certified email on submit its calling api https://localhost:44359/api/account/send-password-reset-code The response of api is Status Code: 403 Forbidden JSON Response {"error":{"code":null,"message":"Can not find the given email address:Ish***** **@****s.com","details":null,"data":{},"validationErrors":null}}

4. Downloaded latest package Volo.Abp.Identity.AspNetCore package in Lit***.HttpApi project

5. Define this package in the LitHttpApiModule class in the LitName.HttpApi project

6. Added entry in Lit***.HttpApi.Host project appsettings.json "App": { "ClientUrl": "http://localhost:4200", }

7. ConfigureUrls options.Applications["Angular"].RootUrl = configuration["App:ClientUrl"]; options.Applications["Angular"].Urls[AccountUrlNames.PasswordReset] = "account/reset-password"; options.Applications["Angular"].Urls[AccountUrlNames.EmailConfirmation] = "account/email-confirmation";

8. Added ConfigureUrls To ConfigureServices() method in Lit***HttpApiHostModule class

Getting 403 Forbidden error, please advise.

ABP Framework version: 4.1.3 UI type: Angular Tiered (MVC) or Identity Server Seperated (Angular): yes Exception message and stack trace: Steps to reproduce the issue:

Creating a new ticket as the previous ticket is closed - https://support.abp.io/QA/Questions/536/How-to-Restrict-users-multiple-login-session

Steps performed as per recommendation -

1. We are saving latest token at the time of login in database.
2. When user login next time again with new browser we are revoking all existing tokens.
3. The api we are using to revoke token is https://localhost:44350/connect/revocation and its returning 200 OK
4. While testing we have figure out even revoked token is giving results while testing from postman.
5. When we login to new browser existing user is not logging out from the browser it because token still alive

What could be the reason for this behaviour even token is revoked and still we can access api’s?

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

ABP Framework version: v4.3.1 UI type: Angular DB provider: EF Core Tiered (MVC) or Identity Server Separated (Angular): yes

As part of web application assessment, there was an observation on No Session Timeout. The expiration of JWT was set to 365 days. Need to implement a server side approach which expires a user’s session after a predefined interval (15-20 mins) of inactivity. Kindly advise on how to do it with existing ABP code base in our application.

Creating a new ticket to share more details as I cannot update the existing ticket - https://support.abp.io/QA/Questions/1352/Identity-server-token

As part of web application assessment, there was an observation reported about JWT tokens.

The JSON web token (JWT) for your web application was not encrypted, allowing the data within it to be inspected with trivial effort. This revealed the email (username) and expiration date of the token.

Recommendation is to either -

1. Remove sensitive data from the payload if it is not required - Not sure if this is possible and application will work
2. Instead of placing sensitive data in the payload, use an indirect object reference which is resolved on the server side - Not sure if this is possible and application will work
3. Encrypt the JWT payload using the JSON web encryption (JWE) scheme
4. Encrypt sensitive data within the JWT payload using a custom process.

I understand that this is not related to the framework and it is the subject of Identity Server but we don't have much control over it as the Identity server is integrated within the framwework itself. Can you guide us to remediate this issue based on recommendations mentioned above. Need to know what changes will be required in existing application code to handle it.

Thanks