Back to Abp

ABP Version 10.5 Migration Guide

docs/en/release-info/migration-guides/abp-10-5.md

10.5.09.5 KB
Original Source
json
//[doc-seo]
{
    "Description": "Upgrade your ABP solutions from v10.4 to v10.5 with this migration guide covering important behavior and integration changes."
}

ABP Version 10.5 Migration Guide

This document is a guide for upgrading ABP v10.4 solutions to ABP v10.5. There are no explicitly marked breaking changes in this release scope, but there are some important changes that may require action in specific application scenarios.

Package Version Changes: Before upgrading, review the Package Version Changes document to see version changes on dependent NuGet and NPM packages and align your project with ABP's internal package versions.

Open-Source (Framework)

This version contains the following changes on the open-source side:

Identity Token Providers Use Single-Active Token Semantics

Who is affected

  • Applications using Identity link-user flows.
  • Applications using password-flow challenge tokens, such as two-factor and password-change challenge flows.
  • Applications that customize or replace ASP.NET Core Identity token providers.
  • Applications that expect multiple previously generated tokens for the same user and purpose to remain valid at the same time.

What changed

  • LinkUserTokenProvider now derives from ABP's single-active token infrastructure.
  • ABP replaces ASP.NET Core Identity's default DataProtectorTokenProvider registered under TokenOptions.DefaultProvider with AbpDefaultTokenProvider.
  • Tokens issued by these providers are single-active per user and purpose. Generating a new token invalidates the previous token for the same user and purpose.
  • The default lifetime for the new providers is 10 minutes and can be configured.

What to do

  • Re-test login, two-factor, forced password change, periodic password change, and link-user flows after upgrading.
  • If your application sends multiple tokens for the same purpose and expects older tokens to remain valid, update that flow to use only the latest token.
  • If your application needs a different lifetime, configure the related provider options:
csharp
Configure<AbpDefaultTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromMinutes(10);
});

Configure<AbpLinkUserTokenProviderOptions>(options =>
{
    options.TokenLifespan = TimeSpan.FromMinutes(10);
});

See #25450, #25525, and the Identity Token Providers document for details.

OpenIddict Default Scope Fallback Options

Who is affected

  • Applications using OpenIddict with client_credentials, password, or token-exchange grants.
  • Applications that want tokens to use the client application's registered scopes when the request omits the scope parameter.

What changed

  • ABP adds opt-in default scope fallback switches to AbpOpenIddictAspNetCoreOptions.
  • The new behavior is disabled by default, so existing applications keep their current behavior unless they enable these options.

What to do

No action is required if you do not enable the new options.

If you want the fallback behavior, configure the options explicitly:

csharp
Configure<AbpOpenIddictAspNetCoreOptions>(options =>
{
    options.UseDefaultScopesForClientCredentials = true;
    options.UseDefaultScopesForPassword = true;
    options.UseDefaultScopesForTokenExchange = true;
});

After enabling the options, re-test token issuance for the affected grant types and confirm the resulting scopes/resources match your authorization expectations.

See #25356 for details.

Dynamic Background Worker Capability Markers

Who is affected

  • Applications or modules that use IDynamicBackgroundWorkerManager directly.
  • Applications that allow users or administrators to configure dynamic background workers at runtime.
  • Applications that assume cron expressions work with every dynamic background worker provider.

What changed

  • Dynamic background worker managers now expose support through marker interfaces:
    • ISupportsRuntimeRegistration
    • ISupportsCronScheduling
  • Hangfire and Quartz managers implement both markers.
  • The default in-memory manager implements runtime registration support only and rejects cron expressions with a clearer error message.
  • TickerQ's dynamic manager does not expose runtime dynamic scheduling support.

What to do

  • If you build UI or integration logic on top of IDynamicBackgroundWorkerManager, check provider capabilities before showing or accepting runtime registration and cron scheduling options.
  • Use Hangfire or Quartz if your application needs runtime cron scheduling for dynamic background workers.
  • Re-test dynamic worker add/update flows that use CronExpression.

See #25397 for details.

S3-Compatible Blob Storage Provider Configuration

Who is affected

  • Applications using Volo.Abp.BlobStoring.Aws.
  • Applications that want to use S3-compatible providers such as Cloudflare R2, MinIO, Backblaze B2, Wasabi, or DigitalOcean Spaces.

What changed

  • The AWS blob provider now supports ServiceURL for custom S3-compatible endpoints.
  • The provider also supports DisablePayloadSigning for providers that do not support AWS SDK v4 streaming payload signing.

What to do

No action is required for existing AWS S3 configurations.

If you use an S3-compatible provider, configure the provider-specific endpoint and payload-signing behavior:

csharp
Configure<AbpBlobStoringOptions>(options =>
{
    options.Containers.ConfigureDefault(container =>
    {
        container.UseAws(aws =>
        {
            aws.ServiceURL = "https://<account-id>.r2.cloudflarestorage.com";
            aws.DisablePayloadSigning = true;
        });
    });
});

Keep DisablePayloadSigning disabled for providers that support the default AWS SDK signing behavior.

See #22962 for details.

Permission Management MySQL Index Length Fix

Who is affected

  • Applications using the Permission Management module with EF Core and MySQL.
  • Applications that create new migrations including the ResourcePermissionGrant model.

What changed

  • For MySQL only, ABP shortens ResourcePermissionGrant.ResourceName and ResourcePermissionGrant.ResourceKey max lengths to avoid exceeding MySQL's utf8mb4 index key length limit.
  • Other database providers keep the previous length.

What to do

  • If you are creating a new MySQL solution or generating fresh migrations, regenerate/review your migrations after upgrading.
  • If you already have a custom migration for ResourcePermissionGrant, compare it with the updated model and adjust the affected column lengths for MySQL if needed.

See #25495 for details.

Dependency Updates

Who is affected

  • Applications that pin ABP transitive dependencies directly.
  • Applications that use Blazorise, MongoDB.Driver, or CodeMirror directly with fixed versions.

What changed

  • Blazorise packages were upgraded to 2.1.3.
  • MongoDB.Driver was upgraded to 3.9.0.
  • @abp/codemirror was updated to CodeMirror 6.0.2.

What to do

  • Review your direct package references and align them with ABP's package versions where needed.
  • Rebuild and run relevant UI/integration tests if you directly use upgraded packages.
  • If you customize CMS Kit editor resources, re-test editor pages after the CodeMirror update.

Pro

There are no explicitly marked breaking changes on the PRO side in this release scope. However, check the following if they apply to your application.

Account Linking and Shared User Account Flows

Who is affected

  • Applications using Account Pro account-linking flows.
  • Applications using shared user accounts across tenants.

What changed

  • Account linking has been hardened by binding link tokens to source-side consent data.
  • Shared user account administration includes fixes for host admin actions and tenant removal scenarios.

What to do

  • Re-test account linking, linked account switching, tenant user invitation, tenant removal, and host/tenant user administration flows.
  • If you customized account-linking pages or flows, verify they still follow the expected consent and token lifecycle.

LowCode Dynamic Uploads and Admin Console Designer

Who is affected

  • Applications using the LowCode module.
  • Applications using the Admin Console LowCode designer.
  • Applications with LowCode dynamic upload scenarios.

What changed

  • The LowCode designer has been integrated into the Admin Console experience.
  • LowCode dynamic uploads now support IRemoteStreamContent.
  • LowCode React demo/template behavior was aligned with generated template behavior.

What to do

  • Re-test the LowCode designer in Admin Console.
  • Re-test dynamic file upload scenarios generated or managed through LowCode.
  • If you customized generated LowCode templates, compare your customizations with the latest template output.

AI Management Proxy Updates

Who is affected

  • Applications using the AI Management module with generated client proxies.

What changed

  • Missing proxy generations for AI Management were added.

What to do

  • Regenerate/update client proxies after upgrading if your application consumes AI Management APIs from a UI or remote client.
  • Re-test AI Management screens and client integrations that depend on generated proxies.