Merge pull request #24515 from abpframework/ClientResourcePermission

Add ClientResourcePermissionValueProvider implementation

framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/AbpAuthorizationModule.cs

@@ -47,6 +47,7 @@ public class AbpAuthorizationModule : AbpModule
 
             options.ResourceValueProviders.Add<UserResourcePermissionValueProvider>();
             options.ResourceValueProviders.Add<RoleResourcePermissionValueProvider>();
+            options.ResourceValueProviders.Add<ClientResourcePermissionValueProvider>();
         });
 
         Configure<AbpVirtualFileSystemOptions>(options =>

framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/ClientPermissionValueProvider.cs

@@ -44,7 +44,7 @@ public class ClientPermissionValueProvider : PermissionValueProvider
         var clientId = context.Principal?.FindFirst(AbpClaimTypes.ClientId)?.Value;
         if (clientId == null)
         {
-            return new MultiplePermissionGrantResult(permissionNames); ;
+            return new MultiplePermissionGrantResult(permissionNames);
         }
 
         using (CurrentTenant.Change(null))

framework/src/Volo.Abp.Authorization/Volo/Abp/Authorization/Permissions/Resources/ClientResourcePermissionValueProvider.cs

@@ -0,0 +1,55 @@
+using System.Linq;
+using System.Threading.Tasks;
+using Volo.Abp.MultiTenancy;
+using Volo.Abp.Security.Claims;
+
+namespace Volo.Abp.Authorization.Permissions.Resources;
+
+public class ClientResourcePermissionValueProvider : ResourcePermissionValueProvider
+{
+    public const string ProviderName = "C";
+
+    public override string Name => ProviderName;
+
+    protected ICurrentTenant CurrentTenant { get; }
+
+    public ClientResourcePermissionValueProvider(IResourcePermissionStore resourcePermissionStore, ICurrentTenant currentTenant)
+        : base(resourcePermissionStore)
+    {
+        CurrentTenant = currentTenant;
+    }
+
+    public override async Task<PermissionGrantResult> CheckAsync(ResourcePermissionValueCheckContext context)
+    {
+        var clientId = context.Principal?.FindFirst(AbpClaimTypes.ClientId)?.Value;
+
+        if (clientId == null)
+        {
+            return PermissionGrantResult.Undefined;
+        }
+
+        using (CurrentTenant.Change(null))
+        {
+            return await ResourcePermissionStore.IsGrantedAsync(context.Permission.Name, context.ResourceName, context.ResourceKey, Name, clientId)
+                ? PermissionGrantResult.Granted
+                : PermissionGrantResult.Undefined;
+        }
+    }
+
+    public override async Task<MultiplePermissionGrantResult> CheckAsync(ResourcePermissionValuesCheckContext context)
+    {
+        var permissionNames = context.Permissions.Select(x => x.Name).Distinct().ToArray();
+        Check.NotNullOrEmpty(permissionNames, nameof(permissionNames));
+
+        var clientId = context.Principal?.FindFirst(AbpClaimTypes.ClientId)?.Value;
+        if (clientId == null)
+        {
+            return new MultiplePermissionGrantResult(permissionNames);
+        }
+
+        using (CurrentTenant.Change(null))
+        {
+            return await ResourcePermissionStore.IsGrantedAsync(permissionNames, context.ResourceName, context.ResourceKey, Name, clientId);
+        }
+    }
+}

modules/identity/src/Volo.Abp.Identity.Domain/Volo/Abp/Identity/UserRoleFinder.cs

@@ -35,10 +35,10 @@ public class UserRoleFinder : IUserRoleFinder, ITransientDependency
         {
             page = page < 1 ? 1 : page;
             var users = await IdentityUserRepository.GetListAsync(filter: filter, skipCount: (page - 1) * 10, maxResultCount: 10);
-            return users.Select(user => new UserFinderResult
+            return users.Select(x => new UserFinderResult
             {
-                Id = user.Id,
-                UserName = user.UserName
+                Id = x.Id,
+                UserName = x.UserName
             }).ToList();
         }
     }
@@ -49,10 +49,10 @@ public class UserRoleFinder : IUserRoleFinder, ITransientDependency
         {
             page = page < 1 ? 1 : page;
             var roles = await IdentityRoleRepository.GetListAsync(filter: filter, skipCount: (page - 1) * 10, maxResultCount: 10);
-            return roles.Select(user => new RoleFinderResult
+            return roles.Select(x => new RoleFinderResult
             {
-                Id = user.Id,
-                RoleName = user.Name
+                Id = x.Id,
+                RoleName = x.Name
             }).ToList();
         }
     }
@@ -62,10 +62,10 @@ public class UserRoleFinder : IUserRoleFinder, ITransientDependency
         using (IdentityUserRepository.DisableTracking())
         {
             var users = await IdentityUserRepository.GetListByIdsAsync(ids);
-            return users.Select(user => new UserFinderResult
+            return users.Select(x => new UserFinderResult
             {
-                Id = user.Id,
-                UserName = user.UserName
+                Id = x.Id,
+                UserName = x.UserName
             }).ToList();
         }
     }
@@ -75,10 +75,10 @@ public class UserRoleFinder : IUserRoleFinder, ITransientDependency
         using (IdentityUserRepository.DisableTracking())
         {
             var roles = await IdentityRoleRepository.GetListAsync(names);
-            return roles.Select(user => new RoleFinderResult
+            return roles.Select(x => new RoleFinderResult
             {
-                Id = user.Id,
-                RoleName = user.Name
+                Id = x.Id,
+                RoleName = x.Name
             }).ToList();
         }
     }

modules/identity/src/Volo.Abp.PermissionManagement.Domain.Identity/Volo/Abp/PermissionManagement/Identity/RoleResourcePermissionProviderKeyLookupService.cs

@@ -30,9 +30,9 @@ public class RoleResourcePermissionProviderKeyLookupService : IResourcePermissio
         return roles.Select(r => new ResourcePermissionProviderKeyInfo(r.RoleName, r.RoleName)).ToList();
     }
 
-    public virtual async Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string[] keys, CancellationToken cancellationToken = default)
+    public virtual Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string[] keys, CancellationToken cancellationToken = default)
     {
-        var roles = await UserRoleFinder.SearchRoleByNamesAsync(keys.Distinct().ToArray());
-        return roles.Select(r => new ResourcePermissionProviderKeyInfo(r.RoleName, r.RoleName)).ToList();
+        // Keys are role names
+        return Task.FromResult(keys.Select(x => new ResourcePermissionProviderKeyInfo(x, x)).ToList());
     }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Clients/ClientFinderResult.cs

@@ -0,0 +1,10 @@
+using System;
+
+namespace Volo.Abp.IdentityServer.Clients;
+
+public class ClientFinderResult
+{
+    public Guid Id { get; set; }
+
+    public string ClientId { get; set; }
+}

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Clients/IClientFinder.cs

@@ -0,0 +1,9 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace Volo.Abp.IdentityServer.Clients;
+
+public interface IClientFinder
+{
+    Task<List<ClientFinderResult>> SearchAsync(string filter, int page = 1);
+}

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/FR.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nom d'utilisateur ou mot de passe invalide!",
     "InvalidAuthenticatorCode": "Code d'authentification invalide !",
     "InvalidRecoveryCode": "Code de récupération invalide !",
-    "TheTargetUserIsNotLinkedToYou": "L'utilisateur cible n'est pas lié à vous!"
+    "TheTargetUserIsNotLinkedToYou": "L'utilisateur cible n'est pas lié à vous!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/ar.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "اسم المستخدم أو كلمة المرور غير صالحة!",
     "InvalidAuthenticatorCode": "كود المصدق غير صالح!",
     "InvalidRecoveryCode": "رمز الاسترداد غير صالح!",
-    "TheTargetUserIsNotLinkedToYou": "المستخدم المستهدف غير مرتبط بك!"
+    "TheTargetUserIsNotLinkedToYou": "المستخدم المستهدف غير مرتبط بك!",
+    "ClientResourcePermissionProviderKeyLookupService": "العميل"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/cs.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Neplatné uživatelské jméno či heslo!",
     "InvalidAuthenticatorCode": "Neplatný ověřovací kód!",
     "InvalidRecoveryCode": "Neplatný kód pro obnovení!",
-    "TheTargetUserIsNotLinkedToYou": "Cílový uživatel s vámi není spojen!"
+    "TheTargetUserIsNotLinkedToYou": "Cílový uživatel s vámi není spojen!",
+    "ClientResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/de.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Ungültiger Benutzername oder Passwort!",
     "InvalidAuthenticatorCode": "Ungültiger Authentifizierungscode!",
     "InvalidRecoveryCode": "Ungültiger Wiederherstellungscode!",
-    "TheTargetUserIsNotLinkedToYou": "Der Zielbenutzer ist nicht mit Ihnen verknüpft!"
+    "TheTargetUserIsNotLinkedToYou": "Der Zielbenutzer ist nicht mit Ihnen verknüpft!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/el.json

@@ -10,6 +10,7 @@
     "LoginIsNotAllowed": "Δεν επιτρέπεται να συνδεθείτε! Ο λογαριασμός σας είναι ανενεργός ή χρειάζεται να επιβεβαιώσετε το email/τον αριθμό τηλεφώνου σας.",
     "InvalidUsername": "Μη έγκυρο όνομα ή κωδικός!",
     "InvalidAuthenticatorCode": "Μη έγκυρος κωδικός ελέγχου ταυτότητας!",
-    "TheTargetUserIsNotLinkedToYou": "Ο χρήστης-στόχος δεν είναι συνδεδεμένος με εσάς!"
+    "TheTargetUserIsNotLinkedToYou": "Ο χρήστης-στόχος δεν είναι συνδεδεμένος με εσάς!",
+    "ClientResourcePermissionProviderKeyLookupService": "Πελάτης"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/en-GB.json

@@ -9,6 +9,7 @@
     "InvalidUserNameOrPassword": "Invalid username or password!",
     "LoginIsNotAllowed": "You are not allowed to login! Your account is inactive or needs to confirm your email/phone number.",
     "InvalidUsername": "Invalid username or password!",
-    "TheTargetUserIsNotLinkedToYou": "The target user is not linked to you!"
+    "TheTargetUserIsNotLinkedToYou": "The target user is not linked to you!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/en.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Invalid username or password!",
     "InvalidAuthenticatorCode": "Invalid authenticator code!",
     "InvalidRecoveryCode": "Invalid recovery code!",
-    "TheTargetUserIsNotLinkedToYou": "The target user is not linked to you!"
+    "TheTargetUserIsNotLinkedToYou": "The target user is not linked to you!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/es.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nombre de usuario icorrecto",
     "InvalidAuthenticatorCode": "¡Código de autenticador no válido!",
     "InvalidRecoveryCode": "¡Código de recuperación no válido!",
-    "TheTargetUserIsNotLinkedToYou": "El usuario de destino no está asociado a usted."
+    "TheTargetUserIsNotLinkedToYou": "El usuario de destino no está asociado a usted.",
+    "ClientResourcePermissionProviderKeyLookupService": "Cliente"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/fa.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "نام کاربری یا رمز عبور نامعتبر!",
     "InvalidAuthenticatorCode": "کد احراز هویت نامعتبر!",
     "InvalidRecoveryCode": "کد بازیابی نامعتبر!",
-    "TheTargetUserIsNotLinkedToYou": "کاربر هدف به شما پیوند داده نشده است!"
+    "TheTargetUserIsNotLinkedToYou": "کاربر هدف به شما پیوند داده نشده است!",
+    "ClientResourcePermissionProviderKeyLookupService": "کلاینت"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/fi.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Väärä käyttäjänimi tai salasana!",
     "InvalidAuthenticatorCode": "Virheellinen todennuskoodi!",
     "InvalidRecoveryCode": "Virheellinen palautuskoodi!",
-    "TheTargetUserIsNotLinkedToYou": "Kohdekäyttäjä ei ole linkitetty sinuun!"
+    "TheTargetUserIsNotLinkedToYou": "Kohdekäyttäjä ei ole linkitetty sinuun!",
+    "ClientResourcePermissionProviderKeyLookupService": "Asiakas"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/hi.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "अमान्य उपयोगकर्ता नाम या पासवर्ड!",
     "InvalidAuthenticatorCode": "अमान्य प्रमाणक कोड!",
     "InvalidRecoveryCode": "अमान्य पुनर्प्राप्ति कोड!",
-    "TheTargetUserIsNotLinkedToYou": "लक्ष्य उपयोगकर्ता आपसे जुड़ा नहीं है!"
+    "TheTargetUserIsNotLinkedToYou": "लक्ष्य उपयोगकर्ता आपसे जुड़ा नहीं है!",
+    "ClientResourcePermissionProviderKeyLookupService": "क्लाइंट"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/hr.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Neispravno korisničko ime ili lozinka!",
     "InvalidAuthenticatorCode": "Nevažeći kod autentifikatora!",
     "InvalidRecoveryCode": "Nevažeći kod za oporavak!",
-    "TheTargetUserIsNotLinkedToYou": "Ciljani korisnik nije povezan s vama!"
+    "TheTargetUserIsNotLinkedToYou": "Ciljani korisnik nije povezan s vama!",
+    "ClientResourcePermissionProviderKeyLookupService": "Klijent"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/hu.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Érvénytelen felhasználónév vagy jelszó!",
     "InvalidAuthenticatorCode": "Érvénytelen hitelesítő kód!",
     "InvalidRecoveryCode": "Érvénytelen helyreállítási kód!",
-    "TheTargetUserIsNotLinkedToYou": "A célfelhasználó nincs hozzád kapcsolódva!"
+    "TheTargetUserIsNotLinkedToYou": "A célfelhasználó nincs hozzád kapcsolódva!",
+    "ClientResourcePermissionProviderKeyLookupService": "Kliens"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/is.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Ógilt notendanafn eða lykilorð!",
     "InvalidAuthenticatorCode": "Ógildur auðkenningarkóði!",
     "InvalidRecoveryCode": "Ógildur endurheimtarkóði!",
-    "TheTargetUserIsNotLinkedToYou": "Marknotandinn er ekki tengdur þér!"
+    "TheTargetUserIsNotLinkedToYou": "Marknotandinn er ekki tengdur þér!",
+    "ClientResourcePermissionProviderKeyLookupService": "Biðlari"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/it.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Username o password non validi!",
     "InvalidAuthenticatorCode": "Codice autenticatore non valido!",
     "InvalidRecoveryCode": "Codice di ripristino non valido!",
-    "TheTargetUserIsNotLinkedToYou": "L'utente indicato non è collegato a te!"
+    "TheTargetUserIsNotLinkedToYou": "L'utente indicato non è collegato a te!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/nl.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Ongeldige gebruikersnaam of wachtwoord!",
     "InvalidAuthenticatorCode": "Ongeldige authenticatiecode!",
     "InvalidRecoveryCode": "Ongeldige herstelcode!",
-    "TheTargetUserIsNotLinkedToYou": "De beoogde gebruiker is niet aan jou gekoppeld!"
+    "TheTargetUserIsNotLinkedToYou": "De beoogde gebruiker is niet aan jou gekoppeld!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/pl-PL.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nieprawidłowa nazwa użytkownika lub hasło!",
     "InvalidAuthenticatorCode": "Nieprawidłowy kod uwierzytelniający!",
     "InvalidRecoveryCode": "Nieprawidłowy kod odzyskiwania!",
-    "TheTargetUserIsNotLinkedToYou": "Docelowy użytkownik nie jest z Tobą powiązany!"
+    "TheTargetUserIsNotLinkedToYou": "Docelowy użytkownik nie jest z Tobą powiązany!",
+    "ClientResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/pt-BR.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nome de usuário ou senha inválidos!",
     "InvalidAuthenticatorCode": "Código de autenticador inválido!",
     "InvalidRecoveryCode": "Código de recuperação inválido!",
-    "TheTargetUserIsNotLinkedToYou": "O usuário-alvo não está vinculado a você!"
+    "TheTargetUserIsNotLinkedToYou": "O usuário-alvo não está vinculado a você!",
+    "ClientResourcePermissionProviderKeyLookupService": "Cliente"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/ro-RO.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nume de utilizator sau parolă invalidă!",
     "InvalidAuthenticatorCode": "Cod de autentificare invalid!",
     "InvalidRecoveryCode": "Cod de recuperare nevalid!",
-    "TheTargetUserIsNotLinkedToYou": "Utilizatorul ţintă nu este conectat la dumneavoastră!"
+    "TheTargetUserIsNotLinkedToYou": "Utilizatorul ţintă nu este conectat la dumneavoastră!",
+    "ClientResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/ru.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Неверное имя пользователя или пароль!",
     "InvalidAuthenticatorCode": "Неверный код аутентификатора!",
     "InvalidRecoveryCode": "Неверный код восстановления!",
-    "TheTargetUserIsNotLinkedToYou": "Целевой пользователь не связан с вами!"
+    "TheTargetUserIsNotLinkedToYou": "Целевой пользователь не связан с вами!",
+    "ClientResourcePermissionProviderKeyLookupService": "Клиент"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/sk.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Nesprávne používateľské meno alebo heslo!",
     "InvalidAuthenticatorCode": "Neplatný overovací kód!",
     "InvalidRecoveryCode": "Neplatný kód na obnovenie!",
-    "TheTargetUserIsNotLinkedToYou": "Cieľový používateľ nie je s vami prepojený!"
+    "TheTargetUserIsNotLinkedToYou": "Cieľový používateľ nie je s vami prepojený!",
+    "ClientResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/sl.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Napačno uporabniško ime ali geslo!",
     "InvalidAuthenticatorCode": "Neveljavna koda za preverjanje pristnosti!",
     "InvalidRecoveryCode": "Neveljavna obnovitvena koda!",
-    "TheTargetUserIsNotLinkedToYou": "Ciljni uporabnik ni povezan z vami!"
+    "TheTargetUserIsNotLinkedToYou": "Ciljni uporabnik ni povezan z vami!",
+    "ClientResourcePermissionProviderKeyLookupService": "Odjemalec"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/sv.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Ogiltigt användarnamn eller lösenord!",
     "InvalidAuthenticatorCode": "Ogiltig autentiseringskod!",
     "InvalidRecoveryCode": "Ogiltig återställningskod!",
-    "TheTargetUserIsNotLinkedToYou": "Målanvändaren är inte kopplad till dig!"
+    "TheTargetUserIsNotLinkedToYou": "Målanvändaren är inte kopplad till dig!",
+    "ClientResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/tr.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Kullanıcı adı ya da şifre geçersiz!",
     "InvalidAuthenticatorCode": "Geçersiz kimlik doğrulama kodu!",
     "InvalidRecoveryCode": "Geçersiz kurtarma kodu!",
-    "TheTargetUserIsNotLinkedToYou": "Hedef kullanıcı sizinle bağlantılı değil!"
+    "TheTargetUserIsNotLinkedToYou": "Hedef kullanıcı sizinle bağlantılı değil!",
+    "ClientResourcePermissionProviderKeyLookupService": "İstemci"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/vi.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "Sai username hoặc password!",
     "InvalidAuthenticatorCode": "Mã xác thực không hợp lệ!",
     "InvalidRecoveryCode": "Mã khôi phục không hợp lệ!",
-    "TheTargetUserIsNotLinkedToYou": "Người dùng mục tiêu không được liên kết với bạn!"
+    "TheTargetUserIsNotLinkedToYou": "Người dùng mục tiêu không được liên kết với bạn!",
+    "ClientResourcePermissionProviderKeyLookupService": "Máy khách"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/zh-Hans.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "用户名或密码错误！",
     "InvalidAuthenticatorCode": "验证码无效！",
     "InvalidRecoveryCode": "恢复代码无效！",
-    "TheTargetUserIsNotLinkedToYou": "目标用户与您没有关联！"
+    "TheTargetUserIsNotLinkedToYou": "目标用户与您没有关联！",
+    "ClientResourcePermissionProviderKeyLookupService": "客户端"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain.Shared/Volo/Abp/IdentityServer/Localization/Resources/zh-Hant.json

@@ -11,6 +11,7 @@
     "InvalidUsername": "用戶名或密碼錯誤!",
     "InvalidAuthenticatorCode": "驗證碼無效！",
     "InvalidRecoveryCode": "恢復碼無效！",
-    "TheTargetUserIsNotLinkedToYou": "目標用戶與您無關！"
+    "TheTargetUserIsNotLinkedToYou": "目標用戶與您無關！",
+    "ClientResourcePermissionProviderKeyLookupService": "用戶端"
   }
 }

modules/identityserver/src/Volo.Abp.IdentityServer.Domain/Volo/Abp/IdentityServer/Clients/ClientFinder.cs

@@ -0,0 +1,31 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Domain.Repositories;
+
+namespace Volo.Abp.IdentityServer.Clients;
+
+public class ClientFinder : IClientFinder, ITransientDependency
+{
+    protected IClientRepository ClientRepository { get; }
+
+    public ClientFinder(IClientRepository clientRepository)
+    {
+        ClientRepository = clientRepository;
+    }
+
+    public virtual async Task<List<ClientFinderResult>> SearchAsync(string filter, int page = 1)
+    {
+        using (ClientRepository.DisableTracking())
+        {
+            page = page < 1 ? 1 : page;
+            var clients = await ClientRepository.GetListAsync(nameof(Client.ClientName), filter: filter, skipCount: (page - 1) * 10, maxResultCount: 10);
+            return clients.Select(x => new ClientFinderResult
+            {
+                Id = x.Id,
+                ClientId = x.ClientId
+            }).ToList();
+        }
+    }
+}

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/ClientResourcePermissionManagerExtensions.cs

@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using JetBrains.Annotations;
+using Volo.Abp.Authorization.Permissions;
+
+namespace Volo.Abp.PermissionManagement;
+
+public static class ClientResourcePermissionManagerExtensions
+{
+    public static Task<PermissionWithGrantedProviders> GetForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId, string permissionName)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.GetAsync(permissionName, resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId);
+    }
+
+    public static Task<List<PermissionWithGrantedProviders>> GetAllForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.GetAllAsync(resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId);
+    }
+
+    public static Task SetForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId, [NotNull] string permissionName, bool isGranted)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.SetAsync(permissionName, resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId, isGranted);
+    }
+}

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/AbpPermissionManagementDomainIdentityServerModule.cs

@@ -1,5 +1,8 @@
-using Volo.Abp.Authorization.Permissions;
+using System;
+using Microsoft.Extensions.DependencyInjection;
+using Volo.Abp.Authorization.Permissions;
 using Volo.Abp.IdentityServer;
+using Volo.Abp.IdentityServer.Clients;
 using Volo.Abp.Modularity;
 
 namespace Volo.Abp.PermissionManagement.IdentityServer;
@@ -18,5 +21,17 @@ public class AbpPermissionManagementDomainIdentityServerModule : AbpModule
 
             options.ProviderPolicies[ClientPermissionValueProvider.ProviderName] = "IdentityServer.Client.ManagePermissions";
         });
+
+        context.Services.AddAbpOptions<PermissionManagementOptions>().PostConfigure<IServiceProvider>((options, serviceProvider) =>
+        {
+            // The IClientFinder implementation in identity Server Pro module for tiered application.
+            if (serviceProvider.GetService<IClientFinder>() == null)
+            {
+                return;
+            }
+
+            options.ResourceManagementProviders.Add<ClientResourcePermissionManagementProvider>();
+            options.ResourcePermissionProviderKeyLookupServices.Add<ClientResourcePermissionProviderKeyLookupService>();
+        });
     }
 }

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/ClientDeletedEventHandler.cs

@@ -0,0 +1,31 @@
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Domain.Entities.Events.Distributed;
+using Volo.Abp.EventBus.Distributed;
+using Volo.Abp.IdentityServer.Clients;
+using Volo.Abp.Uow;
+
+namespace Volo.Abp.PermissionManagement.IdentityServer;
+
+public class ClientDeletedEventHandler :
+    IDistributedEventHandler<EntityDeletedEto<ClientEto>>,
+    ITransientDependency
+{
+    protected IPermissionManager PermissionManager { get; }
+    protected IResourcePermissionManager ResourcePermissionManager { get; }
+
+    public ClientDeletedEventHandler(IPermissionManager permissionManager, IResourcePermissionManager resourcePermissionManager)
+    {
+        PermissionManager = permissionManager;
+        ResourcePermissionManager = resourcePermissionManager;
+    }
+
+    [UnitOfWork]
+    public virtual async Task HandleEventAsync(EntityDeletedEto<ClientEto> eventData)
+    {
+        await PermissionManager.DeleteAsync(ClientPermissionValueProvider.ProviderName, eventData.Entity.ClientId);
+        await ResourcePermissionManager.DeleteAsync(ClientResourcePermissionValueProvider.ProviderName, eventData.Entity.ClientId);
+    }
+}

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/ClientPermissionManagementProvider.cs

@@ -18,7 +18,6 @@ public class ClientPermissionManagementProvider : PermissionManagementProvider
             guidGenerator,
             currentTenant)
     {
-
     }
 
     public override Task<PermissionValueProviderGrantInfo> CheckAsync(string name, string providerName, string providerKey)
@@ -29,6 +28,14 @@ public class ClientPermissionManagementProvider : PermissionManagementProvider
         }
     }
 
+    public override Task<MultiplePermissionValueProviderGrantInfo> CheckAsync(string[] names, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(names, providerName, providerKey);
+        }
+    }
+
     protected override Task GrantAsync(string name, string providerKey)
     {
         using (CurrentTenant.Change(null))

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/ClientResourcePermissionManagementProvider.cs

@@ -0,0 +1,62 @@
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.Guids;
+using Volo.Abp.MultiTenancy;
+
+namespace Volo.Abp.PermissionManagement.IdentityServer;
+
+public class ClientResourcePermissionManagementProvider : ResourcePermissionManagementProvider
+{
+    public override string Name => ClientResourcePermissionValueProvider.ProviderName;
+
+    public ClientResourcePermissionManagementProvider(
+        IResourcePermissionGrantRepository permissionGrantRepository,
+        IGuidGenerator guidGenerator,
+        ICurrentTenant currentTenant)
+        : base(
+            permissionGrantRepository,
+            guidGenerator,
+            currentTenant)
+    {
+    }
+
+    public override Task<ResourcePermissionValueProviderGrantInfo> CheckAsync(string name, string resourceName, string resourceKey, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(name, resourceName, resourceKey, providerName, providerKey);
+        }
+    }
+
+    public override Task<MultipleResourcePermissionValueProviderGrantInfo> CheckAsync(string[] names, string resourceName, string resourceKey, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(names, resourceName, resourceKey, providerName, providerKey);
+        }
+    }
+
+    public override Task SetAsync(string name,  string resourceName, string resourceKey, string providerKey, bool isGranted)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.SetAsync(name, resourceName, resourceKey, providerKey, isGranted);
+        }
+    }
+
+    protected override async Task GrantAsync(string name, string resourceName, string resourceKey, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            await base.GrantAsync(name, resourceName, resourceKey, providerKey);
+        }
+    }
+
+    protected override Task RevokeAsync(string name, string resourceName, string resourceKey, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.RevokeAsync(name, resourceName, resourceKey, providerKey);
+        }
+    }
+}

modules/identityserver/src/Volo.Abp.PermissionManagement.Domain.IdentityServer/Volo/Abp/PermissionManagement/IdentityServer/ClientResourcePermissionProviderKeyLookupService.cs

@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.IdentityServer.Clients;
+using Volo.Abp.IdentityServer.Localization;
+using Volo.Abp.Localization;
+
+namespace Volo.Abp.PermissionManagement.IdentityServer;
+
+public class ClientResourcePermissionProviderKeyLookupService : IResourcePermissionProviderKeyLookupService, ITransientDependency
+{
+    public string Name => ClientResourcePermissionValueProvider.ProviderName;
+
+    public ILocalizableString DisplayName { get; }
+
+    protected IClientFinder ClientFinder { get; }
+
+    public ClientResourcePermissionProviderKeyLookupService(IClientFinder clientFinder)
+    {
+        ClientFinder = clientFinder;
+        DisplayName = LocalizableString.Create<AbpIdentityServerResource>(nameof(ClientResourcePermissionProviderKeyLookupService));
+    }
+
+    public virtual async Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string filter = null, int page = 1, CancellationToken cancellationToken = default)
+    {
+        var clients = await ClientFinder.SearchAsync(filter, page);
+        return clients.Select(x => new ResourcePermissionProviderKeyInfo(x.ClientId, x.ClientId)).ToList();
+    }
+
+    public virtual Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string[] keys, CancellationToken cancellationToken = default)
+    {
+        // Keys are ClientIds
+        return Task.FromResult(keys.Select(x => new ResourcePermissionProviderKeyInfo(x, x)).ToList());
+    }
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Applications/ApplicationFinderResult.cs

@@ -0,0 +1,10 @@
+using System;
+
+namespace Volo.Abp.OpenIddict.Applications;
+
+public class ApplicationFinderResult
+{
+    public Guid Id { get; set; }
+
+    public string ClientId { get; set; }
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Applications/IApplicationFinder.cs

@@ -0,0 +1,9 @@
+using System.Collections.Generic;
+using System.Threading.Tasks;
+
+namespace Volo.Abp.OpenIddict.Applications;
+
+public interface IApplicationFinder
+{
+    Task<List<ApplicationFinderResult>> SearchAsync(string filter, int page = 1);
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Applications/OpenIddictApplicationClientIdChangedEto.cs

@@ -0,0 +1,13 @@
+using System;
+
+namespace Volo.Abp.OpenIddict.Applications;
+
+[Serializable]
+public class OpenIddictApplicationClientIdChangedEto
+{
+    public Guid Id { get; set; }
+
+    public string ClientId { get; set; }
+
+    public string OldClientId { get; set; }
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Applications/OpenIddictApplicationEto.cs

@@ -0,0 +1,43 @@
+using System;
+
+namespace Volo.Abp.OpenIddict.Applications;
+
+[Serializable]
+public class OpenIddictApplicationEto
+{
+    public Guid Id { get; set; }
+
+    public string ApplicationType { get; set; }
+
+    public string ClientId { get; set; }
+
+    public string ClientSecret { get; set; }
+
+    public string ClientType { get; set; }
+
+    public string ConsentType { get; set; }
+
+    public string DisplayName { get; set; }
+
+    public string DisplayNames { get; set; }
+
+    public string JsonWebKeySet { get; set; }
+
+    public string Permissions { get; set; }
+
+    public string PostLogoutRedirectUris { get; set; }
+
+    public string Properties { get; set; }
+
+    public string RedirectUris { get; set; }
+
+    public string Requirements { get; set; }
+
+    public string Settings { get; set; }
+
+    public string FrontChannelLogoutUri { get; set; }
+
+    public string ClientUri { get; set; }
+
+    public string LogoUri { get; set; }
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/ar.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "هل تريد منح {0} حق الوصول إلى بياناتك؟",
     "ScopesRequested": "النطاقات المطلوبة",
     "Accept": "قبول",
-    "Deny": "رفض"
+    "Deny": "رفض",
+    "ApplicationResourcePermissionProviderKeyLookupService": "العميل"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/cs.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Chcete uživateli {0} udělit přístup ke svým datům?",
     "ScopesRequested": "Požadované rozsahy",
     "Accept": "Akceptovat",
-    "Deny": "Odmítnout"
+    "Deny": "Odmítnout",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/de.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Möchten Sie {0} Zugriff auf Ihre Daten gewähren?",
     "ScopesRequested": "Umfänge angefordert",
     "Accept": "Akzeptieren",
-    "Deny": "Leugnen"
+    "Deny": "Leugnen",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/el.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Θέλετε να παραχωρήσετε στον χρήστη {0} πρόσβαση στα δεδομένα σας;",
     "ScopesRequested": "Ζητούνται πεδία εφαρμογής",
     "Accept": "Αποδοχή",
-    "Deny": "Άρνηση"
+    "Deny": "Άρνηση",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Πελάτης"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/en.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Do you want to grant {0} access to your data?",
     "ScopesRequested": "Scopes requested",
     "Accept": "Accept",
-    "Deny": "Deny"
+    "Deny": "Deny",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/es.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "¿Quieres otorgarle a {0} acceso a tus datos?",
     "ScopesRequested": "Alcances solicitados",
     "Accept": "Aceptar",
-    "Deny": "Denegar"
+    "Deny": "Denegar",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Cliente"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/fa.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "آیا می خواهید به {0} اجازه دسترسی به داده های خود را بدهید؟",
     "ScopesRequested": "محدوده های درخواستی",
     "Accept": "پذیرش",
-    "Deny": "رد"
+    "Deny": "رد",
+    "ApplicationResourcePermissionProviderKeyLookupService": "کلاینت"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/fi.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Haluatko myöntää käyttäjälle {0} pääsyn tietoihisi?",
     "ScopesRequested": "Laajuudet pyydetty",
     "Accept": "Hyväksy",
-    "Deny": "Kiellä"
+    "Deny": "Kiellä",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Asiakas"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/fr.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Voulez-vous accorder à {0} l'accès à vos données ?",
     "ScopesRequested": "Périmètres demandés",
     "Accept": "Accepter",
-    "Deny": "Refuser"
+    "Deny": "Refuser",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/hi.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "क्या आप {0} को अपने डेटा तक पहुंच प्रदान करना चाहते हैं?",
     "ScopesRequested": "दायरे का अनुरोध किया गया",
     "Accept": "स्वीकार करना",
-    "Deny": "अस्वीकार करना"
+    "Deny": "अस्वीकार करना",
+    "ApplicationResourcePermissionProviderKeyLookupService": "क्लाइंट"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/hr.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Želite li {0} odobriti pristup vašim podacima?",
     "ScopesRequested": "Traženi dometi",
     "Accept": "Prihvatiti",
-    "Deny": "poreći"
+    "Deny": "poreći",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Klijent"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/hu.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Hozzáférést szeretne adni a(z) {0} számára az adataihoz?",
     "ScopesRequested": "Kért hatókörök",
     "Accept": "Elfogad",
-    "Deny": "Tiltás"
+    "Deny": "Tiltás",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Kliens"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/is.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Viltu veita {0} aðgang að gögnunum þínum?",
     "ScopesRequested": "Umfang óskað",
     "Accept": "Samþykkja",
-    "Deny": "Neita"
+    "Deny": "Neita",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Biðlari"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/it.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Vuoi concedere a {0} l'accesso ai tuoi dati?",
     "ScopesRequested": "Ambiti richiesti",
     "Accept": "Accettare",
-    "Deny": "Negare"
+    "Deny": "Negare",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Cliente"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/nl.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Wilt u {0} toegang verlenen tot uw gegevens?",
     "ScopesRequested": "Scopes gevraagd",
     "Accept": "Aanvaarden",
-    "Deny": "Ontkennen"
+    "Deny": "Ontkennen",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/pl-PL.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Czy chcesz przyznać firmie {0} dostęp do swoich danych?",
     "ScopesRequested": "Poproszono o zakresy",
     "Accept": "Zaakceptować",
-    "Deny": "Zaprzeczyć"
+    "Deny": "Zaprzeczyć",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/pt-BR.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Deseja permitir {0} acessar seus dados?",
     "ScopesRequested": "Escopo solicitado",
     "Accept": "Aceitar",
-    "Deny": "Negar"
+    "Deny": "Negar",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Cliente"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/ro-RO.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Doriți să acordați acces {0} la datele dvs.?",
     "ScopesRequested": "Domenii de aplicare solicitate",
     "Accept": "Accept",
-    "Deny": "Negați"
+    "Deny": "Negați",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Client"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/ru.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Вы хотите предоставить пользователю {0} доступ к вашим данным?",
     "ScopesRequested": "Запрошенные объемы",
     "Accept": "Принимать",
-    "Deny": "Отрицать"
+    "Deny": "Отрицать",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Клиент"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/sk.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Chcete používateľovi {0} udeliť prístup k svojim údajom?",
     "ScopesRequested": "Požadované rozsahy",
     "Accept": "súhlasiť",
-    "Deny": "Odmietnuť"
+    "Deny": "Odmietnuť",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/sl.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Ali želite aplikaciji {0} omogočiti dostop do vaših podatkov?",
     "ScopesRequested": "Zahtevani obsegi",
     "Accept": "Sprejmi",
-    "Deny": "Zanikati"
+    "Deny": "Zanikati",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Odjemalec"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/sv.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Vill du ge {0} tillgång till dina data?",
     "ScopesRequested": "Begärda omfattningar",
     "Accept": "Acceptera",
-    "Deny": "Förneka"
+    "Deny": "Förneka",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Klient"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/tr.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Do you want to grant {0} access to your data?",
     "ScopesRequested": "İstenen kapsamlar",
     "Accept": "Kabul etmek",
-    "Deny": "Reddetmek"
+    "Deny": "Reddetmek",
+    "ApplicationResourcePermissionProviderKeyLookupService": "İstemci"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/vi.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "Bạn có muốn cấp cho {0} quyền truy cập vào dữ liệu của mình không?",
     "ScopesRequested": "Phạm vi được yêu cầu",
     "Accept": "Chấp nhận",
-    "Deny": "Từ chối"
+    "Deny": "Từ chối",
+    "ApplicationResourcePermissionProviderKeyLookupService": "Máy khách"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/zh-Hans.json

@@ -10,6 +10,7 @@
     "DoYouWantToGrantAccessToYourData": "是否要授予 {0} 访问你的数据的权限？",
     "ScopesRequested": "要求的Scope",
     "Accept": "接受",
-    "Deny": "拒绝"
+    "Deny": "拒绝",
+    "ApplicationResourcePermissionProviderKeyLookupService": "客户端"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain.Shared/Volo/Abp/OpenIddict/Localization/OpenIddict/zh-Hant.json

@@ -11,6 +11,7 @@
     "DoYouWantToGrantAccessToYourData": "是否要授予 {0} 訪問你的數據的權限?",
     "ScopesRequested": "要求的Scope",
     "Accept": "接受",
-    "Deny": "拒絕"
+    "Deny": "拒絕",
+    "ApplicationResourcePermissionProviderKeyLookupService": "客戶端"
   }
 }

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/AbpOpenIddictDomainMappers.cs

@@ -0,0 +1,13 @@
+using Riok.Mapperly.Abstractions;
+using Volo.Abp.Mapperly;
+using Volo.Abp.OpenIddict.Applications;
+
+namespace Volo.Abp.OpenIddict;
+
+[Mapper(RequiredMappingStrategy = RequiredMappingStrategy.Target)]
+public partial class OpenIddictApplicationToOpenIddictApplicationEtoMapper : MapperBase<OpenIddictApplication, OpenIddictApplicationEto>
+{
+    public override partial OpenIddictApplicationEto Map(OpenIddictApplication source);
+
+    public override partial void Map(OpenIddictApplication source, OpenIddictApplicationEto destination);
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/AbpOpenIddictDomainModule.cs

@@ -8,6 +8,7 @@ using Volo.Abp.BackgroundWorkers;
 using Volo.Abp.Caching;
 using Volo.Abp.DistributedLocking;
 using Volo.Abp.Domain;
+using Volo.Abp.Domain.Entities.Events.Distributed;
 using Volo.Abp.Guids;
 using Volo.Abp.Identity;
 using Volo.Abp.Modularity;
@@ -18,6 +19,7 @@ using Volo.Abp.OpenIddict.Authorizations;
 using Volo.Abp.OpenIddict.Scopes;
 using Volo.Abp.OpenIddict.Tokens;
 using Volo.Abp.Threading;
+using Volo.Abp.Users;
 
 namespace Volo.Abp.OpenIddict;
 
@@ -36,6 +38,15 @@ public class AbpOpenIddictDomainModule : AbpModule
     public override void ConfigureServices(ServiceConfigurationContext context)
     {
         AddOpenIddictCore(context.Services);
+
+        context.Services.AddMapperlyObjectMapper<AbpOpenIddictDomainModule>();
+
+        Configure<AbpDistributedEntityEventOptions>(options =>
+        {
+            options.EtoMappings.Add<OpenIddictApplication, OpenIddictApplicationEto>(typeof(AbpOpenIddictDomainModule));
+
+            options.AutoEventSelectors.Add<OpenIddictApplication>();
+        });
     }
 
     public override void OnApplicationInitialization(ApplicationInitializationContext context)

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/Applications/AbpApplicationFinder.cs

@@ -0,0 +1,31 @@
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Domain.Repositories;
+
+namespace Volo.Abp.OpenIddict.Applications;
+
+public class AbpApplicationFinder : IApplicationFinder, ITransientDependency
+{
+    protected IOpenIddictApplicationRepository ApplicationRepository { get; }
+
+    public AbpApplicationFinder(IOpenIddictApplicationRepository applicationRepository)
+    {
+        ApplicationRepository = applicationRepository;
+    }
+
+    public virtual async Task<List<ApplicationFinderResult>> SearchAsync(string filter, int page = 1)
+    {
+        using (ApplicationRepository.DisableTracking())
+        {
+            page = page < 1 ? 1 : page;
+            var applications = await ApplicationRepository.GetListAsync(nameof(OpenIddictApplication.CreationTime), filter: filter, skipCount: (page - 1) * 10, maxResultCount: 10);
+            return applications.Select(x => new ApplicationFinderResult
+            {
+                Id = x.Id,
+                ClientId = x.ClientId
+            }).ToList();
+        }
+    }
+}

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/Applications/AbpApplicationManager.cs

@@ -6,29 +6,35 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using OpenIddict.Abstractions;
 using OpenIddict.Core;
+using Volo.Abp.EventBus.Distributed;
 
 namespace Volo.Abp.OpenIddict.Applications;
 
 public class AbpApplicationManager : OpenIddictApplicationManager<OpenIddictApplicationModel>, IAbpApplicationManager
 {
     protected AbpOpenIddictIdentifierConverter IdentifierConverter { get; }
+    protected IDistributedEventBus DistributedEventBus { get; }
 
     public AbpApplicationManager(
         [NotNull] IOpenIddictApplicationCache<OpenIddictApplicationModel> cache,
         [NotNull] ILogger<AbpApplicationManager> logger,
         [NotNull] IOptionsMonitor<OpenIddictCoreOptions> options,
         [NotNull] IOpenIddictApplicationStore<OpenIddictApplicationModel> resolver,
-        AbpOpenIddictIdentifierConverter identifierConverter)
+        AbpOpenIddictIdentifierConverter identifierConverter,
+        IDistributedEventBus distributedEventBus)
         : base(cache, logger, options, resolver)
     {
         IdentifierConverter = identifierConverter;
+        DistributedEventBus = distributedEventBus;
     }
 
-    public async override ValueTask UpdateAsync(OpenIddictApplicationModel application, CancellationToken cancellationToken = default)
+    public override async ValueTask UpdateAsync(OpenIddictApplicationModel application, CancellationToken cancellationToken = default)
     {
+        var entity = await Store.FindByIdAsync(IdentifierConverter.ToString(application.Id), cancellationToken);
+        var oldClientId = entity?.ClientId;
+
         if (!Options.CurrentValue.DisableEntityCaching)
         {
-            var entity = await Store.FindByIdAsync(IdentifierConverter.ToString(application.Id), cancellationToken);
             if (entity != null)
             {
                 await Cache.RemoveAsync(entity, cancellationToken);
@@ -36,9 +42,21 @@ public class AbpApplicationManager : OpenIddictApplicationManager<OpenIddictAppl
         }
 
         await base.UpdateAsync(application, cancellationToken);
+
+        if (oldClientId != null &&
+            application.ClientId != null &&
+            oldClientId != application.ClientId)
+        {
+            await DistributedEventBus.PublishAsync(new OpenIddictApplicationClientIdChangedEto
+            {
+                Id = application.Id,
+                OldClientId = oldClientId,
+                ClientId = application.ClientId
+            });
+        }
     }
 
-    public async override ValueTask PopulateAsync(OpenIddictApplicationDescriptor descriptor, OpenIddictApplicationModel application, CancellationToken cancellationToken = default)
+    public override async ValueTask PopulateAsync(OpenIddictApplicationDescriptor descriptor, OpenIddictApplicationModel application, CancellationToken cancellationToken = default)
     {
         await base.PopulateAsync(descriptor, application, cancellationToken);
 
@@ -60,7 +78,7 @@ public class AbpApplicationManager : OpenIddictApplicationManager<OpenIddictAppl
         }
     }
 
-    public async override ValueTask PopulateAsync(OpenIddictApplicationModel application, OpenIddictApplicationDescriptor descriptor, CancellationToken cancellationToken = default)
+    public override async ValueTask PopulateAsync(OpenIddictApplicationModel application, OpenIddictApplicationDescriptor descriptor, CancellationToken cancellationToken = default)
     {
         await base.PopulateAsync(application, descriptor, cancellationToken);
 

modules/openiddict/src/Volo.Abp.OpenIddict.Domain/Volo/Abp/OpenIddict/Applications/IOpenIddictApplicationRepository.cs

@@ -11,7 +11,7 @@ public interface IOpenIddictApplicationRepository : IBasicRepository<OpenIddictA
     Task<List<OpenIddictApplication>> GetListAsync(string sorting, int skipCount, int maxResultCount, string filter = null, CancellationToken cancellationToken = default);
 
     Task<long> GetCountAsync(string filter = null, CancellationToken cancellationToken = default);
-    
+
     Task<OpenIddictApplication> FindByClientIdAsync(string clientId, CancellationToken cancellationToken = default);
 
     Task<List<OpenIddictApplication>> FindByPostLogoutRedirectUriAsync(string address, CancellationToken cancellationToken = default);

modules/openiddict/src/Volo.Abp.OpenIddict.MongoDB/Volo/Abp/OpenIddict/Applications/MongoOpenIddictApplicationRepository.cs

@@ -17,7 +17,7 @@ public class MongoOpenIddictApplicationRepository : MongoDbRepository<OpenIddict
     public MongoOpenIddictApplicationRepository(IMongoDbContextProvider<OpenIddictMongoDbContext> dbContextProvider) : base(dbContextProvider)
     {
     }
-    
+
     public virtual async Task<List<OpenIddictApplication>> GetListAsync(string sorting, int skipCount, int maxResultCount, string filter = null,
         CancellationToken cancellationToken = default)
     {

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/ClientResourcePermissionManagerExtensions.cs

@@ -0,0 +1,31 @@
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using JetBrains.Annotations;
+using Volo.Abp.Authorization.Permissions;
+
+namespace Volo.Abp.PermissionManagement;
+
+public static class ClientResourcePermissionManagerExtensions
+{
+    public static Task<PermissionWithGrantedProviders> GetForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId, string permissionName)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.GetAsync(permissionName, resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId);
+    }
+
+    public static Task<List<PermissionWithGrantedProviders>> GetAllForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.GetAllAsync(resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId);
+    }
+
+    public static Task SetForClientAsync([NotNull] this IResourcePermissionManager resourcePermissionManager, string resourceName, string resourceKey, string clientId, [NotNull] string permissionName, bool isGranted)
+    {
+        Check.NotNull(resourcePermissionManager, nameof(resourcePermissionManager));
+
+        return resourcePermissionManager.SetAsync(permissionName, resourceName, resourceKey, ClientPermissionValueProvider.ProviderName, clientId, isGranted);
+    }
+}

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/AbpPermissionManagementDomainOpenIddictModule.cs

@@ -1,6 +1,9 @@
-using Volo.Abp.Authorization.Permissions;
+using System;
+using Microsoft.Extensions.DependencyInjection;
+using Volo.Abp.Authorization.Permissions;
 using Volo.Abp.Modularity;
 using Volo.Abp.OpenIddict;
+using Volo.Abp.OpenIddict.Applications;
 
 namespace Volo.Abp.PermissionManagement.OpenIddict;
 
@@ -17,5 +20,17 @@ public class AbpPermissionManagementDomainOpenIddictModule : AbpModule
             options.ManagementProviders.Add<ApplicationPermissionManagementProvider>();
             options.ProviderPolicies[ClientPermissionValueProvider.ProviderName] = "OpenIddictPro.Application.ManagePermissions";
         });
+
+        context.Services.AddAbpOptions<PermissionManagementOptions>().PostConfigure<IServiceProvider>((options, serviceProvider) =>
+        {
+            // The IApplicationFinder implementation in OpenIddict Pro module for tiered application.
+            if (serviceProvider.GetService<IApplicationFinder>() == null)
+            {
+                return;
+            }
+
+            options.ResourceManagementProviders.Add<ApplicationResourcePermissionManagementProvider>();
+            options.ResourcePermissionProviderKeyLookupServices.Add<ApplicationResourcePermissionProviderKeyLookupService>();
+        });
     }
 }

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/ApplicationPermissionManagementProvider.cs

@@ -18,7 +18,6 @@ public class ApplicationPermissionManagementProvider : PermissionManagementProvi
             guidGenerator,
             currentTenant)
     {
-
     }
 
     public override Task<PermissionValueProviderGrantInfo> CheckAsync(string name, string providerName, string providerKey)
@@ -29,6 +28,14 @@ public class ApplicationPermissionManagementProvider : PermissionManagementProvi
         }
     }
 
+    public override Task<MultiplePermissionValueProviderGrantInfo> CheckAsync(string[] names, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(names, providerName, providerKey);
+        }
+    }
+
     protected override Task GrantAsync(string name, string providerKey)
     {
         using (CurrentTenant.Change(null))

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/ApplicationResourcePermissionManagementProvider.cs

@@ -0,0 +1,59 @@
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.Guids;
+using Volo.Abp.MultiTenancy;
+
+namespace Volo.Abp.PermissionManagement.OpenIddict;
+
+public class ApplicationResourcePermissionManagementProvider : ResourcePermissionManagementProvider
+{
+    public override string Name => ClientResourcePermissionValueProvider.ProviderName;
+
+    public ApplicationResourcePermissionManagementProvider(
+        IResourcePermissionGrantRepository resourcePermissionGrantRepository,
+        IGuidGenerator guidGenerator,
+        ICurrentTenant currentTenant)
+        : base(resourcePermissionGrantRepository, guidGenerator, currentTenant)
+    {
+    }
+
+    public override Task<ResourcePermissionValueProviderGrantInfo> CheckAsync(string name, string resourceName, string resourceKey, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(name, resourceName, resourceKey, providerName, providerKey);
+        }
+    }
+
+    public override Task<MultipleResourcePermissionValueProviderGrantInfo> CheckAsync(string[] names, string resourceName, string resourceKey, string providerName, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.CheckAsync(names, resourceName, resourceKey, providerName, providerKey);
+        }
+    }
+
+    public override Task SetAsync(string name,  string resourceName, string resourceKey, string providerKey, bool isGranted)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.SetAsync(name, resourceName, resourceKey, providerKey, isGranted);
+        }
+    }
+
+    protected override async Task GrantAsync(string name, string resourceName, string resourceKey, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            await base.GrantAsync(name, resourceName, resourceKey, providerKey);
+        }
+    }
+
+    protected override Task RevokeAsync(string name, string resourceName, string resourceKey, string providerKey)
+    {
+        using (CurrentTenant.Change(null))
+        {
+            return base.RevokeAsync(name, resourceName, resourceKey, providerKey);
+        }
+    }
+}

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/ApplicationResourcePermissionProviderKeyLookupService.cs

@@ -0,0 +1,39 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading;
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Localization;
+using Volo.Abp.OpenIddict.Applications;
+using Volo.Abp.OpenIddict.Localization;
+
+namespace Volo.Abp.PermissionManagement.OpenIddict;
+
+public class ApplicationResourcePermissionProviderKeyLookupService : IResourcePermissionProviderKeyLookupService, ITransientDependency
+{
+    public string Name => ClientResourcePermissionValueProvider.ProviderName;
+
+    public ILocalizableString DisplayName { get; }
+
+    protected IApplicationFinder ApplicationFinder { get; }
+
+    public ApplicationResourcePermissionProviderKeyLookupService(IApplicationFinder applicationFinder)
+    {
+        ApplicationFinder = applicationFinder;
+        DisplayName = LocalizableString.Create<AbpOpenIddictResource>(nameof(ApplicationResourcePermissionProviderKeyLookupService));
+    }
+
+    public virtual async Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string filter = null, int page = 1, CancellationToken cancellationToken = default)
+    {
+        var applications = await ApplicationFinder.SearchAsync(filter, page);
+        return applications.Select(x => new ResourcePermissionProviderKeyInfo(x.ClientId, x.ClientId)).ToList();
+    }
+
+    public virtual Task<List<ResourcePermissionProviderKeyInfo>> SearchAsync(string[] keys, CancellationToken cancellationToken = default)
+    {
+        // Keys are ClientIds
+        return Task.FromResult(keys.Select(x => new ResourcePermissionProviderKeyInfo(x, x)).ToList());
+    }
+}

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/OpenIddictApplicationClientIdChangedHandler.cs

@@ -0,0 +1,45 @@
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.EventBus.Distributed;
+using Volo.Abp.OpenIddict.Applications;
+
+namespace Volo.Abp.PermissionManagement.OpenIddict;
+
+public class OpenIddictApplicationClientIdChangedHandler :
+    IDistributedEventHandler<OpenIddictApplicationClientIdChangedEto>,
+    ITransientDependency
+{
+    protected IPermissionManager PermissionManager { get; }
+    protected IPermissionGrantRepository PermissionGrantRepository { get; }
+    protected IResourcePermissionManager ResourcePermissionManager { get; }
+    protected IResourcePermissionGrantRepository ResourcePermissionGrantRepository { get; }
+
+    public OpenIddictApplicationClientIdChangedHandler(
+        IPermissionManager permissionManager,
+        IPermissionGrantRepository permissionGrantRepository,
+        IResourcePermissionManager resourcePermissionManager,
+        IResourcePermissionGrantRepository resourcePermissionGrantRepository)
+    {
+        PermissionManager = permissionManager;
+        PermissionGrantRepository = permissionGrantRepository;
+        ResourcePermissionManager = resourcePermissionManager;
+        ResourcePermissionGrantRepository = resourcePermissionGrantRepository;
+    }
+
+    public async Task HandleEventAsync(OpenIddictApplicationClientIdChangedEto eventData)
+    {
+        var permissionGrantsInRole = await PermissionGrantRepository.GetListAsync(ClientPermissionValueProvider.ProviderName, eventData.OldClientId);
+        foreach (var permissionGrant in permissionGrantsInRole)
+        {
+            await PermissionManager.UpdateProviderKeyAsync(permissionGrant, eventData.ClientId);
+        }
+
+        var resourcePermissionGrantsInRole = await ResourcePermissionGrantRepository.GetListAsync(ClientResourcePermissionValueProvider.ProviderName, eventData.OldClientId);
+        foreach (var resourcePermissionGrant in resourcePermissionGrantsInRole)
+        {
+            await ResourcePermissionManager.UpdateProviderKeyAsync(resourcePermissionGrant, eventData.ClientId);
+        }
+    }
+}

modules/openiddict/src/Volo.Abp.PermissionManagement.Domain.OpenIddict/Volo/Abp/PermissionManagement/OpenIddict/OpenIddictApplicationDeletedEventHandler.cs

@@ -0,0 +1,31 @@
+using System.Threading.Tasks;
+using Volo.Abp.Authorization.Permissions;
+using Volo.Abp.Authorization.Permissions.Resources;
+using Volo.Abp.DependencyInjection;
+using Volo.Abp.Domain.Entities.Events.Distributed;
+using Volo.Abp.EventBus.Distributed;
+using Volo.Abp.OpenIddict.Applications;
+using Volo.Abp.Uow;
+
+namespace Volo.Abp.PermissionManagement.OpenIddict;
+
+public class OpenIddictApplicationDeletedEventHandler :
+    IDistributedEventHandler<EntityDeletedEto<OpenIddictApplicationEto>>,
+    ITransientDependency
+{
+    protected IPermissionManager PermissionManager { get; }
+    protected IResourcePermissionManager ResourcePermissionManager { get; }
+
+    public OpenIddictApplicationDeletedEventHandler(IPermissionManager permissionManager, IResourcePermissionManager resourcePermissionManager)
+    {
+        PermissionManager = permissionManager;
+        ResourcePermissionManager = resourcePermissionManager;
+    }
+
+    [UnitOfWork]
+    public virtual async Task HandleEventAsync(EntityDeletedEto<OpenIddictApplicationEto> eventData)
+    {
+        await PermissionManager.DeleteAsync(ClientPermissionValueProvider.ProviderName, eventData.Entity.ClientId);
+        await ResourcePermissionManager.DeleteAsync(ClientResourcePermissionValueProvider.ProviderName, eventData.Entity.ClientId);
+    }
+}

modules/permission-management/src/Volo.Abp.PermissionManagement.Domain/Volo/Abp/PermissionManagement/ResourcePermissionManagementProvider.cs

@@ -26,7 +26,7 @@ public abstract class ResourcePermissionManagementProvider : IResourcePermission
         CurrentTenant = currentTenant;
     }
 
-    public virtual async Task<ResourcePermissionValueProviderGrantInfo> CheckAsync(string name, string resourceName,string resourceKey, string providerName, string providerKey)
+    public virtual async Task<ResourcePermissionValueProviderGrantInfo> CheckAsync(string name, string resourceName, string resourceKey, string providerName, string providerKey)
     {
         var multiplePermissionValueProviderGrantInfo = await CheckAsync(new[] { name }, resourceName, resourceKey, providerName, providerKey);
 
@@ -55,7 +55,7 @@ public abstract class ResourcePermissionManagementProvider : IResourcePermission
         }
     }
 
-    public virtual Task SetAsync(string name,  string resourceName,string resourceKey, string providerKey, bool isGranted)
+    public virtual Task SetAsync(string name,  string resourceName, string resourceKey, string providerKey, bool isGranted)
     {
         return isGranted
             ? GrantAsync(name, resourceName, resourceKey, providerKey)