### Description
Service is a gRPC service written in ASP.NET Core 8.0. The service receives tokens from an Angular SPA application that manages all the token obtention logic. We tried to use `Microsoft.Identity.Web` to fulfill both the Authentication and the Authorization pipelines in the app. The token emitting entity is Azure Active Directory (now Microsoft Entra ID).

The token is valid and successfully retrieved from the front-channel app, but when that token is used to communicate with the gRPC application the entire authentication pipeline succeeds and the token is valid, but the `HttpContext.ClaimsPrincipal` property is not populated (is marked as `IsAuthenticated = false`), thus failing with the gRPC error code 16 for not authorized when the `[Authorize]` decorator is used on the service class.
### Reproduction steps
1. Scaffold a basic gRPC service using `dotnet new` or the Visual Studio template selector.
2. Add the code snippets for the files required.
3. Configure a front-channel app in Azure AD and an API app for the service.
4. Get a token with the front-channel app and use that token with Postman or whatever other service to call the protected API.
5. Check the empty claims in the debugger.
### Error message
```text
info: Microsoft.Hosting.Lifetime[14]
Now listening on: https://localhost:7041
info: Microsoft.Hosting.Lifetime[14]
Now listening on: http://localhost:5110
info: Microsoft.Hosting.Lifetime[0]
Application started. Press Ctrl+C to shut down.
info: Microsoft.Hosting.Lifetime[0]
Hosting environment: Development
info: Microsoft.Hosting.Lifetime[0]
Content root path: Z:\Repos\Cafler.Greenfield\Api\Internal\Cafler.Api.Product.Internal
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
Microsoft.IdentityModel Version: 8.0.1.0. Date 07/24/2024 23:15:03. PII logging is OFF. See https://aka.ms/IdentityModel/PII for details.
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10242: Security token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' has a valid signature.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10237: ValidateIssuerSigningKey property on ValidationParameters is set to false. Exiting without validating the issuer signing key.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10239: Lifetime of the token is valid.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10234: Audience Validated.Audience: '1649588b-cd93-42f9-bbb4-d8db8ce706d8'
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21811: Deserializing the string: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' obtained from metadata endpoint into openIdConnectConfiguration object.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21812: Retrieving json web keys from: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX20805: Obtaining information from metadata endpoint: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX21813: Deserializing json web keys: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10806: Deserializing json: '[PII of type 'System.String' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]' into 'Microsoft.IdentityModel.Tokens.JsonWebKeySet'.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10246: ValidateTokenReplay property on ValidationParameters is set to false. Exiting without validating the token replay.
dbug: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10255: TypeValidator property on ValidationParameters is null and ValidTypes is either null or empty. Exiting without validating the token type.
info: Microsoft.IdentityModel.LoggingExtensions.IdentityLoggerAdapter[0]
IDX10245: Creating claims identity from the validated token: '[PII of type 'Microsoft.IdentityModel.JsonWebTokens.JsonWebToken' is hidden. For more details, see https://aka.ms/IdentityModel/PII.]'.
dbug: Grpc.AspNetCore.Server.ServerCallHandler[10]
Reading message.
```
### Relevant code snippets
Program.cs

```csharp
// The Web SDK's implicit usings are assumed for the ASP.NET Core namespaces.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

public class Program
{
    // The value of this key is not given in the report; "AzureAd" is the
    // conventional section name and is assumed here.
    private const string DirectoryConfigsKeyName = "AzureAd";

    public static void Main(string[] args)
    {
        WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
        builder.Services.AddApplicationInsightsTelemetry(config =>
        {
            config.ConnectionString = Environment.GetEnvironmentVariable("APPLICATIONINSIGHTS_CONNECTION_STRING");
        });
        builder.Services.AddGrpc();
        //builder.Services.AddHttpContextAccessor();
        //builder.Services.AddHttpClient();
        // Add services to the container.
        // Business services injection removed
        // JWT bearer authentication backed by Microsoft.Identity.Web, bound to the
        // configuration section named above.
        builder.Services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection(DirectoryConfigsKeyName));
        builder.Services.AddAuthorization();
        // Mediatr config removed
        if (builder.Environment.IsDevelopment())
        {
            builder.Services.AddGrpcReflection();
        }
        WebApplication app = builder.Build();
        // Configure the HTTP request pipeline.
        if (app.Environment.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.MapGrpcReflectionService();
        }
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        // gRPC mappings removed
        // Requires AddGrpcHealthChecks() among the registrations removed above.
        app.MapGrpcHealthChecksService();
        app.Run();
    }
}
```
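As an added diagnostic variant of the setup above (example code, not the reporter's Program.cs), this hooks the JWT bearer events of the scheme that Microsoft.Identity.Web registers and reads the principal from inside a gRPC handler, so the log shows which scheme validated the token and whether the resulting identity carries an authentication type. It assumes the default template's `greet.proto` types and an `AzureAd` configuration section.

```csharp
using Grpc.Core;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddGrpc();
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd")); // section name assumed
builder.Services.AddAuthorization();
// Hook the bearer events of the scheme Microsoft.Identity.Web registered. A ClaimsIdentity
// reports IsAuthenticated == true only when AuthenticationType is non-empty, so log that too.
builder.Services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
{
    options.Events ??= new JwtBearerEvents();
    options.Events.OnTokenValidated = ctx =>
    {
        var id = ctx.Principal?.Identity;
        ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>().LogInformation(
            "Validated by {Scheme}: IsAuthenticated={Auth} AuthType={Type} Claims={Count}",
            ctx.Scheme.Name, id?.IsAuthenticated, id?.AuthenticationType, ctx.Principal?.Claims.Count() ?? 0);
        return Task.CompletedTask;
    };
    // A 401 challenge is what the gRPC client sees as status 16 (UNAUTHENTICATED); log why it fired.
    options.Events.OnChallenge = ctx =>
    {
        ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>().LogWarning(
            "Challenge: error={Error} desc={Desc} failure={Failure}",
            ctx.Error, ctx.ErrorDescription, ctx.AuthenticateFailure?.Message);
        return Task.CompletedTask;
    };
});
var app = builder.Build();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.MapGrpcService<GreeterService>();
app.Run();

// Service for the default template's greet.proto (assumed); a gRPC handler reaches the
// principal through the underlying HttpContext rather than a controller property.
[Authorize]
public class GreeterService : Greeter.GreeterBase
{
    public override Task<HelloReply> SayHello(HelloRequest request, ServerCallContext context)
    {
        var user = context.GetHttpContext().User;
        var oid = user.GetObjectId() ?? "(no oid claim)"; // Microsoft.Identity.Web extension method
        return Task.FromResult(new HelloReply { Message = $"Hello {request.Name}, caller {oid}" });
    }
}
```

If `OnTokenValidated` logs a principal with a non-empty `AuthType` but the handler still sees `IsAuthenticated == false`, the identity was produced under a scheme other than the one the authorization policy resolves, which is the first thing to compare.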
### Regression
_No response_
### Expected behavior
We expect the library to fill out the ClaimsIdentity property as intended and demonstrated in the official documentation.
### Microsoft.Identity.Web Library
Microsoft.Identity.Web
### Microsoft.Identity.Web version
3.0.1
### Web app
Sign-in users and call web APIs
### Web API
Protected web APIs (validating tokens)
### Token cache serialization
Not Applicable
### Id Web logs
_No response_