AzureAD / microsoft-identity-web

Helps creating protected web apps and web APIs with Microsoft identity platform and Azure AD B2C
MIT License

[Bug] Blazor wasm --hosted --auth SingleOrg. .NET 5 RC1 #595

Closed Henkolicious closed 3 years ago

Henkolicious commented 4 years ago

Which version of Microsoft Identity Web are you using?

Microsoft.Identity.Web 0.4.0-preview
Microsoft.Identity.Web.UI 0.4.0-preview

Where is the issue?

Repro

CLI dotnet new wasm --hosted --auth SingleOrg -n demo

SDK Microsoft.NETCore.App 5.0.0-rc.1.20451.14

Server.csproj

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
    <UserSecretsId>demo.Server-AB22CB38-9EB2-4625-AF20-EF6D5FB0B3E0</UserSecretsId>
    <WebProject_DirectoryAccessLevelKey>0</WebProject_DirectoryAccessLevelKey>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="5.0.0-rc.1.*" />
  </ItemGroup>

  <ItemGroup>
    <ProjectReference Include="..\Client\demo.Client.csproj" />
    <ProjectReference Include="..\Shared\demo.Shared.csproj" />
  </ItemGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.Identity.Web" Version="0.4.0-preview" />
    <PackageReference Include="Microsoft.Identity.Web.UI" Version="0.4.0-preview" />
  </ItemGroup>

</Project>

Server appsettings

  "AzureAd": {
    "Instance": "https://login.microsoftonline.com/",
    "Domain": "",
    "TenantId": "<guid>",
    "ClientId": "<guid>",
    "CallbackPath": "/login-callback"
  },

server validation

using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;
...
// Register the server as a protected web API: bearer tokens are validated
// against the tenant/client configured in the "AzureAd" section.
services
  .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
  .AddMicrosoftIdentityWebApi(Configuration.GetSection("AzureAd"));

Client.csproj

<Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">

  <PropertyGroup>
    <TargetFramework>net5.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="5.0.0-rc.1.*" />
    <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="5.0.0-rc.1.*" PrivateAssets="all" />
    <PackageReference Include="Microsoft.Authentication.WebAssembly.Msal" Version="5.0.0-rc.1.*" />
    <PackageReference Include="Microsoft.Extensions.Http" Version="5.0.0-rc.1.*" />
    <PackageReference Include="System.Net.Http.Json" Version="5.0.0-rc.1.*" />
  </ItemGroup>

  <ItemGroup>
    <ProjectReference Include="..\Shared\demo.Shared.csproj" />
  </ItemGroup>

</Project>

Client appsettings

 "AzureAd": {
    "Authority": "https://login.microsoftonline.com/<guid>",
    "ClientId": "<guid>",
    "ValidateAuthority": true
  }

Client program.cs

using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

namespace demo.Client
{
    public class Program
    {
        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("#app");

            // Named client for the hosted server API; the handler attaches the MSAL access token
            // to requests whose URL falls under the app's own base address.
            builder.Services.AddHttpClient("demo.ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
                .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

            // Supply HttpClient instances that include access tokens when making requests to the server project
            builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("demo.ServerAPI"));

            builder.Services.AddMsalAuthentication(options =>
            {
                builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
                // Scopes requested for the default access token, as configured in this repro.
                options.ProviderOptions.DefaultAccessTokenScopes.Add("profile");
                options.ProviderOptions.DefaultAccessTokenScopes.Add("user.read");
            });

            await builder.Build().RunAsync();
        }
    }
}

Client call

forecasts = await Http.GetFromJsonAsync<WeatherForecast[]>("WeatherForecast");

Expected behavior

Web-client gets authenticated. Server validates the JWT against AAD.

Actual behavior

Web-client gets authenticated. However, the server does not accept the JWT:

www-authenticate: Bearer error="invalid_token", error_description="The signature is invalid"

Additional context / logs / screenshots

Just wanted to let you know, but you probably already know this. Hope this is the right repo to report to, or that I did not miss something obvious.

Kind regards, Henrik

jennyf19 commented 4 years ago

@Henkolicious I think in the client program.cs, you need to have the scope for your blazorwasm server because that's what you're trying to get access to, for example:

  options.ProviderOptions.DefaultAccessTokenScopes.Add("api://a4c2469b-cf84-4145-8f5f-cb7bacf814bc/access_as_user");

and remove the other two lines:

   options.ProviderOptions.DefaultAccessTokenScopes.Add("profile");
   options.ProviderOptions.DefaultAccessTokenScopes.Add("user.read");
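As an added example (not code from this issue or from Microsoft.Identity.Web), the following Python script shows the check a practitioner would run before chasing "The signature is invalid": decode the bearer token's JOSE header and claims without verifying the signature and ask whether the token was issued for the API at all. A token minted for Microsoft Graph (aud is Graph's app id, scp like "profile User.Read", a nonce in the header) is only meant to be validated by Graph, so a resource API will always fail on its signature; the fix is the one suggested above, requesting the API's own scope so the audience becomes api://<client id>. The app id, tenant id and both sample tokens are constructed placeholders with a dummy signature.

```python
"""Triage of a rejected bearer token (added example, not code from this issue or
from Microsoft.Identity.Web). Decodes WITHOUT signature verification: use it for
diagnosis and logging only, never as an authorization decision.
"""
import base64
import json

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph's well-known application id
API_APP_ID = "11111111-2222-3333-4444-555555555555"    # constructed placeholder for our API's app id
TENANT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # constructed placeholder


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str):
    """Return (header, claims). No signature check is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def triage(token: str, api_app_id: str) -> dict:
    """Classify who the token is for. Azure AD emits the API audience as the bare app id
    (v2 tokens) or as api://<app id> (v1 tokens), so both forms are accepted as ours."""
    header, claims = decode_unverified(token)
    aud = claims.get("aud")
    audiences = [str(a) for a in (aud if isinstance(aud, list) else [aud])]
    ours = {api_app_id, f"api://{api_app_id}"}
    graph = {GRAPH_APP_ID, "https://graph.microsoft.com", "https://graph.microsoft.com/"}
    if any(a in ours for a in audiences):
        verdict = "ok"            # audience matches; a signature failure now is a real key/issuer problem
    elif any(a in graph for a in audiences):
        verdict = "graph_token"   # client asked for Graph scopes; request api://<app id>/<scope> instead
    else:
        verdict = "wrong_audience"
    return {
        "verdict": verdict,
        "aud": audiences,
        "scp": claims.get("scp"),
        "iss": claims.get("iss"),
        "ver": claims.get("ver"),
        "has_nonce_header": "nonce" in header,  # characteristic of Graph-issued tokens
    }


def make_sample_token(header: dict, claims: dict) -> str:
    """Build a constructed JWT with an all-zero dummy signature (a real validator must reject it)."""
    def enc(obj: dict) -> str:
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    return ".".join([enc(header), enc(claims), _b64url_encode(b"\x00" * 32)])


# Shape of the token the issue's client config ("profile", "user.read") obtains: a Graph token.
GRAPH_SHAPED = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid", "nonce": "constructed-nonce"},
    {"aud": GRAPH_APP_ID, "iss": f"https://sts.windows.net/{TENANT_ID}/",
     "scp": "profile User.Read", "ver": "1.0"},
)

# Shape of the token obtained after requesting api://<app id>/access_as_user: a token for our API.
API_SHAPED = make_sample_token(
    {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"},
    {"aud": f"api://{API_APP_ID}", "iss": f"https://sts.windows.net/{TENANT_ID}/",
     "scp": "access_as_user", "ver": "1.0"},
)

if __name__ == "__main__":
    for label, tok in (("graph-shaped", GRAPH_SHAPED), ("api-shaped", API_SHAPED)):
        print(label, triage(tok, API_APP_ID))
```

Paste the token from the failing request's Authorization header in place of the constructed samples; a "graph_token" verdict means the server's validation was never going to succeed and the client's DefaultAccessTokenScopes are what need changing, while an "ok" verdict means the signature error is a genuine key, issuer or tenant mismatch worth debugging on the server side.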
jennyf19 commented 4 years ago

@Henkolicious did the above work for you?

Henkolicious commented 4 years ago

> @Henkolicious did the above work for you?

@jennyf19 Have not gotten around to it yet, I'll try to test it sometime this week and I'll get back to you. Thanks 👍

jmprieur commented 3 years ago

@Henkolicious : we tested Microsoft.Identity.Web with .NET 5 RC2, and RTM. Proposing to close this issue, but feel free to reopen if this does not work for you