damienbod / Blazor.BFF.AzureB2C.Template

Blazor.BFF.AzureB2C.Template, Blazor WASM hosted in ASP.NET Core using Azure B2C BFF (server authentication) and Microsoft Graph
https://www.nuget.org/packages/Blazor.BFF.AzureB2C.Template
MIT License

Template for Blazor WASM not Hosted #29

Open Gareth064 opened 2 years ago

Gareth064 commented 2 years ago

Hi @damienbod, have you ever done this, or got it on the list of things to try for the future? My app architecture is an ASP.NET BFF server and a standalone Blazor WASM app. I have been trying to hack this template so it isn't intertwined with the WASM Hosted approach, but I am struggling with it.

hugh-maaskant commented 2 years ago

Hi @Gareth064, As far as I understand it, the BFF solution only works because the Blazor WASM client app is hosted on the same domain as the BFF Server. But I am not a security expert, as may be seen from my own issue on this repo :-), which I have not been able to resolve yet, unfortunately.

It would be great to have a non-hosted solution, as then the Blazor app could e.g. be distributed through a content delivery network. So I'll keep an eye out for any responses.

Cheers, Hugh

Gareth064 commented 2 years ago

When we say the same site, if my WASM app is www.app.mysite.com and my API was www.mysite.com, would that not qualify as same site?

hugh-maaskant commented 2 years ago

Yes, I think it would: see https://web.dev/same-site-same-origin/

damienbod commented 2 years ago

If you use a standalone Blazor WASM, then you would require two auth flows for the apps: one for the WASM and one for the API. A public client, OpenID Connect code flow with PKCE, is then used for the SPA part, and the API is protected using OAuth with either access tokens or reference tokens and introspection.

By hosting the WASM in the backend, only a single auth flow is required and the security is moved to the trusted backend.

Greetings Damien

Gareth064 commented 2 years ago

Hi Damien

I'm a little confused about needing two auth flows if you have a standalone client (by the way, this is what I have now and want to move away from). From everything I have been reading and watching regarding BFF, one of the biggest advantages is that the auth always and only happens on the server.

Is having to use Blazor WASM Hosted, to achieve this, a limitation of Blazor WASM itself?

When it comes to the JS based client-side apps that use BFF, do those JS apps have to be hosted from the same Backend Server where the auth is happening as well?

damienbod commented 2 years ago

With BFF, when you host the UI part on the same domain, then you can do the auth on the server with a confidential client. Any JS apps hosted on different domains cannot use BFF with cookie protection and server auth.
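The same-site question raised earlier in the thread (www.app.mysite.com versus www.mysite.com) and the "same domain" requirement in the reply above come down to how a browser decides whether to attach a SameSite cookie. The following is an added example, not code from the template repository, that classifies two URLs as same-origin, same-site or cross-site the way browsers do; it assumes a small hard-coded public-suffix set in place of the full Public Suffix List.

```javascript
// Added example, not code from the Blazor.BFF.AzureB2C.Template project.
// Assumption: a tiny hard-coded public-suffix set stands in for the full
// Public Suffix List that real browsers consult.
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io", "azurewebsites.net"]);

// Registrable domain (eTLD+1): one label more than the longest public suffix.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return labels.join("."); // no known suffix (e.g. localhost): the host itself is the site
}

// "Schemeful" same-site: the scheme must match as well as the registrable domain.
function relation(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  if (ua.origin === ub.origin) return "same-origin";
  if (ua.protocol === ub.protocol &&
      registrableDomain(ua.hostname) === registrableDomain(ub.hostname)) {
    return "same-site";
  }
  return "cross-site";
}

// Would a SameSite=Strict (or Lax) session cookie issued by the BFF be attached
// to a fetch() from a page at appUrl against the BFF at apiUrl? Only when the
// two are same-site; a cross-site host such as a CDN never sends it.
function bffCookieAttached(appUrl, apiUrl) {
  return relation(appUrl, apiUrl) !== "cross-site";
}

// Constructed sample hosts mirroring the thread's question.
const CASES = [
  ["https://www.app.mysite.com", "https://www.mysite.com"],   // same-site
  ["https://www.mysite.com/app", "https://www.mysite.com/api"], // same-origin (hosted WASM)
  ["https://cdn.example.net", "https://www.mysite.com"],       // cross-site (CDN-hosted app)
  ["http://www.app.mysite.com", "https://www.mysite.com"],     // cross-site (scheme differs)
  ["https://alice.github.io", "https://bob.github.io"],        // cross-site (public suffix)
];
for (const [app, api] of CASES) {
  console.log(`${app} -> ${api}: ${relation(app, api)}, cookie attached: ${bffCookieAttached(app, api)}`);
}
```

A same-site but cross-origin app still needs the BFF to answer with CORS headers that allow credentials, which the hosted (same-origin) layout the reply describes avoids entirely.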