Open Ponant opened 1 year ago
Hi @Ponant
I set the Azure App registration up like any server rendered application (Web). The auth adds to id_token, but a secret or a certificate is used. If an access token is used, then the code flow is used. This is how MSAL does this.
I have 2 Azure App registrations, one for the API and the user delegated flows and one for the Graph application client which requires a separate secret or certificate. If you do not require MS Graph then you can remove this.
The Microsoft templates set up two separate applications, one for the frontend and one for the backend. The WASM is a public app and shares the token in the browser, which is no longer recommended best practice.
I used the _Host file to add anti-forgery protection because cookies are used to access the server part. If you use the index.html, you cannot do this. You could also use a custom header and then the index.html would work (PWA support). I have an example of how to do this as well.
Let me know if something is unclear and I will improve the docs.
-Do you have one or two app registrations (server and client)? one client for both => server rendered Web app with secret
Greetings Damien
Dear Damien, Thank you for your detailed response. I think it will be of help to others to have this kind of information in the readme. OK, that what I was thinking. Actually, my situation is somewhat different and I am trying to understand if I can use your template or what kind of modifications I can put into it.
My situation is a web app hosted on Azure and I use Azure B2C. All fine and great. However, the web app is Razor Pages with also controllers. B2C returns a token to the app and the app sets a cookie in the browser. Now, I would like to use Blazor components injected in the web app. That is possible and I am starting to implement it. The reason is of course UX. For example, I have an upload files form and button and I would like to use a Blazor component to avoid refreshing the page. So, I guess, I have to use something along the lines of your template, but yours delivers a full WASM app.
If you have an opinion on that I would surely welcome it as my experience in wasm and spa's in general is fairly limited.
Besides this, it is a nice trick you did with the _Host vs index.html. At least I learned you can use a cshtml file to host the Blazor app....
A bit like here on github: when we insert a comment, the page does not refresh.
And of course the underlying idea is to have a bff model as I do strongly believe that tokens should not live in the browser neither.
Dear Damien,
I come back after tweaking a bit your template and after reading the Duende team on youtube.
So far your template uses a `SameSite.Strict` antiforgery cookie, but the auth cookie is set to Lax.
So I made a quick add:

```csharp
// Force the ASP.NET Core auth cookie to SameSite=Strict (the template leaves it at Lax)
services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, options =>
{
    options.Cookie.SameSite = SameSiteMode.Strict;
});
```

and the `Asp.NetCore.Cookie` gets set to `Strict`, but logout returns a `Status Code 400` (controller action never hit), and refreshing that logout page gives `404`. Indeed, the account controller ctor is not even hit.
No idea why that is so and how to circumvent it? I think it will be a good improvement, and I am happy to help but I need some guidance I believe.
hello, I think there is an issue with the choice of having a post submit form for the logout for a spa. Going beyond this, it is not clear now how you would submit say an image to the server to hit a controller up there with the cookie. Edit: to support this, I checked out the Duende BFF template, and they have a todo api but only for spa's based on JS, not blazor wasm.
The Logout needs to come from the full page and not a js request, then it works as in the template.
I set the LAX because the redirect comes from the WASM UI, tried to set this to strict at first
It works if we make a GET request, `<a href="api/Account/Logout">link logout</a>`, change the logout action to `HttpGet` and drop the antiforgery.
But in this case you get an infinite loop login-logout, which probably can be fixed.
However, the bigger issue for me is how to do a simple todo api, where the controller is on the same server. I do not see how and it seems the Duende team did not provide such a template. Perhaps a limitation of blazor? (they have BFF Todo templates for JS spa).
Also you do not need the Microsoft Identity UI (at least not in my case where I did not need the Graph and external API calls). And `AddControllers` is sufficient instead of `AddControllersWithViews`.
I still hope to fix it to be able to set up a simple todo, but the fact that Duende did not provide a sample for Blazor WASM makes me think that it might be a limitation of Blazor (as of today). Any thought?
Worth noting also is that whenever we log in or log out, there is an extra question mark in the URL before redirecting to Azure B2C: `api/account/login?`
This template has a simple todo API
Can you not just create a new application using the template? Then post logout and a simple API will work for you.
I have setup all these things (in production as well) and the template should be a good start, simple APIs and everything working. If you need a PWA, it needs some changes.
But you are using Lax for the Asp.NetCore cookie, right? It works with Lax, not Strict for the auth cookie (I did not succeed). If you are confident it should work for strict, I will dig into it.
I think this is to do with the Azure B2C IDP, will look into this
I can help if you want. I have quite a few different custom policies, so if you have some hints on where I can look at, I will gladly do it in parallel to your investigation.
Dear Damien,
It is not clear if BFF requires the auth cookie to be `HttpOnly`. If I configure it to false, then I can do a POST with a `SameSite.Strict`.
It would seem logical because I do not see how you can use a spa to send a cookie to the server without JS.
Any thought?
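The cookie, antiforgery and logout questions raised in this thread, put together in one server-side configuration as an added example (this is not the template's or Microsoft's code). It assumes Microsoft.Identity.Web with a configuration section named `AzureAdB2C`, the Web SDK implicit usings, and an `X-XSRF-TOKEN` header and `api/Account/Todo` route chosen here, not taken from the thread. It keeps the auth cookie HttpOnly instead of relaxing it, and uses a header-carried antiforgery token so the client does not need _Host.cshtml.

```csharp
// Added example, not the template's or Microsoft's own code. Assumes Microsoft.Identity.Web
// wires the cookie + OIDC schemes for Azure B2C and the Web SDK implicit usings; the
// "AzureAdB2C" section, X-XSRF-TOKEN names and the Todo route are assumptions.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddMicrosoftIdentityWebAppAuthentication(builder.Configuration, "AzureAdB2C");
// Auth cookie: HttpOnly stays on (only the browser needs it), and Lax rather than Strict,
// because the redirect back from B2C is a cross-site top-level navigation.
builder.Services.Configure<CookieAuthenticationOptions>(CookieAuthenticationDefaults.AuthenticationScheme, o =>
{
    o.Cookie.HttpOnly = true;
    o.Cookie.SameSite = SameSiteMode.Lax;
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
});
// Antiforgery cookie is only read on same-site requests, so Strict fits; HeaderName lets the
// WASM client send the token in a header, so index.html hosting works as well as _Host.cshtml.
builder.Services.AddAntiforgery(o => { o.HeaderName = "X-XSRF-TOKEN"; o.Cookie.SameSite = SameSiteMode.Strict; });
builder.Services.AddControllers();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Publish the request token in a readable cookie for the client; the auth cookie stays HttpOnly.
app.Use(async (ctx, next) =>
{
    var tokens = ctx.RequestServices.GetRequiredService<IAntiforgery>().GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!,
        new CookieOptions { HttpOnly = false, SameSite = SameSiteMode.Strict, Secure = true });
    await next();
});
app.MapControllers();
app.Run();
[ApiController, Route("api/[controller]")]
public class AccountController : ControllerBase
{
    // Logout is a full-page form POST carrying the hidden __RequestVerificationToken field,
    // not a fetch call: SignOut answers with a redirect to B2C that the browser must follow.
    [HttpPost("Logout"), ValidateAntiForgeryToken]
    public IActionResult Logout() => SignOut(new AuthenticationProperties { RedirectUri = "/" },
        CookieAuthenticationDefaults.AuthenticationScheme, OpenIdConnectDefaults.AuthenticationScheme);
    // Same-server API: the browser attaches the auth cookie, the client adds X-XSRF-TOKEN
    // read from the XSRF-TOKEN cookie, and the token is validated before the action runs.
    [HttpPost("Todo"), ValidateAntiForgeryToken, Authorize]
    public IActionResult AddTodo([FromBody] string title) => Ok(new { title });
}
```

The client reads the `XSRF-TOKEN` cookie and either sends its value in the `X-XSRF-TOKEN` header on fetch calls or renders it as the hidden `__RequestVerificationToken` field of the logout form.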
Will look at this hopefully this weekend
Dear Damien, sorry to bother with a perhaps silly question. I am trying to figure out if I am going to switch an app to use BFF on Azure B2C, so I came across your template.
- In terms of app registration on the portal, how do you set this up?
- Do you have one or two app registrations (server and client)?
- It seems the auth is using the implicit flow?
Besides this, I am trying to figure out the difference between your template and the Blazor Wasm Hosted that comes from Microsoft? Why did you put the _Host.cshtml in the server, instead of the index.html in the client that comes from the MS Blazor Hosted Wasm template?
Any further clarification is welcomed. Thank you