InvalidOperationException: The registered callback PersistNonce must be associated with a component or define an explicit render mode type during registration

[richardu]

Hi Damien,

Your BlazorWebMeID app looks really great - I can't believe that Entra Auth is missing from the Blazor Web App templates.

I had an issue getting it working though and I can't quite work out how to fix it.

The exception and call stack is as follows:

System.InvalidOperationException: The registered callback PersistNonce must be associated with a component or define an explicit render mode type during registration.
   at Microsoft.AspNetCore.Components.Infrastructure.ComponentStatePersistenceManager.InferRenderModes(Renderer renderer)
   at Microsoft.AspNetCore.Components.Infrastructure.ComponentStatePersistenceManager.<>c__DisplayClass9_0.<<PersistStateAsync>g__PauseAndPersistState|0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Components.Endpoints.EndpointHtmlRenderer.PrerenderPersistedStateAsync(HttpContext httpContext)
   at Microsoft.AspNetCore.Components.Endpoints.RazorComponentEndpointInvoker.RenderComponentCore(HttpContext context)
   at Microsoft.AspNetCore.Components.Endpoints.RazorComponentEndpointInvoker.RenderComponentCore(HttpContext context)
   at Microsoft.AspNetCore.Components.Rendering.RendererSynchronizationContext.<>c.<<InvokeAsync>b__10_0>d.MoveNext()
--- End of stack trace from previous location ---
   at Microsoft.AspNetCore.Authorization.AuthorizationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at NetEscapades.AspNetCore.SecurityHeaders.SecurityHeadersMiddleware.Invoke(HttpContext context) in /_/src/NetEscapades.AspNetCore.SecurityHeaders/SecurityHeadersMiddleware.cs:line 68
   at Microsoft.AspNetCore.Diagnostics.DeveloperExceptionPageMiddlewareImpl.Invoke(HttpContext context)

I noticed you removed the BlazorNonceService registration from Program.cs (although replacing them didn't fix the issue):

builder.Services.TryAddEnumerable(
    ServiceDescriptor.Scoped<CircuitHandler, BlazorNonceService>(sp => sp.GetRequiredService<BlazorNonceService>()));
builder.Services.AddScoped<BlazorNonceService>();

The other nonce-related code is still present.

Please can you help?

Many thanks, Richard

[damienbod]

Hi @richardu

Thanks for your feedback. The project BlazorWebMeID is broken at present. I was hoping MS would provide a solution for the nonce with Blazor WASM mode. At present it is not possible to use Blazor WASM and a nonce and so weak security.

Use HostedBlazorMeID project instead or server rendered mode only. Both of these can use a CSP nonce. The problem is that a nonce cannot be used when WASM is used in the new Blazor. .NET 8 and the new Blazor no longer supports this. You should only use server rendered mode or reduce the security of the application if you want to use the new Blazor with WASM

I would use Blazor server mode if you want to use the "new" Blazor or stay with the old Blazor and then you can use Blazor WASM with a nonce.

Hope this helps.

Example of new Blazor with nonce (server only):

https://github.com/damienbod/BlazorServerOidc/tree/main/BlazorWebFromBlazorServerOidc

Hosted WASM Blazor (old)

https://github.com/damienbod/Hostedblazor8MeID/tree/main/HostedBlazorMeID

If you want to go with the less secure "new" Blazor WASM and weak CSP

https://github.com/damienbod/BlazorServerOidc/tree/main/BlazorServerOidc

Greetings Damien

I will update this project to use server only mode so this bug is removed.

[damienbod]

Deployed a working version with weak security now. I would not use this in prod.

I recommend a Blazor version which supports CSP nonce

[richardu]

Great stuff, thanks very much @damienbod. Let's hope MS fix this issue in .NET 9 if not before...

[richardu]

Hi Damien,

I have another couple of questions relating to these solutions:

• how would one get an access_token in order to use SignalR in the client (in InteractiveAuto mode)? Would it be possible to call the internal API to obtain it or is there a better way?

• When calling the internal API using the HttpClient, it sometimes returns a 302 (to the MS login flow) even though the authentication state in the client appears to be valid. Shouldn't the cookie+auth ensure that this never happens?

Thanks, Richard