[Authorize(Roles = "Resource.Read")]

[AidanTfL]

I have an ASP.NET Core React Project. It has 1 controller that is the C# backend API to my React frontend. This project is deployed in to an Azure App Service with EasyAuth enabled.

I've been using the NEasyAuthMiddleware package without the Authorize attribute and it has worked great. NEasyAuthMiddleware has been fantastic for allowing us to mock EasyAuth when dev'ing locally/ running tests, and fetch the /auth/.me in an intuitive way through enabling the use of HttpContext.User.Identity.Name. Great work - thanks for this.

The issue I am experiencing is to do with caching. When the token expires, the browser still attempts to make calls to the backend API from a cached version. All these calls return a 302 redirect. This shows as a CORS error from Microsoft Login Server.

To resolve this, I thought it'd be wise to add in the [Authorize] attribute above my backend API controller class. When I do this, it doesn't seem to integrate with EasyAuth.

Instead, it displays a login popup. Is this behavior as expected?

[dasiths]

• Are you using AzureAD as your IdP? If you're not using the authorize attribute, but hosted behind the EasyAuth service the controller is still protected but you won't be able to give specific users access to certain controllers/methods. In my example I use the authorize attribute to give access only to people who have the "Resource.Read" role. Have a look here if you need a refresher https://github.com/blowdart/AspNetAuthorizationWorkshop

• The popup for credentials is showing up because your auth scheme is being challenged. There are many reason why this would be happening. Host the sample app https://github.com/dasiths/NEasyAuthMiddleware/tree/master/NEasyAuthMiddleware.Sample and if you can replicate the behaviour.

• There are many ways to handle the Token expiry issue. You can request a refresh token as described here https://docs.microsoft.com/en-us/azure/app-service/app-service-authentication-how-to#refresh-identity-provider-tokens. In the past I've had a service trigger every 5 minutes on the front end that calls the refresh endpoint. This way you won't have to worry about expired tokens.

function refreshTokens() {
  let refreshUrl = "/.auth/refresh";
  $.ajax(refreshUrl) .done(function() {
    console.log("Token refresh completed successfully.");
  }) .fail(function() {
    console.log("Token refresh failed. See application logs for details.");
  });
}

• The reason why you're getting a 302 is because EasyAuth detects your token is expired, redirects you to the login page, since it's an API call the browser initiates the CORS check and fails subsequently.