dotnet / AspNetCore.Docs

Documentation for ASP.NET Core
https://docs.microsoft.com/aspnet/core
Creative Commons Attribution 4.0 International

Deal with VS/template vs. .NET CLI/template in upcoming BWA+MIE/B2C articles #30387

Closed jumulr closed 7 months ago

jumulr commented 1 year ago

I am getting the PKCE error when following this how-to: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-7.0

Already tried that but didn't work https://github.com/MicrosoftDocs/azure-docs/issues/90850

To reproduce: create a vanilla Blazor WASM project using the latest Visual Studio and Net 7, follow the tutorial. It doesn’t work.

Please let me know if this is enough. By the way, what was the resolution for the previous issue if any?

Can you help me please? Thanks a lot!



guardrex commented 1 year ago

In response to https://github.com/MicrosoftDocs/azure-docs/issues/114778#issuecomment-1722804416 ...

automatically generated

By what? That's not the correct configuration for an app generated by following the article's guidance.

The article shows examples of the configuration files ...

You'll need to follow the guidance exactly. The config is very finicky. If one little thing is misconfigured, an app will usually 💥 and not work correctly.

jumulr commented 1 year ago

Generated by VS wizard. It matches what is shown in the article actually.

guardrex commented 1 year ago

As a side-note, VS used to have trouble getting the config correct, and I do expect that those problems have been sorted out by now. The article uses the .NET CLI; and although it should generate the same solution with the same config 🤞🍀, I would need to look and validate it. I can use this issue to check on it, including for the other security articles that we maintain. However, we're really under the gun right now on the .NET 8 release work. I'm booked solid right through release, probably right through the EOY. I'll get to it eventually 😅. We'll be replacing our hosted WASM B2C article with a Blazor Web App B2C article, but it will also rely upon the .NET CLI approach, initially anyway. Ideally, I would like to have both .NET CLI and VS approaches explained.

Anyway, what you showed on the other issue doesn't match. That config has a "ServerAPI" section that doesn't match what the topic shows. If VS placed that, then we know that there's some kind of config delta between the article and VS's behavior that I'll need to investigate further. That delta in config might not be the cause of the problem, but I can only attest to the guidance as written following the steps exactly, including the use of the .NET CLI to generate the app.

Alternatively, the Azure registration also has to match the article's guidance ... exactly. Any deviation on the Azure side also tends to 💥 an app 😈. That's something that I can't look at. I'm not permitted to directly inspect AAD/B2C configs. That part is up to the dev to confirm (or perhaps through a MS Support agreement with a MS Support tech).

To proceed here, you'll need to put up a minimal repro project that demonstrates the problem. If it looks good on a visual inspection, I'll place my Azure test registration config into the repro app to see if it runs here. If the app breaks and I can't figure out why, I'll ask one of the product unit engineers to step in and help. If it runs here, then the problem is almost certainly on the Azure registration side.

jumulr commented 1 year ago

I invited you to a private repo.

Thanks a lot!

guardrex commented 1 year ago

Per my company's third-party access guidelines, I'm only allowed to access public repos.

jumulr commented 1 year ago

But it contains my tenant etc… How can we proceed ?

Julien Muller

guardrex commented 1 year ago

Just delete your config values. I'm going to place my values in the files, which match what the topic shows in its config examples.

guardrex commented 1 year ago

contains my tenant

That's why we have the rule. We don't want to see anything private to your company or personal resources, Azure subscription details, or anything of a sensitive nature. It's a security risk that we don't want responsibility for.

jumulr commented 1 year ago

Ok, done.

Julien Muller

guardrex commented 1 year ago

Thanks ... I'll take a look now and get back to you shortly.

guardrex commented 1 year ago

No problem here ...

[image: screenshot of the app running, https://user-images.githubusercontent.com/1622880/268931362-20e47c95-b070-4ae4-943a-4ef37f5cca15.png]

... BUT using the article's recommended configuration. Namely ...

"AzureAd": {
  "Instance": "https://XXXXXXXX.b2clogin.com/",
  "Domain": "XXXXXXXX.onmicrosoft.com",
  "ClientId": "3e6d ... a26",
  "Scopes": "API.Access",
  "SignUpSignInPolicyId": "B2C_1_signupsignin1"
},

... and for the client (noting that I'm using the article's recommendation for the signup/signin user flow) ...

{
  "AzureAd": {
    "ClientId": "96fb ... c4e",
    "Authority": "https://XXXXXXXX.b2clogin.com/XXXXXXXX.onmicrosoft.com/B2C_1_signupsignin1",
    "ValidateAuthority": false
  },
  "ServerApi": {
    "Scopes": "https://XXXXXXXX.onmicrosoft.com/3e6d ... a26/API.Access"
  }
}

I recommend adopting the article's recommended config. Note in passing that for any of our tutorials that they must be followed exactly for the best experience. This one is .NET CLI based. For VS, all bets are off 🎲🎲. 😆 I know and agree on there being parity between these approaches. In a perfect world, that's what we'd have. We don't have it. There are differences, and those differences can 💥 an app.

If that approach works, cool ... I suggest going forward with it. If that fails, then I suspect the Azure registration isn't correct. You'd need to carefully run back down the article's Azure config and check everything.

While you're working on the app and Azure config, note that every app change and every Azure registration change no matter how insignificant requires you to both re-run the app AND use a new incognito/in-private browser (as our guidance calls for) because lingering cookies can 💥 the sign-on. We have guidance on it in the article at ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory-b2c?view=aspnetcore-7.0#cookies-and-site-data

Even if you get it working with the article's config, leave this issue open. I plan to use this issue to deal with the discrepancies between the article's config, which is based on using the .NET CLI and project template, and what VS sets up. However, I might only be working on this for new Blazor Web Apps for 8.0 or later. I don't think it's important to update for VS in old guidance in the hosted WASM case. That template is being dropped for SDK 8.0 or later. Devs are going to need to know about CLI/template versus VS/template deltas for Blazor Web Apps going forward. I'd like to keep this issue open as a reminder for that work. I'll probably close this when I set up the new BWA issues tho, which should happen just before or after RC2 releases next month.
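Because the two appsettings files have to agree with each other exactly, a small cross-check is handy while chasing a misconfiguration. The script below is an added example written for this thread (not code from the article or the Blazor templates). It encodes the relationships visible in the configuration quoted above, which I treat as an assumption about the article's layout: the Client Authority is the Server Instance plus Domain plus the sign-up/sign-in policy ID, and the Client ServerApi:Scopes value is https://{Domain}/{Server ClientId}/{Server Scopes}. The tenant name and both client IDs are placeholders constructed for the example; keys are compared case-insensitively because ASP.NET Core configuration keys are case-insensitive.

```python
import json
from urllib.parse import urlparse

# Constructed sample settings, shaped like the two appsettings.json files quoted
# in the thread (Server project, then Client project). The tenant name and the
# two client IDs are placeholders made up for this example.
SERVER_APPSETTINGS = """
{
  "AzureAd": {
    "Instance": "https://contoso.b2clogin.com/",
    "Domain": "contoso.onmicrosoft.com",
    "ClientId": "11111111-1111-1111-1111-111111111111",
    "Scopes": "API.Access",
    "SignUpSignInPolicyId": "B2C_1_signupsignin1"
  }
}
"""

CLIENT_APPSETTINGS = """
{
  "AzureAd": {
    "ClientId": "22222222-2222-2222-2222-222222222222",
    "Authority": "https://contoso.b2clogin.com/contoso.onmicrosoft.com/B2C_1_signupsignin1",
    "ValidateAuthority": false
  },
  "ServerApi": {
    "Scopes": "https://contoso.onmicrosoft.com/11111111-1111-1111-1111-111111111111/API.Access"
  }
}
"""


def _load(text):
    """Parse JSON and lower-case every key: ASP.NET Core configuration keys are
    case-insensitive, so "ServerAPI" and "ServerApi" name the same section."""
    def lower(obj):
        if isinstance(obj, dict):
            return {k.lower(): lower(v) for k, v in obj.items()}
        return obj
    return lower(json.loads(text))


def expected_authority(server_ad):
    """Client Authority = Instance + Domain + "/" + SignUpSignInPolicyId
    (relationship inferred from the values quoted in the thread)."""
    return (server_ad.get("instance", "").rstrip("/") + "/" + server_ad.get("domain", "")
            + "/" + server_ad.get("signupsigninpolicyid", ""))


def expected_api_scope(server_ad):
    """Client ServerApi:Scopes = https://{Domain}/{Server ClientId}/{Server Scopes}."""
    return ("https://" + server_ad.get("domain", "") + "/" + server_ad.get("clientid", "")
            + "/" + server_ad.get("scopes", ""))


def check_settings(server_json, client_json):
    """Cross-check the Client settings against the Server settings.
    Returns a list of human-readable mismatches; an empty list means consistent."""
    server_ad = _load(server_json).get("azuread", {})
    client = _load(client_json)
    client_ad = client.get("azuread", {})
    server_api = client.get("serverapi", {})
    problems = []

    instance = urlparse(server_ad.get("instance", ""))
    if instance.scheme != "https" or not instance.netloc.endswith(".b2clogin.com"):
        problems.append("Server Instance should be an https b2clogin.com URL, got "
                        f"{server_ad.get('instance')!r}")

    if "/" in server_ad.get("scopes", ""):
        problems.append("Server Scopes should be the bare scope name (API.Access), "
                        "not the full scope URI")

    if client_ad.get("authority") != expected_authority(server_ad):
        problems.append(f"Client Authority {client_ad.get('authority')!r} != "
                        f"expected {expected_authority(server_ad)!r}")

    if server_api.get("scopes") != expected_api_scope(server_ad):
        problems.append(f"Client ServerApi:Scopes {server_api.get('scopes')!r} != "
                        f"expected {expected_api_scope(server_ad)!r}")

    if client_ad.get("clientid") == server_ad.get("clientid"):
        problems.append("Client and Server must point at two different app "
                        "registrations (the ClientId values are identical)")

    if client_ad.get("validateauthority") is not False:
        problems.append("Client ValidateAuthority should be false, as in the quoted config")

    return problems


if __name__ == "__main__":
    for line in check_settings(SERVER_APPSETTINGS, CLIENT_APPSETTINGS) or ["settings are consistent"]:
        print(line)
```

Run it against your own two files after stripping anything sensitive; any line it prints is a delta to fix before suspecting the Azure registration.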

jumulr commented 1 year ago

From scratch, using the CLI : exactly the same error.

Julien Muller

jumulr commented 1 year ago

Also note that the "Run user flow" command in Azure AD B2C gives the same.

Julien Muller

guardrex commented 1 year ago

I left a message on the other issue that they should say what they did offline to resolve it.

Did you search on this online? I see remarks, such as ...

The error "AADSTS9002325: Proof Key for Code Exchange is required for cross-origin authorization code redemption" indicates that the authorization code was sent from a different origin than the redirect URI specified in the initial authorization request. This is a security feature designed to prevent unauthorized access to the user's access tokens.

To fix this issue, you need to ensure that the redirect URI specified in your initial authorization request matches the redirect URI specified in the Azure AD application registration. You also need to ensure that the same redirect URI is used in both the initial authorization request and the subsequent token request.

Please refer the below links which could solve this problem

Cross-ref: https://learn.microsoft.com/en-us/answers/questions/1194524/how-to-fix-aadsts9002325-proof-key-for-code-exchan

BUT .... I recommend being very careful about following guidance in links haphazardly because it can lead to an unsafe configuration. Whatever they're discussing in those links has to be carefully checked, especially non-Microsoft links.

However, my guess is that your Azure config doesn't match our guidance in some way.
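To make the quoted explanation concrete, here is an added Python illustration (my example for this thread, not Microsoft's code and not anything from the article) of the RFC 7636 PKCE exchange and of the rule the AADSTS9002325 message names: a toy token endpoint refuses to redeem an authorization code from a browser origin unless the PKCE code_verifier matches the S256 challenge bound to that code, and it also rejects a redirect_uri that differs from the authorization request and a replayed code. Treating the presence of a browser Origin header as "cross-origin redemption" is a simplification assumed for the example; the server class, its code store and the sample redirect URI are constructed here and do not reproduce every Entra rule.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    """base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """32 random bytes -> 43-character verifier (RFC 7636 allows 43..128 chars)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Constructed stand-in for an authorization server. It issues single-use codes
    and enforces: a code redeemed from a browser origin must be proven with PKCE."""

    def __init__(self):
        self._codes = {}  # code -> what the authorization request bound to it

    def authorize(self, redirect_uri, code_challenge=None, method=None):
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"redirect_uri": redirect_uri,
                             "challenge": code_challenge, "method": method}
        return code

    def token(self, code, redirect_uri, code_verifier=None, origin=None):
        """origin is the browser's Origin header; None means a backend
        (confidential client) request with no browser involved."""
        record = self._codes.pop(code, None)  # single use: a replayed code fails
        if record is None:
            return {"error": "invalid_grant",
                    "error_description": "unknown or already redeemed code"}
        if record["redirect_uri"] != redirect_uri:
            return {"error": "invalid_grant",
                    "error_description": "redirect_uri does not match the authorization request"}
        if origin is not None and record["challenge"] is None:
            return {"error": "invalid_request",
                    "error_description": "Proof Key for Code Exchange is required "
                                         "for cross-origin authorization code redemption"}
        if record["challenge"] is not None:
            ok = (record["method"] == "S256" and code_verifier is not None
                  and hmac.compare_digest(make_code_challenge(code_verifier),
                                          record["challenge"]))
            if not ok:
                return {"error": "invalid_grant",
                        "error_description": "code_verifier does not match code_challenge"}
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def browser_login(server, redirect_uri, use_pkce=True):
    """A SPA / WASM client: redemption happens in the browser, so Origin is sent."""
    verifier = make_code_verifier() if use_pkce else None
    challenge = make_code_challenge(verifier) if use_pkce else None
    code = server.authorize(redirect_uri, challenge, "S256" if use_pkce else None)
    origin = "{0.scheme}://{0.netloc}".format(urlparse(redirect_uri))
    return server.token(code, redirect_uri, code_verifier=verifier, origin=origin)


def server_side_login(server, redirect_uri):
    """A confidential client redeeming from its backend: no browser Origin, so no
    PKCE is demanded here (a real server would also present its client secret)."""
    code = server.authorize(redirect_uri)
    return server.token(code, redirect_uri)


if __name__ == "__main__":
    srv = ToyAuthorizationServer()
    uri = "https://localhost:5001/authentication/login-callback"  # sample callback
    print(browser_login(srv, uri, use_pkce=True))
    print(browser_login(srv, uri, use_pkce=False))
    print(server_side_login(srv, uri))
```

The two failing paths are the ones worth recognising in a real trace: a browser redemption with no code_verifier reproduces the wording of the error in this thread, while a redirect_uri that differs from the one in the authorization request fails before PKCE is even considered.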

jumulr commented 1 year ago

Ok, finally it works :

  1. The Microsoft Identity provider App Registration has to be set up in the non B2C Tenant
  2. This App Registration auth has to be Web and not SPA

Thanks a lot for your help and time !


guardrex commented 1 year ago

Ok ... glad to hear that it's working now.

IIRC, that sounds familiar for a B2C app that isn't registered in a B2C tenant. I had a remark about that scenario in an earlier version of this article, but I removed it because I don't want to complicate an already complex configuration. Besides, a B2C tenant for a B2C app is what the Azure docs do, so align with their recommendation.

Leave this issue open. I'll try to get our guidance to include a VS experience SxS with the .NET CLI experience. Not sure when I'll reach it ... probably 24H1.

guardrex commented 7 months ago

I finally reached this for a look 😅 ... it's been a very busy period for docs with the .NET/BWA guidance rollout this release.

We don't maintain this guidance any longer for hosted WASM. The hosted WASM template is gone now (>=8.0).

I also just generated an app using the Visual Studio built-in "dotnet msidentity tool" and discovered that it doesn't produce the correct app settings and configuration for a standalone WASM app that uses MS personal accounts. [I just tried the MS Accounts article procedure first. We maintain three articles where describing the tool's use might have come in handy.] The best approach is still to create the app from the .NET CLI and set the app settings/config by hand.

I also followed their link next to the tool in the VS wizard, and that link only takes you to the landing page for MS Identity Platform ...

https://learn.microsoft.com/en-us/entra/identity-platform/

... and I can't find any article in their doc set dedicated to this built-in tool/wizard ...

https://www.google.com/search?client=firefox-b-1-d&q=site%3Alearn.microsoft.com+%22dotnet+msidentity+tool%22#ip=1

Therefore, I have nothing to link to for how it works and how to use it.

For the preceding reasons, we're going to stick with our .NET CLI approach. Closing this now as a won't fix, but thanks for the issue and discussion. I'm glad that you were able to get your app running when we chatted on this subject 🎉.