Blazor WebAsm 3.2.0 preview, release 2 - broken...

Describe the bug

Handling OIDC from a 3rd party. I believe I have everything setup correctly. When I try to login the app redirects to the Token Server I configured, asks for scope permissions and then redirects back (confirmed in fiddler). However, the \authorization\ page in the WebAsm keeps throwing this error:

https://localhost:5001/Home/Error?message=Method%20not%20found:%20%27Void%20Microsoft.AspNetCore.Authentication.OAuth.OAuthCreatingTicketContext.RunClaimActions(Newtonsoft.Json.Linq.JObject)%27.

Sorry, there's nothing at this address.

Maybe my claims are wrong and that is doing it? 3rd party docs here.

To Reproduce

My code on github

Run project,
Click the login button (top right)
click the Eve Online button in the "Use another service" section
Enter correct login info (I can give you my account but only in a secure channel)
Error occurs upon callback.

Method not found: 'Void Microsoft.AspNetCore.Authentication.OAuth.OAuthCreatingTicketContext.RunClaimActions(Newtonsoft.Json.Linq.JObject)'.

at SC.Dashboard.Shared.Auth.EsiAuthenticationMiddleware.<>c.<b0_0>d.MoveNext() in D:\Repos\Sandbox\SC.Dashboard\src\Shared\Auth\EsiAuthenticationMiddleware.cs:line 69 at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[TStateMachine](TStateMachine& stateMachine) at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[TStateMachine](TStateMachine& stateMachine) at SC.Dashboard.Shared.Auth.EsiAuthenticationMiddleware.<>c.b__0_0(OAuthCreatingTicketContext context) at Microsoft.AspNetCore.Authentication.OAuth.OAuthEvents.CreatingTicket(OAuthCreatingTicketContext context) at Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler`1.d11.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at Microsoft.AspNetCore.Authentication.OAuth.OAuthHandler1.d8.MoveNext() at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) at System.Runtime.CompilerServices.TaskAwaiter1.GetResult() at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler1.d12.MoveNext()

Further technical details

ASP.NET Core version 3.1.102
Include the output of dotnet --info C:\Users\keith>dotnet --info .NET Core SDK (reflecting any global.json): Version: 3.1.102 Commit: 573d158fea

Runtime Environment: OS Name: Windows OS Version: 10.0.18363 OS Platform: Windows RID: win10-x64 Base Path: C:\Program Files\dotnet\sdk\3.1.102\

Host (useful for support): Version: 3.1.2 Commit: 916b5cba26

.NET Core SDKs installed: 1.1.11 [C:\Program Files\dotnet\sdk] 1.1.13 [C:\Program Files\dotnet\sdk] 2.1.202 [C:\Program Files\dotnet\sdk] 2.1.500 [C:\Program Files\dotnet\sdk] 2.1.503 [C:\Program Files\dotnet\sdk] 2.1.505 [C:\Program Files\dotnet\sdk] 2.1.602 [C:\Program Files\dotnet\sdk] 2.1.801 [C:\Program Files\dotnet\sdk] 2.2.103 [C:\Program Files\dotnet\sdk] 2.2.401 [C:\Program Files\dotnet\sdk] 3.0.100-preview4-011223 [C:\Program Files\dotnet\sdk] 3.1.100 [C:\Program Files\dotnet\sdk] 3.1.101 [C:\Program Files\dotnet\sdk] 3.1.102 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed: Microsoft.AspNetCore.All 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.All 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All] Microsoft.AspNetCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.0.0-preview4-19216-03 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.1 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.AspNetCore.App 3.1.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App] Microsoft.NETCore.App 1.0.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 1.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 1.1.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 1.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.1.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.2.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.2.6 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 2.2.8 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.0.0-preview4-27615-11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.1 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.NETCore.App 3.1.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App] Microsoft.WindowsDesktop.App 3.0.0-preview4-27613-28 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 3.1.1 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App] Microsoft.WindowsDesktop.App 3.1.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET Core runtimes or SDKs: https://aka.ms/dotnet-download

The IDE (VS / VS Code/ VS4Mac) you're running on, and it's version Microsoft Visual Studio Professional 2019 (2) Version 16.4.5 VisualStudio.16.Release/16.4.5+29806.167 Microsoft .NET Framework Version 4.8.03752

Installed Version: Professional

ADL Tools Service Provider 1.0 This package contains services used by Data Lake tools

ASP.NET and Web Tools 2019 16.4.460.23317 ASP.NET and Web Tools 2019

ASP.NET Web Frameworks and Tools 2019 16.4.460.23317 For additional information, visit https://www.asp.net/

Azure App Service Tools v3.0.0 16.4.460.23317 Azure App Service Tools v3.0.0

Azure Data Lake Node 1.0 This package contains the Data Lake integration nodes for Server Explorer.

Azure Data Lake Tools for Visual Studio 2.4.1000.0 Microsoft Azure Data Lake Tools for Visual Studio

Azure Functions and Web Jobs Tools 16.4.460.23317 Azure Functions and Web Jobs Tools

Azure Stream Analytics Tools for Visual Studio 2.4.1000.0 Microsoft Azure Stream Analytics Tools for Visual Studio

C# Tools 3.4.1-beta4-19614-01+165046097562cfe65b09c2e9a9d8f7cd88526f2c C# components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Common Azure Tools 1.10 Provides common services for use by Azure Mobile Services and Microsoft Azure Tools.

Fabric.DiagnosticEvents 1.0 Fabric Diagnostic Events

IntelliCode Extension 1.0 IntelliCode Visual Studio Extension Detailed Info

Microsoft Azure HDInsight Azure Node 2.4.1000.0 HDInsight Node under Azure Node

Microsoft Azure Hive Query Language Service 2.4.1000.0 Language service for Hive query

Microsoft Azure Service Fabric Tools for Visual Studio 16.0 Microsoft Azure Service Fabric Tools for Visual Studio

Microsoft Azure Stream Analytics Language Service 2.4.1000.0 Language service for Azure Stream Analytics

Microsoft Azure Stream Analytics Node 1.0 Azure Stream Analytics Node under Azure Node

Microsoft Azure Tools 2.9 Microsoft Azure Tools for Microsoft Visual Studio 2019 - v2.9.21016.1

Microsoft Continuous Delivery Tools for Visual Studio 0.4 Simplifying the configuration of Azure DevOps pipelines from within the Visual Studio IDE.

Microsoft JVM Debugger 1.0 Provides support for connecting the Visual Studio debugger to JDWP compatible Java Virtual Machines

Microsoft Library Manager 2.0.87+gbb515bf382 Install client-side libraries easily to any web project

Microsoft MI-Based Debugger 1.0 Provides support for connecting Visual Studio to MI compatible debuggers

Microsoft Visual Studio Tools for Containers 1.1 Develop, run, validate your ASP.NET Core applications in the target environment. F5 your application directly into a container with debugging, or CTRL + F5 to edit & refresh your app without having to rebuild the container.

NuGet Package Manager 5.4.0 NuGet Package Manager in Visual Studio. For more information about NuGet, visit https://docs.nuget.org/

ProjectServicesPackage Extension 1.0 ProjectServicesPackage Visual Studio Extension Detailed Info

SQL Server Data Tools 16.0.62002.03150 Microsoft SQL Server Data Tools

ToolWindowHostedEditor 1.0 Hosting json editor into a tool window

TypeScript Tools 16.0.11031.2001 TypeScript Tools for Microsoft Visual Studio

Visual Basic Tools 3.4.1-beta4-19614-01+165046097562cfe65b09c2e9a9d8f7cd88526f2c Visual Basic components used in the IDE. Depending on your project type and settings, a different version of the compiler may be used.

Visual F# Tools 10.4 for F# 4.6 16.4.0-beta.19556.5+e7597deb7042710a7142bdccabd6f92b0840d354 Microsoft Visual F# Tools 10.4 for F# 4.6

Visual Studio Code Debug Adapter Host Package 1.0 Interop layer for hosting Visual Studio Code debug adapters in Visual Studio

Visual Studio Container Tools Extensions (Preview) 1.0 View, manage, and diagnose containers within Visual Studio.

Visual Studio Tools for Containers 1.0 Visual Studio Tools for Containers

Visual Studio Tools for Kubernetes 1.0 Visual Studio Tools for Kubernetes

Thanks for filing the issue @KeithBarrows.

I think there's an issue in the configuration/definition for your scenario. I'm not entirely sure of the specifics of what you are trying to achieve, so I laid out below the two scenarios I can think of and how to decide what/when to use one or the other.

When authenticating and authorizing a hosted Blazor app with a third party provider, there are several options available for authenticating the user. Which one you choose depends on your specific scenario:

Do you want to authenticate a user to talk to a third party API?

You need to authenticate the user with a client-side oauth flow against the third-party API provider. `` builder.services.AddOidcAuthentication(options => { ... })
The server does not play a role here.
You can't protect APIs on the server in this way.
You can only call protected APIs for the third party resource.

Do you want to allow users to log-in with a third party provider and call protected APIs on your host server and the third party API resources?

You need to configure Identity with a third party login provider, get the tokens you need and store them.
When a user logs-in this way, Identity will collect any access tokens and refresh tokens as part of the authentication process. At that point there are a couple of ways to make API calls to the 3rd party API:
- Create an endpoint in your API and use the access token generated by the server to retrieve the access token to talk to the third party API resource from Identity. While this is doable, this is something that we do not recommend. The reason for this is that you are treating the access token as if it was emitted for a public client (in oauth terms, an app that doens't have a client secret because it can't be trusted to store secrets safely) when it might have been produced for a confidential client (a client that has a secret and that is assumed to be able to safely store secrets).
- The implication of this is that that access token might have been granted additional scopes to perform sensitive operations based on the fact that the server considered it was emitting it for a more trusted client.
- A similar example would be refresh tokens, you wouln't give them to a client you don't trust as that would give the client unlimited access (unless other restrictions are put into place)
- Make API calls from your the client to server API and from there, retrieve the access token for the third party API resource and issue whatever call is necessary.
- While this involves an extra hop through your server to talk to the 3rd party APIs, it ultimately results in a better experience:
  - The server can store refresh tokens and ensure the app doesn't loose access to the third party resources.
  - You don't leak any access token from the server that might contain more sensitive permissions.

Hope that helps. I'll file an issue to improve the docs in this area.

The specific issue you are having is that it looks like you are trying to implement the 2nd scenario, but you are trying to redirect to the Blazor webassembly app callback url instead of the callback url on the server (/signin-oauth or similar I presume).

What's happening is something like this: /authentication/login -> /connect/authorize -> /Identity/Account/Login -> https://login.eveonline.com/oauth/authorize -> /authentication/login-callback (failure)

What should happen is something like What's happening is something like this: /authentication/login -> /connect/authorize -> /Identity/Account/Login -> https://login.eveonline.com/oauth/authorize -> /Identity/Account/External (not sure of the url, check with the identity docs) -> /connect/authorize/ -> /authentication/login-callback

See this doc for details on how to configure identity to do this https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/additional-claims?view=aspnetcore-3.1

And your answers, while great, are where I am having my moment of confusion. i.e.: Every sample I have found tends to jump over the "obvious to you" parts of the setup process. Yes, the 2nd scenario is what I am trying to achieve in a POC. However, the first scenario fits over 95% of my use cases. I only have 2 (right now) actions that require a central server I have control over. That being said, my idea was to use a Client Credential for the 2 calls I want to make to my own server. 1 to upload a file, the other to download a file. Everything else is handled via the eveonline.com REST services.

You said: What's happening is something like this (w/my comments): /authentication/login ==> WebAsm:Authentication(action:='login') -> /connect/authorize ==> ???? (buried in a nuget?) -> /Identity/Account/Login ==> Server: ???? (buried in a nuget?) -> https://login.eveonline.com/oauth/authorize ==> 3rd party OIDC service -> /authentication/login-callback (failure) ==> obviously missing something between the last step and here!)

I have started a new POC using dotnet new blazorwasm -au Individual -o [newProject". This has no server, obviously. And for the life of me, configuring the OIDC is not working at all. Following the help at https://aka.ms/blazor-standalone-auth.

Also note that I am using an OKTA OIDC as all EveOnline URLs are blocked at work.

    public class Program
    {
        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("app");
            builder.Services.AddBaseAddressHttpClient();
            builder.Services.AddOidcAuthentication(options =>
            {
                // Configure your authentication provider options here.
                // For more information, see https://aka.ms/blazor-standalone-auth
                options.ProviderOptions.Authority = "https://dev-712283.okta.com";
                options.ProviderOptions.ClientId = "0oa2yttq55XjCR3AO357";

                // also tried https://localhost:5001/.... for all settings
                options.AuthenticationPaths.LogInCallbackPath = "http://localhost:5000/authentication/login-callback"; 
                options.AuthenticationPaths.LogInFailedPath = "http://localhost:5000/authentication/login-failed";
                options.AuthenticationPaths.LogInPath = "http://localhost:5000/authentication/login";
                options.AuthenticationPaths.LogOutCallbackPath = "http://localhost:5000/authentication/logout-callback";
                options.AuthenticationPaths.LogOutFailedPath = "http://localhost:5000/authentication/logout-failed";
                options.AuthenticationPaths.LogOutPath = "http://localhost:5000/authentication/logout";
                options.AuthenticationPaths.LogOutSucceededPath = "http://localhost:5000/authentication/logged-out";
            });

            await builder.Build().RunAsync();
        }
    }

I run and I see: 2020-03-12_1618

I click the Log In button and see that an error happened: 2020-03-12_1619

I am also seeing this error in F12 tools:

Access to XMLHttpRequest at 'https://dev-712283.okta.com/.well-known/openid-configuration' from origin 'https://localhost:5001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Sorry to be a PITA...

Access to XMLHttpRequest at 'https://dev-712283.okta.com/.well-known/openid-configuration' from origin 'https://localhost:5001' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This clearly indicates to me that their endpoint doesn't support CORS and that as a result the app is failing to even get the metadata document.

That being said, my idea was to use a Client Credential for the 2 calls I want to make to my own server. 1 to upload a file, the other to download a file

Not sure what this means. Client credentials from where to where?

Every sample I have found tends to jump over the "obvious to you" parts of the setup process. Yes, the 2nd scenario is what I am trying to achieve in a POC. However, the first scenario fits over 95% of my use cases.

Here a simple sample with identity server A simple sample with Identity Server demo server. The issues you are having with okta is because it doesn't support cors on the metadata endpoint.

            builder.Services.AddOidcAuthentication(options =>
            {
                options.ProviderOptions.Authority = "https://demo.identityserver.io/";
                options.ProviderOptions.ClientId = "interactive.public";
                options.ProviderOptions.ResponseType = "code";
                options.ProviderOptions.DefaultScopes.Add("api");
            });

You said: What's happening is something like this (w/my comments): /authentication/login ==> WebAsm:Authentication(action:='login') -> /connect/authorize ==> ???? (buried in a nuget?) -> /Identity/Account/Login ==> Server: ???? (buried in a nuget?) -> https://login.eveonline.com/oauth/authorize ==> 3rd party OIDC service -> /authentication/login-callback (failure) ==> obviously missing something between the last step and here!)

/authentication/login ==> WebAsm:Authentication(action:='login') -> /connect/authorize ==> Default identity server authorization path -> /Identity/Account/Login ==> Default Identity UI authentication -> https://login.eveonline.com/oauth/authorize ==> Where you are sent when the user clicks with sign-in with eve online -> /signin-oauth-callback (or something like that, check the security docs) Where you should be sent after the login with your provider -> /Account/Login/External Where the middleware sends you after successfully authenticating you. -> /connect/authorize Where the external login redirects you after you are correctly authenticated -> /authentication/login-callback Where Identity server redirects you after the successful authorization

This clearly indicates to me that their endpoint doesn't support CORS and that as a result the app is failing to even get the metadata document.

Yep, missed a setting in Okta.

Are there plans to add triple slash comments to each of the settings and/or documentation that shows default values (if any) for all of these settings? And does it support PKCE for public clients?

Outside of that we can close this down.

Thanks for your awesome help!

And does it support PKCE for public clients

Yep, that's the default when you are using it in a hosted scenario with our SPA authentication integration and you can configure it by setting the response type to code (I believe it does PKCE by default).

Are there any documents that list the acceptable values for response type as well as the other settings? :)

My biggest concern is not being a security expert I touch these setting once, maybe twice a year. Then I have to remember the various flows, which are for what purposes, the various response types, client definition (in the ID Server) vs client setup (in your app), etc. ;)

Are there any documents that list the acceptable values for response type as well as the other settings? :)

The OIDC spec is the best source for that type of stuff https://openid.net/specs/openid-connect-core-1_0.html#Authentication and with an open id connect compatible provider you can always check all those things in the medatada document, which lives at <<authority>>/.well-known/openid-configuration

For example https://dev-712283.okta.com/.well-known/openid-configuration

I'm closing this issue as the question has been answered.

dotnet / aspnetcore