search

dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License
35.5k stars 10.04k forks source link

Blazor Wasm Authentication broken when window.opener is set (from anchor with target) #40610

Open andrew-tevent opened 2 years ago

andrew-tevent commented 2 years ago

Is there an existing issue for this?

Describe the bug

If you follow a link to my Blazor site using an anchor which causes the window.opener to be set, then the authentication will never work in that new browser tab.

e.g. <a href="https://myblazorapp/" target="_new">My Blazor App</a>

In the AuthenticationService.ts there is a piece of logic checking for window.opener which causes the silent signin to never take place.

if (window.parent === window && !window.opener && !window.frameElement && this._userManager.settings.redirect_uri &&
     !location.href.startsWith(this._userManager.settings.redirect_uri)) {
      // If we are not inside a hidden iframe, try authenticating silently.
     await AuthenticationService.instance.trySilentSignIn();
}

This means, on landing on the Blazor app, if you are already authenticated with the issuing provider, it doesn't trigger a silent token fetch.

Equally, if you do then go through the actual Login process, the AuthenticationService still does not request a token from the issuing provider; basically the browser tab you are in is unable to ever authenticate.

Is there a specific reason that the AuthenticationService requires window.opener to NOT be set?

Expected Behavior

We should be able to link to a Blazor App and have that browser tab be able to silently (if already authenticated) or explicitly (if not yet authenticated) get a token!

It's a common scenario - links that are shared with other apps/websites generally open in new tabs (e.g. from email inboxes, calendars, comment links)

Steps To Reproduce

  1. Setup a Blazor App using OIDC Authentication.
  2. Navigate to the Blazor App and authenticate (meaning you have a valid authentication cookie from the issuing provider).
  3. Create an HTML link somewhere to the app, and set the target=_new attribute.
  4. Click the HTML link and observe that you aren't logged in to the Blazor App when you should have been.
  5. Observe that reloading or clicking Log In and going through the login process do not solve the problem either.

OR

  1. Setup a Blazor App using OIDC Authentication.
  2. Create an HTML link somewhere to the app, and set the target=_new attribute.
  3. Click the HTML link and click Log In and going through the login process. Observe that you are not logged in.

Exceptions (if any)

No response

.NET Version

6.0.3

Anything else?

Tested using Auth0 OIDC provider, but probably would occur with any provider.

andrew-tevent commented 2 years ago

There is a potential workaround - but it seems a bit flaky as it is an indirect fix.

Prevent other sites from setting themselves as window.opener with this header:

Cross-Origin-Opener-Policy: same-origin

mkArtakMSFT commented 2 years ago

Thanks for contacting us. For now you can try to add the rel="noopener" attribute to the <a> tag.

ghost commented 2 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

andrew-tevent commented 2 years ago

Thanks for contacting us. For now you can try to add the rel="noopener" attribute to the <a> tag.

It's really about the cases where other sites are linking to your Blazor App, which you don't have control over.