dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

[Blazor] Auto render mode - can not write cookie inside controller #57102

Closed AlexNek closed 2 months ago

AlexNek commented 2 months ago

Is there an existing issue for this?

Describe the bug

I am working on a .NET 8.0 Blazor project utilizing the "auto" render mode, with cookie-based authentication (Demo repo). When I try to call into the controller, nothing happens: no cookie is written, no authorization.

// Issue the authentication cookie on the current response, then redirect.
await HttpContext.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(claimsIdentity));
return Redirect("/");

If I move the login logic to the login page, everything works fine server-side, but I can't access the authenticated user from the client side via API calls. It looks like there are different HttpContexts on the server and within the controller. Or is my setup preventing proper synchronization between the two?

Expected Behavior

I want it to work in a similar way to Microsoft Identity, but for user accounts I need to use an existing external API.

Steps To Reproduce

Demo repo

Exceptions (if any)

No response

.NET Version

8.0

Anything else?

No response

javiercn commented 2 months ago

@AlexNek thanks for contacting us.

Your Account/Login page is rendered on the server and calls an API on the server (using HttpClient) that's going to set a cookie in the response received by HttpClient, not in your browser.

For the cookie to be set in the browser you need to make the API call from code running in the browser (through WebAssembly) not code running on the server either via SSR or Interactive Server.

It's unclear what you are trying to accomplish here, but if you would take advice, it's unnecessarily complex. I would recommend you follow a different approach which would be to mimic what Identity does (just a plain old form, no API calls from the server).

If what you are trying to do is avoid having a redirect, consider using enhanced navigation instead or an iframe (if it's within the same origin) to avoid the page being reloaded.

I do not say this lightly as this type of code is sensitive and can have catastrophic consequences if not handled carefully, so my recommendation would be to fit your experience into one of the well-established patterns if possible before rolling out your own implementation.
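The pattern recommended in the comment above, as an added example that is not code from this thread or from the demo repo: the browser posts a plain form straight to a server endpoint, the server checks the credentials against the external user API, and SignInAsync writes the cookie onto the response the browser itself receives. ExternalUserApi, ExternalUser, the validate route, the base address and the /account/login path are hypothetical names chosen for illustration.

```csharp
using System.Net.Http.Json;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.LoginPath = "/Account/Login";
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HttpOnly is already the default
    });
builder.Services.AddAuthorization();
builder.Services.AddAntiforgery();
builder.Services.AddHttpClient<ExternalUserApi>(c =>
    c.BaseAddress = new Uri("https://users.example.invalid/")); // assumption: placeholder address

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery(); // form-bound endpoints require a valid antiforgery token

// The browser itself posts the login <form> here, so Set-Cookie reaches the browser.
app.MapPost("/account/login", async (HttpContext ctx, ExternalUserApi users,
    [FromForm] string username, [FromForm] string password) =>
{
    // Server-to-server call: it only validates credentials, it sets no cookie.
    var user = await users.ValidateAsync(username, password);
    if (user is null)
        return Results.Redirect("/Account/Login?error=1");
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.NameIdentifier, user.Id), new Claim(ClaimTypes.Name, user.Name) },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity));
    return Results.Redirect("/"); // fixed target, no user-supplied return URL
});
app.Run();
// Hypothetical client and response shape for the external API.
public record ExternalUser(string Id, string Name);
public class ExternalUserApi(HttpClient http)
{
    public async Task<ExternalUser?> ValidateAsync(string username, string password)
    {
        var resp = await http.PostAsJsonAsync("validate", new { username, password });
        return resp.IsSuccessStatusCode ? await resp.Content.ReadFromJsonAsync<ExternalUser>() : null;
    }
}
```

The login page then only needs to render an ordinary form that posts username and password to this endpoint together with the antiforgery token; no HttpClient call from a server-rendered component to the app's own controller is involved.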

AlexNek commented 2 months ago

Thanks for the quick reply.

> It's unclear what you are trying to accomplish here

Ultimately, I need the application to behave as if I were using Microsoft Identity. The big difference is that I already have an external API to manage users, so I want to call that API only from the server. I don't really need an internal controller; it was only a suggestion I found for how to implement CustomAuthentificationStateProvider.

> well-established patterns if possible before rolling out your own implementation.

What is your suggestion? Here there is only a suggestion for Server or Client mode: "ASP.NET Core Blazor authentication and authorization", the same as here: "Secure an ASP.NET Core Blazor Web App with OpenID Connect (OIDC)".

dotnet-policy-service[bot] commented 2 months ago

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.