Closed SandroRiz closed 11 months ago
If I recall correctly, they decided not to really push/show it because there are additional security risks and mitigations that have to be dealt with when it comes to using tokens.
@JeremyLikness ... Is that correct? If so, do we want to say anything further on this subject in the doc section at ...
... and do you have any offhand guesses on why @SandroRiz can get registration to work but not login with tokens?
I get the failure here, too. With only the two items we list to change ("login?useCookies=false" and `.AddBearerToken()`) along with changing the scheme passed to `AddAuthentication()` to `IdentityConstants.BearerScheme`, the backend throws when running the app ...

```
System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action<AuthenticationOptions> configureOptions).
```

Trying to set the default authentication and challenge schemes with `AuthenticationOptions` fails ... the error is still thrown ...

```csharp
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = IdentityConstants.BearerScheme;
    options.DefaultChallengeScheme = IdentityConstants.BearerScheme;
}).AddBearerToken();
```
Stand-by, @SandroRiz ... Jeremy probably didn't see the ping from this GH issue. I've sent him an email. If it turns out that he's out on vacation, I'll try pinging Stephen Halter next.
@SandroRiz ...
I was able to confirm after chatting with Jeremy offline that it's only meant to be for clients that can't handle cookies. This seems to match your scenario, but the article should call out the token risk better. I'm going to work on that on https://github.com/dotnet/AspNetCore.Docs/issues/31194.
... and more importantly ...
He doesn't seem to be aware of this problem :boom: with the guidance failing in the Token authentication section. Therefore, Yes! Please do open an issue for the product unit at ...
https://github.com/dotnet/aspnetcore/issues
Please add ...
cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/31194
... to the bottom of your opening comment so that I can follow along. Depending on how it plays out after investigation, I might be updating the docs to call out a gotcha 😈 or perhaps to add some missing guidance that just didn't make it over into the article.
I'll close here, and I'll keep an 👁️ on your PU issue after you open it.
It would be nice to have an example of the WebAssembly standalone app that calls the backend API and logs in with bearer tokens instead of with a cookie (like most mobile apps do),
as described in the documentation: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity?view=aspnetcore-8.0
In the backend I already changed `.AddIdentityCookies()` with `.AddBearerToken();`
and in the frontend `/login?useCookies=false` instead of true.
But that is not enough and login doesn't work (register does).
Thanks