logto-io / csharp

Logto .NET Core SDKs and samples.

bug: Blazor Server setting a Resource will fail authentication #29

Open Json-exe opened 2 months ago

Json-exe commented 2 months ago

Describe the bug

I have a Blazor Server project, where I have added Logto as an Identity Provider. I have created a Traditional Web App in Logto and provided all information for the AddLogtoAuthentication call. I tested it and everything worked fine. Then I added an API Resource to Logto and added its ID to options.Resource. But after adding that and starting the app, I never get authenticated again. Whenever I click login and log in on Logto, I get redirected to my page and it still says Login. Only when I remove the Resource again does my login work fine. I currently tried several Resource IDs:

I can also reproduce that behaviour in the Blazor Sample App. If you need more information, I am happy to share ^^

Expected behavior

I still get Authenticated correctly on my Application, and can retrieve my Access Token for my WebAPI.

How to reproduce?

Download this repo, open the Blazor Server project, add the appsettings, add a Traditional Web App to Logto and fill in the required information in the appsettings. Add an API Resource to Logto and add the resource to the appsettings. Try to log in.

Context

Screenshots

Before Sign-in: [screenshot chrome_0J2pJdljw0]

After Sign-In: [screenshot chrome_DeMH8bzQn3]

Json-exe commented 2 months ago

I further investigated the issue and created an account for Logto Cloud. When I use Logto Cloud, everything works fine when I set a Resource. Eventually it has something to do with Logto self-hosted running on http instead of https, or there is a bug in the self-hosted version?

michaelgiraldo commented 2 months ago

@Json-exe yes, it's because of the https. Can you configure the local host for HTTPS?

Json-exe commented 2 months ago

I'll see if I can get a reverse proxy to run locally or how I can get logto to run under https on my machine.

Json-exe commented 1 month ago

I set up a Logto instance on my server and put NGINX in front of it. I issued a certificate from Let's Encrypt and enabled https. But the issue with the Resource still persists. Also in the example app I don't get authenticated if I set a resource.

Json-exe commented 1 month ago

I now tried the following on my local machine:

Once again I could not be authenticated although now even localhost had https (I also tried that on my server where nginx is then proxying to https://127.0.0.1:3002 and 3001 but that did not work either).

Json-exe commented 1 month ago

I have made some more tests. I have disabled Cloudflare to check if that was the problem and have created the same configuration I have used in Logto Cloud. My issue sadly still persists. Here are some logs of the authentication process in case you need them:

Blazor Logs:

info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/2 GET https://localhost:44319/SignIn - - -
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0] Executing endpoint 'HTTP: GET /SignIn'
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12] AuthenticationScheme: Logto was challenged.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1] Executed endpoint 'HTTP: GET /SignIn'
info: Microsoft.AspNetCore.Hosting.Diagnostics[2] Request finished HTTP/2 GET https://localhost:44319/SignIn - 302 - - 378.7587ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/2 POST https://localhost:44319/Callback - application/x-www-form-urlencoded 502
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10] AuthenticationScheme: Logto.Cookie signed in.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2] Request finished HTTP/2 POST https://localhost:44319/Callback - 302 - - 255.4845ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/2 GET https://localhost:44319/ - - -
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1] Executed endpoint '/ (/)'
info: Microsoft.AspNetCore.Hosting.Diagnostics[2] Request finished HTTP/2 GET https://localhost:44319/ - 200 - text/html;+charset=utf-8 311.7258ms
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7] Logto.Cookie was not authenticated. Failure message: No principal.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

My Logto Instance Logs: Interaction started:

{
  "key": "Interaction.Create",
  "result": "Success",
  "ip": "---.---.--.--",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
  "userId": "g8jqzitis1fe",
  "applicationId": "rzoeztxfntj0f4us6szbz",
  "sessionId": "kkO1S80zXhouQyjgmkd4h",
  "params": {
    "nonce": "638635631980426641.Mzc4MjBiYjMtZjg3MC00NTE2LTlkNzgtOTQwZTY1NmI1ZThmZDUyZWRiYjEtMWM5Ni00MGVhLThjODctM2M2YjJlY2U1NGRj",
    "scope": "openid offline_access profile",
    "state": "CfDJ8PciJX1BI1tMhWzI08s0l5WsI65ESSIc9_96lYVmgnMetyCl5BGBWccyImGopc8RQOnXJOglvTc1KORX-beSvSCVYAYwrkdDuYoLKdfn1V1rFYb5uvm_k1RnlYHXpYHnFBZs5x0rFW6eY-MhXkI8HSPJyxApVx5aPEjuKotChY-3QkweO-q_cYpKFK37KtQDcWXwzwRxyit3LGmyKglYALRp_lTlBt5n7qGCzbzp-YT_cKJgf8QhQNif3clKW_12XBUvW4cp-TZvy98nnOfUlw0OYCyxaEpyzrAz8fLVIOq8M4NwRy_wa-JrOQBB18SykTgOUoHi1GYO_9yv4pmnAOWDqtLdS0CLutQLajtDr229CLy-48MtQn9ROO7N6z_SsQ",
    "prompt": "consent",
    "resource": "http://localhost:3212/",
    "client_id": "rzoeztxfntj0f4us6szbz",
    "redirect_uri": "https://localhost:44319/Callback",
    "response_mode": "form_post",
    "response_type": "code",
    "code_challenge": "aUW0QhTkN3dSfi0H1Y1OBo-ZBLcQH29rkKiXZLj_Oc8",
    "code_challenge_method": "S256"
  },
  "prompt": {
    "name": "consent",
    "details": {
      "missingOIDCScope": [
        "openid",
        "offline_access",
        "profile"
      ]
    },
    "reasons": [
      "consent_prompt",
      "op_scopes_missing"
    ]
  },
  "interactionId": "aM-nCV2qU0qYnImOhASAB"
}

Exchange:

{
  "key": "ExchangeTokenBy.AuthorizationCode",
  "result": "Success",
  "ip": "---.---.--.--",
  "userAgent": "Microsoft ASP.NET Core OpenIdConnect handler",
  "userId": "g8jqzitis1fe",
  "applicationId": "rzoeztxfntj0f4us6szbz",
  "params": {
    "code": "IFjuozuL37jbMMwT3bu50poMpAGgOpmNa94sxu1zdZo",
    "client_id": "rzoeztxfntj0f4us6szbz",
    "grant_type": "authorization_code",
    "redirect_uri": "https://localhost:44319/Callback",
    "client_secret": "#internal:83N3UwftTlIRqeXKSgMiVFz98Bv1fv8B",
    "code_verifier": "OX4EDW35U5l9wCPY_8Gxzvo004SFjfNzYA6s335UKsE"
  },
  "scope": "openid offline_access profile",
  "tokenTypes": [
    "AccessToken",
    "RefreshToken",
    "IdToken"
  ],
  "applicationSecret": {
    "name": "Default secret"
  }
}

And my browser network logs: localhost.json

Hope that helps.
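A diagnostic hookup for the setup described in this thread, added here as an example and not code from the issue author or the logto-io/csharp SDK: it wires the reported configuration (AddLogtoAuthentication with options.Resource set) and logs, on both the OIDC and the cookie side, what the token endpoint returned, what was written into the cookie at /Callback, and whether that cookie comes back on the next request, so the "signed in" followed by "No principal" sequence in the posted logs can be localized to one step. The Endpoint/AppId/AppSecret option names and the scheme names "Logto" and "Logto.Cookie" are assumptions taken from SDK usage and from the posted log lines.

```csharp
// Added diagnostic example, not code from logto-io/csharp or the issue author. Assumed: SDK
// options Endpoint/AppId/AppSecret (Resource is named in the report); scheme names "Logto" and
// "Logto.Cookie" come from the posted logs; implicit usings of a .NET 6+ web project.
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddLogtoAuthentication(options =>
{
    options.Endpoint = builder.Configuration["Logto:Endpoint"]!;
    options.AppId = builder.Configuration["Logto:AppId"]!;
    options.AppSecret = builder.Configuration["Logto:AppSecret"];
    options.Resource = builder.Configuration["Logto:Resource"]; // the trigger in the report
});
static ILogger Diag(HttpContext http) =>
    http.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("AuthDiag");

// OIDC handler ("Logto"): record what the token endpoint returned, chaining the SDK's handler.
builder.Services.PostConfigure<OpenIdConnectOptions>("Logto", o =>
{
    var inner = o.Events.OnTokenResponseReceived;
    o.Events.OnTokenResponseReceived = async ctx =>
    {
        await inner(ctx);
        var r = ctx.TokenEndpointResponse;
        Diag(ctx.HttpContext).LogInformation("token endpoint: id={Id} access={At} refresh={Rt} chars",
            r.IdToken?.Length, r.AccessToken?.Length, r.RefreshToken?.Length);
    };
});

// Cookie handler ("Logto.Cookie"): what is written at /Callback, and whether it comes back.
builder.Services.PostConfigure<CookieAuthenticationOptions>("Logto.Cookie", o =>
{
    o.Events.OnSigningIn = ctx =>
    {
        var tokens = (ctx.Properties?.GetTokens() ?? Enumerable.Empty<AuthenticationToken>())
            .Select(t => $"{t.Name}={t.Value?.Length}");
        Diag(ctx.HttpContext).LogInformation("cookie sign-in: claims={N} tokens=[{T}]",
            ctx.Principal?.Claims.Count(), string.Join(", ", tokens));
        return Task.CompletedTask;
    };
    o.Events.OnValidatePrincipal = ctx =>
    {
        // Fires only if the browser sent the cookie back; "No principal" on GET / without this
        // line means the cookie never reached the server (not stored, or dropped on the way).
        Diag(ctx.HttpContext).LogInformation("cookie received: claims={N}", ctx.Principal?.Claims.Count());
        return Task.CompletedTask;
    };
});
var app = builder.Build();
app.UseAuthentication(); app.UseAuthorization(); app.Run();
```

Compare the "cookie sign-in" line (token names and lengths) between a run with and without options.Resource; a larger or differently typed access token that is stored in the cookie is the first thing to rule in or out when the cookie is written on /Callback but "cookie received" never appears on the following GET /.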