AddIdentityApiEndpoints breaks Blazor's RedirectToLogin behavior. #57900
Comments
Thanks for reaching out, @los93sol. Is there a reason you're not using cookie-only authentication? If your scenario is totally browser-based (i.e., there's not a native client), that's what we would recommend. We expect that this will exhibit the behavior you're expecting. See also:
I’m not using cookies only because there are remote headless workers that need to connect to the hub as well. Per the documentation Bearer is the recommended approach in this scenario.
I added .AllowAnonymous(); at the end of MapRazorComponents() and that resolves the unexpected behavior with Blazor when components have Authorize attributes on them and allows Routes.razor to handle those as normal, but that issue seems like a massive oversight in the template and one that cost me 2 days troubleshooting. Now the issue I’m facing is I want the API side, including SignalR, to return 404 instead of 403’s and a catch-all for everything that’s not a Blazor route to return 401 for unauthenticated users as well. The idea here is to prevent information disclosure about endpoints that exist but users do not have access to.
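One way to get the 404-instead-of-403 behavior described in the comment above, as an added example that is not code from this thread or from the ASP.NET Core repository: a custom `IAuthorizationMiddlewareResultHandler` that rewrites forbidden results on selected paths and leaves challenges (401) to the default handler. The handler name, the `/api` and `/hubs` prefixes and the two test endpoints are assumptions; the sample registers `AddBearerToken` alone to stay self-contained, and the handler itself does not depend on which schemes are registered.

```csharp
// Program.cs for an ASP.NET Core 8+ web project. Added example; names and routes are assumptions.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.BearerToken;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(BearerTokenDefaults.AuthenticationScheme).AddBearerToken();
builder.Services.AddAuthorization();
// Replaces the component that turns authorization failures into 401/403 responses.
builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler, ConcealForbiddenHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed endpoints for local testing: /login issues a bearer token for a user
// without the Admin role; calling /api/admin with that token should return 404, not 403.
app.MapGet("/login", () => Results.SignIn(
    new ClaimsPrincipal(new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "worker") }, "constructed")),
    authenticationScheme: BearerTokenDefaults.AuthenticationScheme));
app.MapGet("/api/admin", () => "secret").RequireAuthorization(p => p.RequireRole("Admin"));
app.Run();

sealed class ConcealForbiddenHandler : IAuthorizationMiddlewareResultHandler
{
    // Assumed route prefixes for the API and the SignalR hub.
    private static readonly PathString[] ConcealedPrefixes = { "/api", "/hubs" };
    private readonly AuthorizationMiddlewareResultHandler _default = new();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        bool concealed = Array.Exists(ConcealedPrefixes,
            prefix => context.Request.Path.StartsWithSegments(prefix));

        // Authenticated but not allowed: answer as if the endpoint did not exist.
        if (concealed && authorizeResult.Forbidden)
        {
            context.Response.StatusCode = StatusCodes.Status404NotFound;
            return Task.CompletedTask;
        }

        // Success and challenge (401) keep the framework's default behavior.
        return _default.HandleAsync(next, context, policy, authorizeResult);
    }
}
```

This only covers authorization evaluated by the authorization middleware on endpoints; `[Authorize]` on individual hub methods is evaluated inside SignalR and is not affected.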
What you're trying to achieve should be doable. I'm going to turn this issue into a Doc item for us to improve the documentation later. In the meantime, hopefully somebody from the community will be able to help you out here.
#9039 is related and discusses how customize If you need more flexibility to select which handler to use for which requests/operations, you might want to use a policy scheme.
I was able to achieve it with the following.... Note here that I can't use the constant to get at it and the lack of an override with an action to configure it directly is what made getting at this unclear in the first place.
The last thing I'm looking at is how an ITicketStore can be used with the BearerToken auth to move the state from the token to the server like how it can be done with Cookies. I see that BearerTokenOptions do not have an option to set it and the BearerTokenHandler does not implement it anyway so I'm looking for some method that this could be achieved as well.
We believe that the question you've raised has been answered. If you still feel a need to continue the discussion, feel free to reopen it and add your comments.
Is there an existing issue for this?
Describe the bug
I have a Blazor app that uses .NET Identity. The same app has a SignalR hub and I need to support both Bearer and Cookies auth so I started with a template project and configured Identity with builder.Services.AddIdentityApiEndpoints to get both schemes registered and the forward handler. This works for the most part, but it breaks Blazor's RedirectToLogin component. If you navigate to the Index page first, then click the Auth link it works properly and you are redirected to login as you would expect, but if the user has a link straight to the /auth page, they receive a 401 and are not properly routed through Blazor. This seems very unexpected as the guidance previously has been to use Bearer for SignalR, and Cookies for web interface. Is this a known thing or is there an example of how to do this properly?
Expected Behavior
No response
Steps To Reproduce
No response
Exceptions (if any)
No response
.NET Version
No response
Anything else?
No response