Blazor WebAssembly with server side Razor page authorize problem

1
votes

I created the Blazor WebAssembly app in Visual Studio 2019 with options ASP.NET Core hosted and authentication (Individual User Accounts, Store user accounts in-app) on IdentityServer4. Program generated from Visual Studio. I did not modify anything. Everything works correctly. I'm able to log in and see the client side pages with [Authorize] attribute.

In the next step I add a new Razor Page to the server side (not on the client side) - Reports.cshtml After starting the program, I can go to the newly created page. It works fine.

Now I'm adding [Authorize] attribute to the server side Reports.cshtml page. After starting the program and loggin in, the attempt to display the Reports.cshtml page ends with an error: 401 Unauthorized

What's wrong with that?

Startup.cs

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));

    services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = false)
        .AddEntityFrameworkStores<ApplicationDbContext>();

    services.AddIdentityServer()
        .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

    services.AddAuthentication()
        .AddIdentityServerJwt();

    services.AddControllersWithViews();
    services.AddRazorPages();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
        app.UseWebAssemblyDebugging();
    }
    else
    {
        app.UseExceptionHandler("/Error");
        // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
        app.UseHsts();
    }

    app.UseHttpsRedirection();
    app.UseBlazorFrameworkFiles();
    app.UseStaticFiles();

    app.UseRouting();

    app.UseIdentityServer();
    app.UseAuthentication();
    app.UseAuthorization();

    app.UseEndpoints(endpoints =>
    {
        endpoints.MapRazorPages();
        endpoints.MapControllers();
        endpoints.MapFallbackToFile("index.html");
    });
}

appsettings.json

{
  "ConnectionStrings": {
    "DefaultConnection": "Server=(localdb)\\mssqllocaldb;Database=aspnet-BlazorAuthTest1;Trusted_Connection=True;MultipleActiveResultSets=true"
  },
  "Logging": {
      "LogLevel": {
      "Default": "Information",
      "Microsoft": "Warning",
      "Microsoft.Hosting.Lifetime": "Information"
      }
    },
  "IdentityServer": {
    "Clients": {
      "BlazorAuth.Client": {
        "Profile": "IdentityServerSPA"
      }
    }
  },
"AllowedHosts": "*"
}

Thank you for your help!

1
c#blazorrazor-pageswebassemblyauthorize
I am having the same issue and asked this question the day before you stackoverflow.com/questions/64470056/… I think it is to do with the fact that the setup uses a bearer token (which if using the template you can see getting the weather data). After a suggestion I used the NavigateTo function, but to a normal server page it doesnt put the bearer token in by default. I'm debating whether to pursue this or just roll my server pages into the app if I cant solve it. I am sure it is a question of configuring it in the startup code.Brett JB
I'd say there is going to be more of this coming down the pipe so a good case for a tutorial or guide if anyone at Microsoft is watching?Brett JB

1 Answers

4
votes

I have solved my problem, so lets hope it solves yours...

In your startup.cs, change the line

    services.AddAuthentication()
    .AddIdentityServerJwt();

To:

            services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
            options.DefaultChallengeScheme = IdentityConstants.ApplicationScheme;
        })

            .AddIdentityServerJwt();

You may have some side effects in your API controllers if using claims as it changes the naming structure, but that is easily fixed, and if you are used to writing MVC, then it makes it more like it used to be... if that makes sense. Theres more detail about this where I posted the answer to my own question. Link to that is in my comment above.

Hpe that works for you. Let me know. Cheers