Explain schemes in Blazor WASM security #19807

Closed
guardrex opened this issue Sep 9, 2020 · 5 comments · Fixed by #23234
Assignees
Labels
Blazor doc-enhancement Pri2 Source - Docs.ms Docs Customer feedback via GitHub Issue

Comments

@guardrex
Collaborator

guardrex commented Sep 9, 2020

From @YuxuanLin at #19226 (comment) ...

  1. What is JS? JavaScript?

  2. Which is for cookie? And does it mean validating a cookie containing a JWT?

  3. I tested in my code using context.HttpContext.AuthenticateAsync(scheme); in a custom attribute. For bearer authentication (bearer JWT in header), those two, AzureADDefaults.JwtBearerAuthenticationScheme and AzureADDefaults.BearerAuthenticationScheme, are interchangeable. In other words, both of them work on the JWT bearer header authentication. So what exactly is the difference between those two?



@guardrex guardrex added this to the 2020 Q4 ends Dec 31 milestone Sep 9, 2020
@guardrex guardrex self-assigned this Sep 9, 2020
@dotnet-bot dotnet-bot added ⌚ Not Triaged Source - Docs.ms Docs Customer feedback via GitHub Issue labels Sep 9, 2020
@YuxuanLin
Contributor

Hi @guardrex thank you for helping me escalate my questions.

Just to say, those questions are actually targeting Web API instead of Blazor. Answers may apply to Blazor WASM too, but I am not sure.

Thanks!

@guardrex
Collaborator Author

guardrex commented Sep 9, 2020

@YuxuanLin ... Yes, the schemes aren't directly tied to Blazor ... they are general concepts. Blazor does default to a set of security technologies and configurations (i.e., OAuth 2.0 with OIDC and the implicit flow for 3.1, which is soon to be the authorization code flow for Blazor with .NET 5.0). Currently, our best general guidance in this doc set is in the auth schemes topic. There are also API remarks, but there's no detail in the remarks ...

We wish to let MS Identity Platform docs explain the security concepts generally. For example, a good general topic on OIDC and OAuth 2.0 is OAuth 2.0 and OpenID Connect protocols on Microsoft identity platform, especially the Tokens section of that doc. Also, the topic Microsoft identity platform access tokens is good ... keeping in mind that there are some differences between Identity Platform v1.0 and v2.0 in terms of packages, configuration, and API use when looking through the topics. Blazor is moving to v2.0 for .NET 5 later this year. I'll be working on the preview docs shortly when RC1 releases. That work is tracked by #19503.

A default scheme, such as the default AzureADDefaults.BearerAuthenticationScheme, is required for AddAuthentication in the Server app of a hosted Blazor solution. If it's not there without specifying a DefaultChallengeScheme, the app throws ...

No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action configureOptions).

... and there is flexibility in the default scheme provided to AddAuthentication. However, not any scheme will work. I agree with you (based on testing) that AzureADDefaults.BearerAuthenticationScheme (the recommendation per our engineering guidance ... it's in the Blazor template) and AzureADDefaults.JwtBearerAuthenticationScheme (not recommended ... not in the template) will work as the default scheme passed to AddAuthentication.

AzureADDefaults.JwtBearerAuthenticationScheme is the correct scheme for configuring JwtBearerOptions ... say for example to make a Graph API call in the Server app to get the user's security groups, as you can see in the new content for making a Graph API call in OnTokenValidated server-side for web API endpoints that need to confirm the user's AAD security group or built-in Administrator Role ... don't take that as gospel ... it hasn't been reviewed yet, and there are likely updates to that coming when engineering takes a look.

What I don't see in the MS Identity docs yet is an easy-to-understand explanation of the processing differences for the different schemes. I'm not saying that resources aren't there. I might just need to dig around a bit more. I'd also like to inquire with engineering later on these concepts ... after .NET 5 reaches GA later this year. I don't think it's super critical at the moment. The pattern is well established for Blazor apps at this time, and we'll continue to provide the right pattern in these docs until a little more detail can be added to this topic about the schemes in use.

What I recommend in the meantime is that you reach out to security gurus on the usual support channels ...

If you do spot a doc over there in the MS Identity docs that explains the schemes, please do post the link on this issue so that I can review it when I get back to this issue later this year or early in 2021.

@YuxuanLin
Contributor

Thank you @guardrex, this is the most faithful answer I've ever gotten on the Internet in my life 😆

Afterwards, could we have a doc about the mapping between the registered default schemes and extension methods like AddAzureADBearer and AddAzureAD?

After trial and error I found out the relationship between JwtBearerOptions, OpenIdConnectOptions and CookiePolicyOptions. It would also be appreciated if those connections were illustrated well in the doc too.

Thanks!

@guardrex
Collaborator Author

mapping between the registered default schemes and extension methods like AddAzureADBearer and AddAzureAD

Yes, that's probably what will happen, including where Blazor WebAssembly differs from the scenarios covered in https://docs.microsoft.com/aspnet/core/security/authorization/limitingidentitybyscheme. Currently, we're just going off of what the engineers (Javier, in particular) show us via the authn/z examples and the Blazor templates.

We'll take a look at this issue sometime after .NET 5 releases probably. It could be later this year or early next year. There's a lot of work to do over the next few months ... then the holidays 🎁⛄ hit and many take off for extended breaks. Me, too! 🏖️
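To make the scheme mapping discussed in this thread concrete, here is an added example. It is not code from this issue, the docs, or the Blazor template; it is written against the .NET Core 3.1-era Microsoft.AspNetCore.Authentication.AzureAD.UI package that the AzureADDefaults constants come from. It assumes an "AzureAd" configuration section, a constructed placeholder group object ID, and an app registration that emits the groups claim; the ConfigureWebAppServices method name is hypothetical and exists only to contrast the AddAzureAD mapping with AddAzureADBearer.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Placeholder (constructed): object ID of the AAD security group that maps to the "Admin" role.
    private const string AdminGroupObjectId = "00000000-0000-0000-0000-000000000000";

    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    // Server project of a hosted Blazor WebAssembly solution: a web API that accepts bearer JWTs.
    public void ConfigureServices(IServiceCollection services)
    {
        // A default scheme is mandatory. Without one, the first [Authorize] challenge fails with
        // "No authenticationScheme was specified, and there was no DefaultChallengeScheme found."
        services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
            // AddAzureADBearer registers two schemes:
            //   AzureADDefaults.BearerAuthenticationScheme ("AzureADBearer"): a policy scheme whose
            //       only job is to forward to the scheme below
            //   AzureADDefaults.JwtBearerAuthenticationScheme ("AzureADJwtBearer"): the JwtBearerHandler
            //       that actually validates the token
            // Because the first merely forwards, either name "works" as the default scheme, but only
            // the second owns a JwtBearerOptions instance.
            .AddAzureADBearer(options => Configuration.Bind("AzureAd", options));

        // Token validation is configured under the JwtBearer scheme name. Named options registered
        // under the policy scheme name are never read by the JwtBearerHandler.
        services.Configure<JwtBearerOptions>(AzureADDefaults.JwtBearerAuthenticationScheme, options =>
        {
            options.Events = new JwtBearerEvents
            {
                // Runs only after signature, issuer, audience and lifetime checks have succeeded.
                OnTokenValidated = context =>
                {
                    // Assumes the app registration emits the "groups" claim (groupMembershipClaims).
                    var identity = (ClaimsIdentity)context.Principal.Identity;
                    var isAdmin = identity.FindAll("groups").Any(c => c.Value == AdminGroupObjectId);
                    if (isAdmin)
                    {
                        // Translate group membership into a role claim so [Authorize(Roles = "Admin")]
                        // and the policy below both work without calling Graph on every request.
                        identity.AddClaim(new Claim(identity.RoleClaimType, "Admin"));
                    }
                    return Task.CompletedTask;
                }
            };
        });

        services.AddAuthorization(options =>
            options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin")));

        services.AddControllersWithViews();
        services.AddRazorPages();
    }

    // For comparison, a server-rendered app that signs users in interactively uses AddAzureAD,
    // which maps to a different trio of schemes:
    //   AzureADDefaults.AuthenticationScheme ("AzureAD"): policy scheme forwarding authenticate
    //       calls to the cookie scheme and challenges to the OpenID Connect scheme
    //   AzureADDefaults.OpenIdScheme ("AzureADOpenID"): OpenIdConnectHandler; owns OpenIdConnectOptions
    //   AzureADDefaults.CookieScheme ("AzureADCookie"): CookieAuthenticationHandler; owns
    //       CookieAuthenticationOptions
    // CookiePolicyOptions (consent/SameSite policy middleware) is a separate object from the
    // authentication cookie's options and is not tied to any of these schemes.
    public void ConfigureWebAppServices(IServiceCollection services)
    {
        services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
            .AddAzureAD(options => Configuration.Bind("AzureAd", options));

        services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
        {
            options.TokenValidationParameters.NameClaimType = "preferred_username";
        });

        services.Configure<CookieAuthenticationOptions>(AzureADDefaults.CookieScheme, options =>
        {
            // Harden the session cookie the OIDC sign-in produces.
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        });
    }
}
```

The practical rule the example encodes: pass a policy scheme name (BearerAuthenticationScheme or AuthenticationScheme) to AddAuthentication, but bind handler options (JwtBearerOptions, OpenIdConnectOptions, CookieAuthenticationOptions) to the handler scheme name the policy forwards to, which is why the thread's testing found both bearer names interchangeable as the default while only JwtBearerAuthenticationScheme configures JwtBearerOptions.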

@YuxuanLin
Contributor

@guardrex sir, you are obviously very professional and hardworking. Your responses are also a good testimony to Microsoft's effort on continuous support.

Please take a break and stay safe!

Cheers
Eric
