Blazor and jwt problems with Scaffold Identity

[Rick-Anderson]

Moved from #7633 by @sbsw
These pages sometimes say we should use services.AddDefaultIdentity, and sometimes services.AddIdentity. Reading between the lines, AddIdentity exposes additional options for configuring Identity. But there is no coherent description of the difference between these two methods. We really need a section early in this documentation that presents these two registration methods and information about the follow-on fluent methods that are required and/or optional.

Put a link to this comparison in:

• Content: Scaffold Identity in ASP.NET Core projects
• Content Source: aspnetcore/security/authentication/scaffold-identity.md

Per Hao
AddDefaultIdentity is just syntactic sugar for the old code that used to be in startup + AddDefaultUI, whatever you are trying to do,

See AddDefaultIdentity

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: d3ac09f0-74ca-1a5d-4fec-695b84c1ac95
• Version Independent ID: cd2c1f5e-e4f0-d2c3-4737-8ff4f0c176c2
• Content: Configure ASP.NET Core Identity
• Content Source: aspnetcore/security/authentication/identity-configuration.md
• Product: aspnet-core
• GitHub Login: @AdrienTorris
• Microsoft Alias: riande

[Scobiform]

the Scatfolding is a mess too - the whole blazor identity is not very Full Stack friendly right now... suddenly I have empty .js in wwwroot/Identity and such... I guess I will write a own Identity template. But for my project it consumes now time - razor pages was clean and simple this tries to be super nice and timesaving but leads me to problems and stress...

[bernatgy]

I have the same problems as @Scobiform. This "version" of Identity is completely confusing. Even the docs. In my opinion docs SHOULD NOT start with the assumption that everyone wants to start using it with a whole bunch of abstract default settings, Entity Framework, MVC and whatnot. I've only just started researching because I want to implement something super simple, and I've already been reading for 2 hours without knowing anything about how I should start using it and how and what I should override (either types or options).

[iHamzaKhanzada]

One strange problem I am facing with using AddIdentity is your protected pages (which require authentication) gets unprotected, meaning you can call Identity/Account/manage/index.cshtml page without authentication. This led me to debugging of 5 hours and finally I changed my services.AddIdentity to services.AddDefaultIdentity and now the pages are protected again.. I don't know If I have elaborated the issue properly but while using AddIdentity you can even access authorized pages without even login

[zubairkhakwani]

i am using .net core 3.1 web api project and using jwt for authentication with services.AddIdentity<IdentityUser, IdentityRole>() .AddEntityFrameworkStores<ApplicationDbContext>(); but when i use Authorize attribute instead of returning 401 unauthorized or even when i provide the correct token it redirect to login page but it work perfectly fine with services.AddDefaultIdentity(IdentityUser) .AddEntityFrameworkStores<ApplicationDbContext>();

[baratgabor]

i am using .net core 3.1 web api project and using jwt for authentication with services.AddIdentity<IdentityUser, IdentityRole>() .AddEntityFrameworkStores<ApplicationDbContext>(); but when i use Authorize attribute instead of returning 401 unauthorized or even when i provide the correct token it redirect to login page but it work perfectly fine with services.AddDefaultIdentity(IdentityUser) .AddEntityFrameworkStores<ApplicationDbContext>();

I ran into this issue as well. Since AddIdentity() calls services.AddAuthentication() with options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme, it can override the options you provided alongside the AddJwtBearer() call (i.e. options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme). But if you set up the JWT bearer after the AddIdentity() call, it should work.

As for the difference in behavior experienced when using AddDefaultIdentity(), my guess is that this is due to the fact that AddDefaultIdentity() sets DefaultScheme, and not DefaultAuthenticateScheme – so it doesn't override your JWT authentication scheme.

But I also find this all to be confusing, and still trying to wrap my mind around it (authentication already works for me, but I'm yet to successfully derive a user from ClaimsPrincipal via UserManager).

[zubairkhakwani]

i also try setting JWT bearer after the AddIdentity() but still same behaviour, Why are you deriving user from ClaimsPrincipal. if you want to extend your class simply derive it from IdentityUser

…

On Wed, Apr 1, 2020 at 10:55 AM Gabor Barat ***@***.***> wrote: i am using .net core 3.1 web api project and using jwt for authentication with services.AddIdentity<IdentityUser, IdentityRole>() .AddEntityFrameworkStores<ApplicationDbContext>(); but when i use Authorize attribute instead of returning 401 unauthorized or even when i provide the correct token it redirect to login page but it work perfectly fine with services.AddDefaultIdentity(IdentityUser) .AddEntityFrameworkStores<ApplicationDbContext>(); I ran into this issue as well. Since AddIdentity() calls services.AddAuthentication() with options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme, it can override the options you provided alongside the AddJwtBearer() call (i.e. options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme). *But if you set up the JWT bearer after the AddIdentity() call, it should work.* As for the difference in behavior experienced when using AddDefaultIdentity(), my guess is that this is due to the fact that AddDefaultIdentity() sets DefaultScheme, and not DefaultAuthenticateScheme – so it doesn't override your JWT authentication scheme. But I also find this all to be confusing, and still trying to wrap my mind around it (authentication already works for me, but I'm yet to successfully derive a user from ClaimsPrincipal via UserManager). — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#8434 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AJB7VTOW23PA2NIVGRN2ID3RKLJMRANCNFSM4FTVGVJQ> .

[dbrennan]

I ran into the same problem with the Scaffolding Identity docs pages for a Blazor app. The guide and reference docs should really be updated to the correct guidance.

[Rick-Anderson]

@dbrennan we've got good review from MVC and Razor Pages customers. The tutorial isn't geared for jwt for authentication. It probably needs a Blazor section. cc @guardrex

[dbrennan]

Thanks for pushing this in. Agreed, a Bazor section would be great. It looks like the Razor customizations are also needed to work with Blazor? I opened another issue for a different section and started making some updates when I saw your change come through.

[guardrex]

This is a dup of #15651 ... and although that was opened a while ago (11/2019) with follow-up discussion in 2/2020, I've been 🏃😅 on many high priority issues and going as fast as I can.

I've moved the issue to the top of my P2 (Medium Priority) issues; so as soon as I burn thru a few more top priority issues, I can work it. The plan is to address scaffolding in two sections (with auth/without auth) in the Scaffold Identity topic, which is the topic that #15651 is attached to.

[guardrex]

@Rick-Anderson ... I'll close this because I think it was resolved by #16944 and various follow-up PRs. Just to make sure that all is well with that content, I'm going to add a UE pass entry for the scaffolding topic to review/update-as-needed for the Blazor sections there.

UPDATE: Done! I'll make sure that I get to it ... eventually 🏃😅.