From b7a8b33bf24d79bc0cb37282e4f5d370ddcffa95 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 7 Dec 2023 07:49:31 -0500 Subject: [PATCH 1/7] Token authentication updates --- .../webassembly/standalone-with-identity.md | 22 ++++++++++++------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index cda55c191a60..1b7d8ed7da27 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
@@ -54,18 +54,15 @@ builder.Services ## Token authentication -For clients that don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. +For native and mobile scenarios where clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. The tokens are not standard JSON Web Tokens (JWTs). The use of custom tokens is intentional, as the built-in Identity API is meant primarily for simple scenarios. The token option is not intended to be a fully-featured identity service provider or token server, but instead an alternative to the cookie option for clients that can't use cookies. -To use token-based authentication with the login API, set the `useCookies` query string parameter to `false`: +The following guidance begins the process of implementing token-based authentication with the login API. Custom code is required to complete the implementation. -```diff -- /login?useCookies=true -+ /login?useCookies=false -``` +Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method. 
-Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method: +In `Backend/Program.cs`: ```csharp builder.Services @@ -73,6 +70,15 @@ builder.Services .AddBearerToken(); ``` +In `BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs`, remove the `useCookies` query string parameter in the `LoginAsync` method of the `CookieAuthenticationStateProvider`: + +```diff +- /login?useCookies=true ++ /login +``` + +At this point, you must provide custom code to parse the on the client and manage the access and refresh tokens. + ## Sample apps In this article, sample apps serve as a reference for standalone Blazor WebAssembly apps that access ASP.NET Core Identity through a backend web API. The demonstration includes two apps: @@ -119,7 +125,7 @@ User identity with cookie authentication is added by calling ). The in-memory database provider makes it easy to restart the app and test the registration and login user flows. However, each run starts with a fresh database. If the database is changed to SQLite, users are saved between sessions, but the database must be created through [migrations](/ef/core/managing-schemas/migrations/),as shown in the [EF Core getting started tutorial](/ef/core/get-started/overview/first-app). You can use other relational providers such as SQL Server for your production code. -Configure identity to use the EF Core database and expose the Identity endpoints via the calls to , , and . +Configure Identity to use the EF Core database and expose the Identity endpoints via the calls to , , and . A [Cross-Origin Resource Sharing (CORS)](xref:security/cors) policy is established to permit requests from the frontend and backend apps. Fallback URLs are configured for the CORS policy if app settings don't provide them: From 238eeee84700efa0846dce232f50fc0f3a620440 Mon Sep 17 00:00:00 2001 
From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 11:32:49 -0500 Subject: [PATCH 2/7] Updates --- .../webassembly/standalone-with-identity.md | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index 1b7d8ed7da27..b67430349ab9 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
@@ -52,13 +52,23 @@ builder.Services .AddIdentityCookies(); ``` +## Additional authentication scenarios + +For additional Identity scenarios provided by the API, see : + +* Secure selected endpoints +* Token authentication +* Two-factor authentication (2FA) +* Recovery codes +* User info management + ## Token authentication For native and mobile scenarios where clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. The tokens are not standard JSON Web Tokens (JWTs). The use of custom tokens is intentional, as the built-in Identity API is meant primarily for simple scenarios. The token option is not intended to be a fully-featured identity service provider or token server, but instead an alternative to the cookie option for clients that can't use cookies. -The following guidance begins the process of implementing token-based authentication with the login API. Custom code is required to complete the implementation. +The following guidance begins the process of implementing token-based authentication with the login API. Custom code is required to complete the implementation. For more information, see . Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method. 
@@ -77,7 +87,7 @@ In `BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs`, remove the `u + /login ``` -At this point, you must provide custom code to parse the on the client and manage the access and refresh tokens. +At this point, you must provide custom code to parse the on the client and manage the access and refresh tokens. For more information, see . ## Sample apps From 468a38b131a5e9d3150ff732c87d6bd6bc16a3af Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 11:33:29 -0500 Subject: [PATCH 3/7] Updates --- .../webassembly/standalone-with-identity.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index b67430349ab9..060a329bc68b 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md @@ -52,16 +52,6 @@ builder.Services .AddIdentityCookies(); ``` -## Additional authentication scenarios - -For additional Identity scenarios provided by the API, see : - -* Secure selected endpoints -* Token authentication -* Two-factor authentication (2FA) -* Recovery codes -* User info management - ## Token authentication For native and mobile scenarios where clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. 
@@ -89,6 +79,16 @@ In `BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs`, remove the `u At this point, you must provide custom code to parse the on the client and manage the access and refresh tokens. For more information, see . +## Additional Identity scenarios + +For additional Identity scenarios provided by the API, see : + +* Secure selected endpoints +* Token authentication +* Two-factor authentication (2FA) +* Recovery codes +* User info management + ## Sample apps In this article, sample apps serve as a reference for standalone Blazor WebAssembly apps that access ASP.NET Core Identity through a backend web API. The demonstration includes two apps: From 77f3fbba500d3d0be339694d4b7a898b8048d7e7 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:16:28 -0500 Subject: [PATCH 4/7] Apply suggestions from code review Co-authored-by: Stephen Halter --- .../blazor/security/webassembly/standalone-with-identity.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index 060a329bc68b..d29a875d969e 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
@@ -54,7 +54,7 @@ builder.Services ## Token authentication -For native and mobile scenarios where clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. +For native and mobile scenarios where some clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. The tokens are not standard JSON Web Tokens (JWTs). The use of custom tokens is intentional, as the built-in Identity API is meant primarily for simple scenarios. The token option is not intended to be a fully-featured identity service provider or token server, but instead an alternative to the cookie option for clients that can't use cookies. @@ -66,8 +66,8 @@ In `Backend/Program.cs`: ```csharp builder.Services - .AddAuthentication(IdentityConstants.ApplicationScheme) - .AddBearerToken(); + .AddAuthentication() + .AddBearerToken(IdentityConstants.BearerScheme); ``` In `BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs`, remove the `useCookies` query string parameter in the `LoginAsync` method of the `CookieAuthenticationStateProvider`: From 8d6f5f75f1cbd221770085f6d03d635f383fb915 Mon Sep 17 00:00:00 2001 
From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:17:16 -0500 Subject: [PATCH 5/7] "The token is passed ..." to "The token should be passed ..." --- .../blazor/security/webassembly/standalone-with-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index d29a875d969e..4bc113593a1d 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
@@ -54,7 +54,7 @@ builder.Services ## Token authentication -For native and mobile scenarios where some clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token is passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. +For native and mobile scenarios where some clients don't support cookies, the login API provides a parameter to request tokens. A custom token (one that is proprietary to the ASP.NET Core Identity platform) is issued that can be used to authenticate subsequent requests. The token should be passed in the `Authorization` header as a bearer token. A refresh token is also provided. This token allows the app to request a new token when the old one expires without forcing the user to log in again. The tokens are not standard JSON Web Tokens (JWTs). The use of custom tokens is intentional, as the built-in Identity API is meant primarily for simple scenarios. The token option is not intended to be a fully-featured identity service provider or token server, but instead an alternative to the cookie option for clients that can't use cookies. From f042b86686cf5a792169bb4d7137a7bae069cd1e Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:20:58 -0500 Subject: [PATCH 6/7] Updates --- .../blazor/security/webassembly/standalone-with-identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index 4bc113593a1d..9647f58433b3 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
+++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md @@ -60,9 +60,9 @@ The tokens are not standard JSON Web Tokens (JWTs). The use of custom tokens is The following guidance begins the process of implementing token-based authentication with the login API. Custom code is required to complete the implementation. For more information, see . -Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method. +Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method. Specify the scheme for bearer authentication tokens with . -In `Backend/Program.cs`: +In `Backend/Program.cs`: ```csharp builder.Services From d6593e9b437329f558cb1614f18a396a5289a172 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Fri, 8 Dec 2023 13:22:11 -0500 Subject: [PATCH 7/7] Updates --- .../blazor/security/webassembly/standalone-with-identity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md index 9647f58433b3..8ed47feb1257 100644 --- a/aspnetcore/blazor/security/webassembly/standalone-with-identity.md +++ b/aspnetcore/blazor/security/webassembly/standalone-with-identity.md 
@@ -62,7 +62,7 @@ The following guidance begins the process of implementing token-based authentica Instead of the backend server API establishing cookie authentication with a call to on the authentication builder, the server API sets up bearer token auth with the extension method. Specify the scheme for bearer authentication tokens with . -In `Backend/Program.cs`: +In `Backend/Program.cs`, change the authentication services and configuration to the following: ```csharp builder.Services
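Review bot: In PATCH 1/7, hunk `@@ -54,18 +54,15 @@`, the rewritten paragraph scopes the token option to "clients that can't use cookies", yet the steps that follow modify `BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs`, the browser-hosted Blazor WebAssembly client that the rest of the article configures with cookies. Say plainly that a browser client following these steps ends up holding the access and refresh tokens in its own client-side code instead of in the browser-managed cookie, and that the cookie option remains the path the article recommends for the WebAssembly app; otherwise the reader cannot tell whether the example is for the sample app or for a native client.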
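Review bot: In PATCH 1/7, hunk `@@ -73,6 +70,15 @@`, the new diff drops the query string entirely (`- /login?useCookies=true`, `+ /login`) while the paragraph above it still says "the login API provides a parameter to request tokens", so the prose points at a parameter the change no longer shows. Either keep `useCookies=false` in the diff so the parameter is visible, or reword the prose to say that omitting `useCookies` makes the login endpoint return tokens. In the same hunk, "you must provide custom code to parse the on the client" is missing the name of the response type; confirm the reference renders.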
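Review bot: In PATCH 1/7, hunk `@@ -119,7 +125,7 @@`, the unchanged context line `[migrations](/ef/core/managing-schemas/migrations/),as shown` is missing a space after the comma; the hunk already touches the neighbouring "Configure Identity" sentence, so fix the spacing in the same edit.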
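Review bot: In PATCH 3/7, hunk `@@ -89,6 +79,16 @@`, the relocated "Additional Identity scenarios" list keeps a "Token authentication" bullet directly below a full "Token authentication" section, and the lead sentence "For additional Identity scenarios provided by the API, see :" has no visible link target. Drop the duplicate bullet or turn it into a cross-reference to the section above, and confirm the reference after "see" resolves.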
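Review bot: In PATCH 4/7, hunk `@@ -66,8 +66,8 @@`, the substantive change is registering the handler under `IdentityConstants.BearerScheme` (`.AddBearerToken(IdentityConstants.BearerScheme)`), but no prose explains why the parameterless `.AddBearerToken()` was wrong, and the sentence added in PATCH 6/7 ("Specify the scheme for bearer authentication tokens with .") carries an empty reference where that constant should be named. State that the Identity login endpoint issues its tokens under that scheme name, so a handler registered under any other name will not authenticate them. Also, `AddAuthentication()` now names no default scheme, which relies on the bearer scheme being the only scheme registered; say so, or pass the scheme explicitly, so a reader who adds a second handler later is not caught out.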