-
Notifications
You must be signed in to change notification settings - Fork 10.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blazor standalone oidc authorization not requesting prompt #30068
Comments
@esamk thanks for contacting us. info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user The snippet above comes from the default authorization service which is completely unrelated to this package and doesn't have anything to do with What you are likely observing is due to the fact that Blazor will try to silently authenticate the user first if possible and only fallback to a redirect afterwards. We don't offer the ability to log in through a pop up via this package if that's what you are looking for. |
@javiercn "The snippet above comes from the default authorization service " "What you are likely observing is due to the fact that Blazor will try to silently authenticate the user first " Uhhh, AFAIK, that's not how oidc authorization flow is supposed to work. How Blazor (the authorization service that is) could silently authenticate user when it does not yet have any knowledge about the user? I.E no auth cookie, no tokens no nothing. My understanding is, that after fetching the .well-known/openid-configuration, it (the oidc authorizationservice) contacts the authorization endpoint (as the responsetype is set to "code"). And that is exactly what seems to happen. The point is, in that request it should probably have set the prompt parameter to value "login" instead of "none". That's how I understand it. I might be wrong though. That's why I am asking if this is a bug or if its about me misunderstanding something. Please, guessing does not help me at all. If you didn't get enough information from me, please just ask and I'll do my best to describe my problem/question more clearly and/or provide more information. |
There are two packages that we use in Blazor:
There are multiple flows, but this is called silent refresh and essentially, it asks the IdP via a silent iframe if there is already a session established for a user, and silently authorizes him (that's what prompt=none) is for. If there is no user session on the IdP, this obviously fails and a redirect is required. We in our authenticationservice.ts explicitly perform this by calling signinsilent on the UserManager on oidc-client.js and fallback to signinredirect if that doesn't work. I hope this helps clarify things |
@javiercn However, my problem is that the user never sees the login screen. Any idea what could cause that to happen? |
This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes. See our Issue Management Policies for more information. |
@esamk ... I've marked this discussion on my UE ("user experience" ... i.e., total doc overhaul) doc tracking issue. I'll see how the doc can be improved based on this convo when I get to it on that pass. |
@esamk I think it's likely some misconfiguration with your IdP. If you create a new hosted template with individual auth you can run through the login process without issues. |
@javiercn Ok. Thanks for your help. |
Describe the bug
Blazor stdandalone client (with oidc & default authorization service) request includes "prompt: none" when contacting authorization endpoint.
As a consequence, identityserver4 which receives the authorization request does not redirect my client to the login page.
Instead the call returns without authenticated user and the client console reports:
The Identityserver4 documentation says this about the values of prompt field:
This behavior seems to be what happens on the server side when handling the authorization request: The server output says:
That implies to me, that oidc client should include
"prompt": "login"
into the authorization request.I also found some blog posts which seem to suggest that some earlier versions allowed to change the prompt behavior. The current version does not seem to have that option available. At least I did not found one.
My question is, is this how the Blazor oidc authorization service is supposed to work, or is this perhaps a bug? Or have I missed something or understood oidc authorization flow completely wrong.
Other than identityserver docs, I've followed the guidance in the Secure an ASP.NET Core Blazor WebAssembly standalone app with the Authentication library
Here's my config:
Client config (program.cs):
The oidc config in the client appsettings.json:
Exceptions (if any)
Further technical details
dotnet --info output
cc: @guardrex
#21510
The text was updated successfully, but these errors were encountered: