Authentication needs in ASP.NET Core going forward #42105
Comments
javiercn
added
area-mvc
|
Thanks for contacting us. We're moving this issue to the |
|
My scenario is not about Auth but about Auth integration testing with Minimal api. One of the cases of my project is to be sure that all routes, including minimal, are protected with either Authorize or AllowAnonymous attributes. Previously it was possible to loaf all types and search for ControllerBase inheritors and checking their metadata Isn't it better to convert it to discussion? |
mkArtakMSFT
added
the
enhancement
@damienbod Can share a bit more about what you believe is missing for this? Are you looking for a generic OIDC client setup that would work with most OIDC providers, similar to what we have for Blazor WebAssembly? Are there particular OIDC providers that you'd want to ensure this works with? |
|
Hi @danroth27 thanks for asking. These are the projects we create for different clients which I think Microsoft could provide and would help the community developing secure applications. None of the templates are available per default. Individual Accounts
External authentication
I created three Blazor templates to fill this gap but believe Microsoft could do this for the community. The basic template of a Razor Page using an external OIDC server is missing. This would be really simple to support as all the auth middleware is already available. A user would only need to change the OIDC configuration for each different server requirement. A generic OIDC client setup would be great. Here are the Blazor templates I created. These have no auth in the frontend and are simple to extend. The templates have also no third party dependencies either apart from the security headers package. https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template https://github.com/damienbod/Blazor.BFF.AzureAD.Template https://github.com/damienbod/Blazor.BFF.AzureB2C.Template If I need to implement my own identity provider, I use either IdentityServer or OpenIddict with ASP.NET Core Identity using their templates (which are very good) and have no need for any of the Microsoft templates using these packages. So apart from the Microsoft.Identity.Web templates for Razor Pages and APIs, Microsoft provide none of the templates which would be useful to me and probably to others as well. This might be useful for some project as well: Individual Accounts
Greetings Damien |
|
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-8.0 I think with this it should not be that trivial for BFF on blazor wasm apps. |
|
Especially with the fact that https://github.com/IdentityModel/oidc-client-js is no longer maintained |
|
Thanks for contacting us. We're moving this issue to the |
mkArtakMSFT
added
Pillar: Complete Blazor Web
and removed
area-mvc
Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
https://twitter.com/davidfowl/status/1534756765597720578
Describe the solution you'd like
I see 4 authentication grouped needs in ASP.NET Core
1- Easy to implement standard client authn (OpenID Connect)
2- Standalone with cookies and ASP.NET Core Identity (IDP solutions as well)
3- Certificate auth
4- AzureAD and Azure B2C client authn
I believe Microsoft should provide templates for just the client authn and docs + links to products about how to use or implement the second and third type. The Azure AD and Azure B2C client templates are already good.
If you have simple authn templates for OIDC clients for an ASP.NET Core API, Razor page, MVC, Blazor (WASM, BFF ASP.NET Core hosted, Server) which are easy to adapt after, then we have a good solution. As part of the solution then, docs about using with different IDPs would help as all IDPs have small differences.
HTTPS should be used with all these templates per default.
Additional context
No response
The text was updated successfully, but these errors were encountered: