[.NET 8] Using attribute [Authorize] is bugged when refreshing page (shows HTTP ERROR 401 despite being logged in) #52317

Closed
DM-98 opened this issue Nov 23, 2023 · 6 comments
Labels
area-blazor Includes: Blazor, Razor Components ✔️ Resolution: By Design Resolved because the behavior in this issue is the intended design. Status: Resolved

DM-98 commented Nov 23, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I'm using Blazor RenderMode InteractiveServer globally and Prerender turned off. I also use JWT authentication (not sure how it behaves with other authentication methods).

When navigating with a href clicks, it works fine, authenticating the user and showing the authorized page. But when the same user refreshes the page with F5, it shows HTTP ERROR 401, like this:

[screenshot of the error page]

A minimal reproducible project is made for you to see the issue.

Expected Behavior

I expect the authenticated & authorized user to keep seeing the Authorized content inside the Blazor page component after an F5 page refresh.

Steps To Reproduce

  1. Download the repo: Minimalistic project - Github
    or quickly Git Bash this:
    git clone https://github.com/DM-98/BlazorApp2-AuthorizationIssueRepro
  2. Open Package Manager Console and run "Update-Database"
    (which makes a new database called BlazorApp2-AuthorizationBugRepro)
  3. Start with(out) debugging
  4. Register a user and then Login
  5. Navigate to [Authorize]'d page only and press F5

Exceptions (if any)

No response

.NET Version

8.0.100

Anything else?

No response

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-blazor Includes: Blazor, Razor Components label Nov 23, 2023
@surayya-MS
Member

Thanks for contacting us, @DM-98!
The authentication state provider the app defined is only used within Blazor and is not integrated with the ASP.NET Core authentication system. During prerendering, Blazor Web respects the metadata defined on the page and uses the ASP.NET Core authentication system to determine if the user is authenticated. Since you haven't integrated your custom AuthenticationStateProvider with the built-in authentication system, when you navigate from one page to the other, only your auth provider is used (which works), but when you refresh the page, your provider is not involved in the auth decision, and that's why the page doesn't get rendered.

To address this, it's better if you perform the authentication within the ASP.NET Core auth system and your authentication state provider only takes care of reflecting that state. For an example on how to do this, check the authentication state provider in the Blazor Web template with individual user accounts.

@surayya-MS surayya-MS added the ✔️ Resolution: By Design Resolved because the behavior in this issue is the intended design. label Nov 23, 2023
@ghost ghost added the Status: Resolved label Nov 23, 2023
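
What the reply above describes, as an added example that is not code from the issue, the repro project or the Blazor template: ASP.NET Core's JWT bearer handler authenticates every request, including the one a refresh sends, and components read that same principal. It assumes the login endpoint stores the JWT in an HttpOnly cookie named `access_token` and that the `Jwt:*` configuration keys exist; both are hypothetical.

```csharp
// Program.cs for a .NET 8 Blazor Web App (InteractiveServer); added example.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents().AddInteractiveServerComponents();

// Components read the principal ASP.NET Core authenticated for the request,
// rather than a login state tracked only inside Blazor.
builder.Services.AddCascadingAuthenticationState();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],      // assumed key
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],  // assumed key
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!)) // assumed key
        };
        options.Events = new JwtBearerEvents
        {
            // Assumption: the token lives in a cookie, because a browser page
            // load (F5) does not attach an Authorization: Bearer header.
            OnMessageReceived = context =>
            {
                if (context.Request.Cookies.TryGetValue("access_token", out var token))
                    context.Token = token;
                return Task.CompletedTask;
            }
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseStaticFiles();
app.UseAuthentication();   // builds HttpContext.User from the validated JWT
app.UseAuthorization();    // enforces [Authorize] metadata on page endpoints
app.UseAntiforgery();
// App is the project's root component (import its namespace with a using).
app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
app.Run();
```

With this in place, an unauthenticated refresh of an `[Authorize]` page still returns 401, which is the middleware enforcing the attribute.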
@rezamohammad

Hello, @surayya-MS
If possible, write some sample code as an example.
Thank you

@rezamohammad

hi @DM-98
#52063 (comment)

Well, I found a workaround:
define the following class and register it where the server initializes

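using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

// Ignores authorizeResult and always runs the next middleware, so the
// authorization middleware no longer answers a failed check with 401/403.
public class BlazorAuthorizationMiddlewareResultHandler : IAuthorizationMiddlewareResultHandler
{
    public Task HandleAsync(RequestDelegate next, HttpContext context, AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        return next(context);
    }
}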

and handler:

services.AddSingleton<IAuthorizationMiddlewareResultHandler, BlazorAuthorizationMiddlewareResultHandler>();

This class will prevent redirection from the new .NET 8 authorization middleware response.
The problem still exists, but at least we can use the new .NET 8 feature the way we used to in Blazor and .NET 7.

You may need to separate endpoint routing other than Blazor routes, since it basically renders server-side authorization (via .AddAuthentication(...).AddJwtBearer(...)) ineffective.

Hope this helps; enjoy .NET 8 while the team fixes the problem.

@dmm-l-mediehus

@rezamohammad The workaround works flawlessly, thanks.

@sh-jthorpe

Thanks for contacting us, @DM-98! The authentication state provider the app defined is only used within Blazor and is not integrated with the ASP.NET Core authentication system. During prerendering, Blazor Web respects the metadata defined on the page and uses the ASP.NET Core authentication system to determine if the user is authenticated. Since you haven't integrated your custom AuthenticationStateProvider with the built-in authentication system, when you navigate from one page to the other, only your auth provider is used (which works), but when you refresh the page, your provider is not involved in the auth decision, and that's why the page doesn't get rendered.

To address this, it's better if you perform the authentication within the ASP.NET Core auth system and your authentication state provider only takes care of reflecting that state. For an example on how to do this, check the authentication state provider in the Blazor Web template with individual user accounts.

Hi @surayya-MS, I've logged #52586 as this issue applies to MS Entra ID auth as well, and in that scenario there's no authentication state provider for us to configure.

@Stefan13-13

For me the workaround by @rezamohammad does not work.
The error goes away, but now I can view my page with the @attribute [Authorize(Policy = MyPolicy)] while I'm not authorized.
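
The workaround's `return next(context)` discards the authorization result, which is consistent with the report above. An added example (not from the thread or the repro project) of a handler that changes only how a failed page request is answered and otherwise delegates to the built-in `AuthorizationMiddlewareResultHandler`; the class name and the `/login` and `/api` paths are assumptions.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

// Added example: keeps the middleware's decision and only changes the response
// sent for a failed browser navigation. "/login" and "/api" are assumed paths.
public sealed class EnforcingAuthorizationResultHandler : IAuthorizationMiddlewareResultHandler
{
    private readonly AuthorizationMiddlewareResultHandler _defaultHandler = new();

    public Task HandleAsync(RequestDelegate next, HttpContext context,
        AuthorizationPolicy policy, PolicyAuthorizationResult authorizeResult)
    {
        // Authorized: continue down the pipeline and render the page.
        if (authorizeResult.Succeeded)
            return next(context);

        bool isPageNavigation = HttpMethods.IsGet(context.Request.Method)
            && !context.Request.Path.StartsWithSegments("/api");

        // Unauthenticated browser navigation: redirect to the login page instead
        // of a bare 401. The protected page is never rendered.
        if (authorizeResult.Challenged && isPageNavigation)
        {
            // The login page must accept returnUrl only as a local path.
            string returnUrl = Uri.EscapeDataString(
                context.Request.Path + context.Request.QueryString);
            context.Response.Redirect($"/login?returnUrl={returnUrl}");
            return Task.CompletedTask;
        }

        // API calls and Forbidden results keep the default 401/403 behaviour.
        return _defaultHandler.HandleAsync(next, context, policy, authorizeResult);
    }
}

// Registration, in place of the pass-through handler:
// builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler,
//     EnforcingAuthorizationResultHandler>();
```

Navigation inside an already running circuit does not pass through this middleware, so the router still needs `AuthorizeRouteView` for `[Authorize]` to be enforced there.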
