Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Error retrieving the current token in a Blazor application after successful authentication with Oidc client #41873

Closed
wants to merge 1 commit into from
Closed

Error retrieving the current token in a Blazor application after successful authentication with Oidc client #41873

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion src/Components/WebAssembly/WebAssembly.Authentication/src/Interop/AuthenticationService.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,9 @@ class OidcAuthorizeService implements AuthorizeService {
const parameters = request && request.scopes ?
{ scope: request.scopes.join(' ') } : undefined;

const newUser = await this._userManager.signinSilent(parameters);
const newUser = await this._userManager.signinSilent(Object.assign({}, {
response_type: 'id_token token'
}, parameters));
Comment on lines +114 to +116
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is the response type id_token in the first place?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if this is really needed at this place.
I'll test it.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After trying, if I remove the id_token from the signIn It will remove the id_token from the session's stored user...
I think this could be an issue...

To not create a side effect, I guess it is better to keep both id_token and access_token in the request ;)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kbeaugrand is there a reason why your response type is not code?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@javiercn , because this method should request for an access token, not an authorization code ...

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kbeaugrand this method should request whatever is configured in the settings, it's not up to the library to change the response, changing the response type affects the security characteristics of the app.

id_token, access_token, what they do, is request for the tokens to be delivered by the authorization endpoint (implicit flows).

What tokens you get back is based on the scopes you request. At a minimum an access token to talk to your API, and optionally, in addition to that, an ID token to identify the user.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@javiercn, the issue mentioned, relates that by using the standard documentation, the Authentication is requesting the id_token;

The Blazor WebAssembly template automatically configures default scopes for openid and profile.

The Blazor WebAssembly template doesn't automatically configure the app to request an access token for a secure API. To provision an access token as part of the sign-in flow, add the scope to the default token scopes of the OidcProviderOptions. If adding authentication to an app, manually add the following code and configure the scope URI.

source: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-authentication-library?view=aspnetcore-6.0&tabs=visual-studio#access-token-scopes.

  1. I' would be happy if by setting ProviderOptions.ResponseType to "id_token token" my client goes well to the authentication but this is not the case.

  2. By using the BaseAddressAuthorizationMessageHandler, the program calls the getAccessToken method from AuthenticationService.

As I see in the code, there is condition, if the access token is present and has all the required scopes, it returns the access token. otherwise it will sign in silently.
If the access token is not present (because not requested) and we don't force to request the access token, we never will have that ...

I might not understand correctly the philosophy of this library and the solution might not be this one.

In your opinion, what should be the correct approach ?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@javiercn , nevermind, I got why getting the access token as part of the login doesn't work in my case...
In my case, I'm using OpenID connect with Azure AD B2C as the IdP.

AD B2C doesn't provide the user info endpoint and he oidc client used requires it ;(
It fails to perfom the sign in and validates the login but without any error message...

By changing the settings, I got my flow working (after disabling the loadUserInfo (see: https://github.com/IdentityModel/oidc-client-js/wiki#other-optional-settings)

After, that I can have my access token with the id_token.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I close this PR since it doesn't provide what I expected.

However, the documentation makes me some troubles, do you think this could be an opportunity to documentation that if the access token is required to authenticate to APIs, the developer should also change the reponse_type to add the token request as part of the sign in process ?


return {
status: AccessTokenResultStatus.Success,
Expand Down