Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bug: Blazor Server setting a Resource will fail authentication #29

Open
2 of 4 tasks
Json-exe opened this issue Sep 27, 2024 · 6 comments · May be fixed by #30
Open
2 of 4 tasks

bug: Blazor Server setting a Resource will fail authentication #29

Json-exe opened this issue Sep 27, 2024 · 6 comments · May be fixed by #30
Labels
bug Something isn't working

Comments

@Json-exe
Copy link

Describe the bug

I have a Blazor Server project, where I have added Logto as an Identity Provider. I have created a Traditional Web App in Logto and provided all information for the AddLogotAuthentication call. I tested it and everything worked fine. Than I added a API Resource to Logto and added the ID of it to options.Resource. But after adding that and starting the App, I never get Authenticated again. Always when clicking login, and logging in on logto, I get redirected to my page and it still says Login. Only when I remove the Resource again, my login works fine.
I currently tried several Resource IDs:

I can also reproduce that behaviour in the Blazor Sample App.
If you need more information, I am happy to share ^^

Expected behavior

I still get Authenticated correctly on my Application, and can retrieve my Access Token for my WebAPI.

How to reproduce?

Download this repo, open the Blazor Server Project, add the appsettings, add a Traditional Web App to logto and fill the required information in the appsettings. Add a API Resource to logto and add the resource to the appsettings. Try to login.

Context

  • Logto Cloud
  • Self-hosted, Logto version = 1.20.0
    • Container (Docker image)
    • Raw Node.js

Screenshots

Before Sign-in:
chrome_0J2pJdljw0

After Sign-In:
chrome_DeMH8bzQn3
@Json-exe Json-exe added the bug Something isn't working label Sep 27, 2024
@Json-exe
Copy link
Author

I further investigated the issue and created an account for Logto cloud. When I use the Logto cloud everything works fine when I set a Resource.
Eventually it has something todo with Logto selfhosted running on http instead of https or there is a bug in the self hosted version?

@michaelgiraldo
Copy link

@Json-exe yes, its' because of the https. Can you configure the local host for HTTPS?

@Json-exe
Copy link
Author

I'll see if I can get a reverse proxy to run locally or how I can get logto to run under https on my machine.

@Json-exe
Copy link
Author

I set up a Logto Instance on my server and put NGINX in front of it. I issued a certificate from Lets Encrypt and enabled https. But the issue with the Ressource still persists. Also in the example App I dont get Authenticated if I set a resource.

@Json-exe
Copy link
Author

I now tried the following on my local machine:

  • Create a self signed certificate and install it
  • Using this tutorial to add the certificates as env variables to my local docker container to allow https
  • Create a new App for the Blazor Server Example and a new API Resource
  • Try to sign in

Once again I could not be authenticated although now even localhost had https (I also tried that on my server where nginx is then proxying to https://127.0.0.1:3002 and 3001 but that did not work either).

@Json-exe
Copy link
Author

Json-exe commented Oct 3, 2024

I have made some more tests. I have disabled Cloudflare to check if that was the problem and have created the same configuration I have used in Logto Cloud. My issue sadly still persists.
Here are some logs of the Authentication process in case you need it:
Blazor Logs:

info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 GET https://localhost:44319/SignIn - - -
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[0]
Executing endpoint 'HTTP: GET /SignIn'
info: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[12]
AuthenticationScheme: Logto was challenged.
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
Executed endpoint 'HTTP: GET /SignIn'
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/2 GET https://localhost:44319/SignIn - 302 - - 378.7587ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 POST https://localhost:44319/Callback - application/x-www-form-urlencoded 502
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[10]
AuthenticationScheme: Logto.Cookie signed in.
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/2 POST https://localhost:44319/Callback - 302 - - 255.4845ms
info: Microsoft.AspNetCore.Hosting.Diagnostics[1]
Request starting HTTP/2 GET https://localhost:44319/ - - -
info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
Executed endpoint '/ (/)'
info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
Request finished HTTP/2 GET https://localhost:44319/ - 200 - text/html;+charset=utf-8 311.7258ms
info: Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler[7]
Logto.Cookie was not authenticated. Failure message: No principal.
info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

My Logto Instance Logs:
Interaction started:

{
  "key": "Interaction.Create",
  "result": "Success",
  "ip": "---.---.--.--",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36",
  "userId": "g8jqzitis1fe",
  "applicationId": "rzoeztxfntj0f4us6szbz",
  "sessionId": "kkO1S80zXhouQyjgmkd4h",
  "params": {
    "nonce": "638635631980426641.Mzc4MjBiYjMtZjg3MC00NTE2LTlkNzgtOTQwZTY1NmI1ZThmZDUyZWRiYjEtMWM5Ni00MGVhLThjODctM2M2YjJlY2U1NGRj",
    "scope": "openid offline_access profile",
    "state": "CfDJ8PciJX1BI1tMhWzI08s0l5WsI65ESSIc9_96lYVmgnMetyCl5BGBWccyImGopc8RQOnXJOglvTc1KORX-beSvSCVYAYwrkdDuYoLKdfn1V1rFYb5uvm_k1RnlYHXpYHnFBZs5x0rFW6eY-MhXkI8HSPJyxApVx5aPEjuKotChY-3QkweO-q_cYpKFK37KtQDcWXwzwRxyit3LGmyKglYALRp_lTlBt5n7qGCzbzp-YT_cKJgf8QhQNif3clKW_12XBUvW4cp-TZvy98nnOfUlw0OYCyxaEpyzrAz8fLVIOq8M4NwRy_wa-JrOQBB18SykTgOUoHi1GYO_9yv4pmnAOWDqtLdS0CLutQLajtDr229CLy-48MtQn9ROO7N6z_SsQ",
    "prompt": "consent",
    "resource": "http://localhost:3212/",
    "client_id": "rzoeztxfntj0f4us6szbz",
    "redirect_uri": "https://localhost:44319/Callback",
    "response_mode": "form_post",
    "response_type": "code",
    "code_challenge": "aUW0QhTkN3dSfi0H1Y1OBo-ZBLcQH29rkKiXZLj_Oc8",
    "code_challenge_method": "S256"
  },
  "prompt": {
    "name": "consent",
    "details": {
      "missingOIDCScope": [
        "openid",
        "offline_access",
        "profile"
      ]
    },
    "reasons": [
      "consent_prompt",
      "op_scopes_missing"
    ]
  },
  "interactionId": "aM-nCV2qU0qYnImOhASAB"
}

Exchange:

{
  "key": "ExchangeTokenBy.AuthorizationCode",
  "result": "Success",
  "ip": "---.---.--.--",
  "userAgent": "Microsoft ASP.NET Core OpenIdConnect handler",
  "userId": "g8jqzitis1fe",
  "applicationId": "rzoeztxfntj0f4us6szbz",
  "params": {
    "code": "IFjuozuL37jbMMwT3bu50poMpAGgOpmNa94sxu1zdZo",
    "client_id": "rzoeztxfntj0f4us6szbz",
    "grant_type": "authorization_code",
    "redirect_uri": "https://localhost:44319/Callback",
    "client_secret": "#internal:83N3UwftTlIRqeXKSgMiVFz98Bv1fv8B",
    "code_verifier": "OX4EDW35U5l9wCPY_8Gxzvo004SFjfNzYA6s335UKsE"
  },
  "scope": "openid offline_access profile",
  "tokenTypes": [
    "AccessToken",
    "RefreshToken",
    "IdToken"
  ],
  "applicationSecret": {
    "name": "Default secret"
  }
}

And my browser network logs:
localhost.json

Hope that helps.

@Json-exe Json-exe linked a pull request Oct 4, 2024 that will close this issue
Open
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix: LogtoCookieContextManager setting double slash in fetch token request uri Json-exe/logtocsharp
2 participants
@michaelgiraldo @Json-exe