Unable to authorize by BFF in Blazor WebAssembly with Duende.IdentityServer in HTTP scheme, not HTTPS
I have two sample projects, one for Duende Identity Server and another for Blazor WebAssembly project, they are both writen by .NET 7 and we are using latest release of Duende Identity server with BFF(Backend For Frontend) protocol.
The problem:
When we use HTTPS for authority and all addresses for both client and server there is no problem! and we can successfully authenticate and authorize in Blazor Client app.
But we have problem when using HTTP:
Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2]
Authorization failed. These requirements were not met:
DenyAnonymousAuthorizationRequirement: Requires an authenticated user.
I know that we have to use HTTPS in production, but now we are in development and we should have been able to do it in development.
Public repository:
You can find the projects in public repository: https://github.com/miladashrafi/binande
Steps to reproduce the problem:
Just clone the repository and run both following projects:
Binande.Identity
Binande.Admin.Server
Steps to see that there is no problem in HTTPS mode:
1- Change urls from HTTP to HTTPS in both projects launchSettings.json
Binande.Admin.Server:
"applicationUrl": "https://localhost:5002"
Binande.Identity:
"applicationUrl": "https://localhost:5001"
2- Change urls of interactive.confidential client in IdentityServerConfig.cs:
Binande.Identity:
RedirectUris = { "https://localhost:5002/signin-oidc" },
PostLogoutRedirectUris = { "https://localhost:5002" },
3- Change the Authority url of Program.cs in Binande.Identity project:
options.Authority = "https://localhost:5001";
Now it's working fine!
Question:
The question is: how to have this in HTTP mode instead of HTTPS in development environment?
Note:
We have options.RequireHttpsMetadata = false; and options.Cookie.SameSite = SameSiteMode.Lax; and options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest; in cookie policies and configuration.
Thank you for any help
I found the problem, your cookie name does not seem to meet its restrictions, after changing it can be authenticated normally.
Chang your cookie name:
options.Cookie.Name = "Host-blazor";
Test Result:
It has some restrictions on __Host- and __Secure- prefixed names. For more details, you can check the Cookie prefixes section in this link.
- ASP.NET Core doesn't create an authentication cookie when SameSite is set to none
- ASP.Net Core Content-Disposition attachment/inline
- How to embed the scoped css bundle file generated by Razor class library?
- Visual Studio ASP.NET Core Debug IIS Express - Site can't be reached
- How to configure Elastic.Serilog.Sinks 8.11 in ASP.NET Core 8 web app?
- How to validate a form using Javascript
- .NET Core Razor - scenario on how to mix C# with html
- How do I make a column in SQL that's an array of data in .NET Core MVC?
- Passing model from Index to _Layout to _Header in ASP.NET Core causes NullReferenceException on get_Model()
- Method not allowed 405 POST ASP.NET CORE 5.0 WEB API
- Odata Global PageSize
- Http 429 is not returnable in status code from C# ASP.NET Core Web API
- How to extract a list from appsettings.json in .net core
- Failing to perform Cookie Authentication: SignInAsync and AuthenticateAsync not successful
- No service for type has been registered
- .NET 8 windows service thinks hosting environment is production when debugging locally
- ASP.NET Core CORS Setup Stops Working After Bicep Deployment
- ASP.NET Core: URL rewriting does not work with a static file
- Could not load file or assembly 'Microsoft.AspNetCore.SpaProxy'?
- Multiple Identities in ASP.NET Core 2.0
- Blazor WASM cannot use Entity Framework Core
- Html number input handling in blazor
- C# Blazor EventCallBack is not set
- Toast Component not working in Razor app C#
- How to change background color of loading page of a WASM app?
- How can I get an ILogger in an exception handler - created in Main()?
- Minimal API Results.Ok Not Returning Full Object
- Blazor A second operation started on this context before a previous operation completed
- C# required property setter for reference type with default value set to null
- Working with DirectoryServices in ASP.NET Core