OC OpenId Authentication, Api, Blazor and Refit

[agriffard]

For one of our company application, with some of my colleagues, we try we setup an application with these requirements:

1. Api and external authentication

• An OC instance used as Authentication Autority, with OpenId module enabled and OpenId Application setup.

• An ASP.NET REST api with authorization using OpenIddict and Code flow (Client Id coming from OC).

• Swagger configured to redirect to login page and obtain authentication.

2. Blazor App with auth

• We want to connect users to the application using OC external login.
• POC has been done based on this: https://github.com/dotnet/blazor-samples/tree/main/8.0/BlazorWebAppOidc

3. Call Api

• Create Refit interface to call api base url + endpoints.
• POC : call to an unauthorized endpoints: OK

Now, we struggle a bit to merge it all in an application that mixes everything.
How does the current User auth is passed to Refit calling the api?

I would have liked some of your insights, if someone already had to do this kind of communications between client and api, passing Access token with Refit and AuthroizationMessageHandler.

I found some interesting docs and articles, but none using Refit:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc
https://github.com/openiddict/openiddict-samples/tree/dev/samples/Balosar
https://damienbod.com/2024/04/15/implement-a-secure-blazor-web-application-using-openid-connect-and-security-headers/

I also found some discussions on the .NET Discord and the aspnet repo : dotnet/aspnetcore#56779

Thank you for your help.

/cc @kevinchalet

[Piedone]

Refit-using OC API client: https://github.com/Lombiq/Orchard-Core-API-Client. Perhaps you can take some inspiration?