Extra details on how to authenticate with Entra ID #33147
Comments
@guardrex Thanks for all the info. I was able to gather some bits and improve my code. However, the information on how to integrate Entra ID auth into a Blazor Hybrid app is scattered across many places. You can see this by the amount of links you needed to provide and how only a portion of information within them is applicable to Blazor Hybrid. I'd think Microsoft would have a single page dedicated to adding and explaining Blazor Hybrid auth with Entra ID. They're both Microsoft products after all and, ideally for you, I should have minimal trouble guiding myself into a greater dependency on your products. My research tells me I'm not alone in struggling with this specific issue. That said, I do think atm I have enough figured out to be sufficient for a production environment. It just took really long to put the pieces together. Also, I am struggling with mapping the role claim name. I don't have the To be clear, I do appreciate all the help. I understand Blazor Hybrid is new and will take effort and time to improve and provide solid documentation, especially when you have thousands of other people asking you for stuff.
I'm sure @BethMassi just heard your feedback on that. I'm just a worker 🐝 ... a worker 🦖😄 ... on Blazor docs. I'm an Aquent contractor limited to working on the Blazor docs in this repo, and management ... such as Beth and Dan Roth ... decide how the overall content is organized, especially when the articles span different documentation teams/people. I should explain that docs are more compartmentalized than most people think: Azure, Identity, Graph API, MAUI, and Blazor docs are handled by different doc folks/teams, and that can explain why things might seem a little uncoordinated in these layered technology situations.
It can be accomplished to an extent ... a basic use case ... in a tutorial or in an article that explains how a provided sample app works. However, it's impossible to cover security these days in a single reference article because the technologies are so complex and have so many features covering so many scenarios. When a tutorial (or sample+article) is placed, the author has to make a lot of choices about what scenarios/features to include, and leaving something out, such as roles, does often generate a request for additional coverage. WRT to roles and Blazor Hybrid ... The first part of the coverage is this ... BTW @BethMassi on that lead-in text to the code snippet, readers might fare better with just being given the full class, the full method, or a ... and that refers to making changes in the context of this ... The second piece is in our article here ... ... in spots where the claims identity is created ( I'll see about getting roles via Entra ID working here, and then I'll see if I can get that into this Blazor article. I might be able to work on this today. I just need to see if anything else is pressing at the moment.
I was just reviewing the issues, and a 'please add roles' request came in for the BWA+OIDC sample app, too ... It's quite a common request due to the ubiquity of role use in production .NET apps. Note to self 🦖 The prereqs of the third article (my first link in the preceding comment) are ...
BUT ... The first one is Part 3 of the series ☝️ ... and it makes it clear that you must complete Part 2 before that ... BUT AND™ 😄 ... Part 2 relies on Part 1 and the second article ☝️ requires the tenant to have been created in the first place, so it also relies on Part 1. I think what I'll end up floating for the Blazor doc is an ordered reading/cross-link list before/after whatever code sample(s) provided.
Versioning doesn't seem to be in use ...
Because of this approach of setting the app's namespace via project creation ...
... it makes it more challenging to implement the guidance in an existing app. It might be better to just have the user update the namespaces of the added files. NRTs not in use, so static analysis throws quite a bit. There's no Unfortunately, I've run into too many errors that I don't recognize and can't resolve, so I won't be able to do an in-place adoption of Identity. I'll try the sample app next. No 🎲🎲 OOB. The sample targets 7.0, which throws unsupported errors. Even updating to target 8.0 and using the 8.0 SDK, it throws ...
Sometimes, my preview VS 💥 during preview, and I don't have access to the "nightly" VS builds. I've tried to set the SDK via a
@BethMassi ... In a couple of hours, I wasn't able to either get an 8.0 app based on the MAUI tutorial or using the sample app up and running. Even if the blocking errors could be resolved for either approach, the NRT static analysis is throwing a fit all over the place with the code provided. There's no
Appreciate all the updates so far. It was definitely quite a challenge to get Blazor Hybrid auth to work on my end. I have a lot going on currently but if I can get to it, I will remake a sample app in my own time and show you how I have it working. Maybe it will give you some ideas.
I've had trouble in prior years with preview VS and preview SDK. I'm documenting 9.0 via the preview SDK these days. Sometimes, my problems here are related to my VS breaking during a transition to a new framework, not the project. However, having the sample app and guidance at 7.0 can be problematic when I'm basing my test app on 8.0, and having NRTs blowing up all over the place isn't helpful either. One thing I might do on my next attempt is go back to the command line ( Yes, if you put up a repro app, I'll pull that down and see if it will compile here. I hope to come back to this issue sometime next week.
@guardrex I can take a look at this next week as well. I don't have an Entra tenant at the moment to test.
I managed to get the sample app running 🎉. However, I'm now stuck on the guidance to place a non-standard entry into the Redirect URLs.
What?! That's not a valid URL. The Azure portal doesn't like it. Oh, I see! It's a mobile/desktop thing ...
Ok ... this is what happens when you get a web dev in here 🤣.
I set up I think on Monday I'm going to flip back over to the Maui-Blazor app because this auth example has no Blazor in it. I should be able to get the tutorial app up and running with auth now that I can see this auth app working here ... and then I'll take a stab at getting the auth rolled in.
... and the code provided isn't going to fly for multiple roles (or The code is ...

```csharp
var roleClaim = token.Claims.FirstOrDefault(c => c.Type == "roles")?.Value;
if (!string.IsNullOrEmpty(roleClaim))
{
    // If the role claim exists, add it to the IdTokenClaims
    IdTokenClaims = new List<string> { roleClaim };
}
```

Here's the user with @BethMassi ... I'll suggest some better code than that when I flesh out the Blazor bits, hopefully on Monday. Ideally, the code will show how to capture ALL of the
Here's the answer on one, so we'll want to hold on to this to add an explanation of what it is ... and I'd like to add a remark on it to the Blazor WASM article, which covers a lot of this stuff ... I can't find out what the
UPDATE (8/1): I was sidetracked for a few days, but I hope to get back to this tomorrow (Friday).
[EDIT by guardrex to add code fencing to a tag]
@guardrex Hey thanks a lot for all the work. I'm just low on personal time for this but still have some time to look at it at work. In the code I quoted, I wonder whether you have figured out how to set the default role claim for roles? The I suspect the reason is because the claim name it checks is http://schemas.microsoft.com/ws/2008/06/identity/claims/role, while the claim name sent to the app is, as you know, roles.
I haven't made it back here yet. Items came up overnight that I needed to address today.
I don't think that's going to matter because the role claims are already using a type name of "roles" looking at my earlier research ☝️. I have "roles," "groups," and "wids" on the Hybrid side. AFAICT at this point, the challenge is getting the Blazor app (
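The snippet quoted earlier keeps only the first "roles" claim, and the two comments above turn on which claim type the role checks consult. As an added example, not code from this thread or from the docs article, here is a helper that decodes the ID token MSAL returns (AuthenticationResult.IdToken), carries every claim across, and sets the identity's role claim type to "roles" so that IsInRole, [Authorize(Roles = ...)] and AuthorizeView Roles all consult the claim type the token actually carries. The class name, the "EntraId" authentication type label and the use of preferred_username as the name claim are assumptions.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;

// Hypothetical helper (added example, not from the docs article or the thread).
public static class EntraClaimsMapper
{
    // Entra ID issues app roles as one "roles" claim per assigned role, so the
    // identity's RoleClaimType must be "roles" for role-based checks to match.
    // The default .NET role claim type is the WS-Federation URI, which never
    // appears in an Entra ID token, so IsInRole would always return false.
    public const string RoleClaimType = "roles";

    public static ClaimsPrincipal ToPrincipal(string rawIdToken)
    {
        // ReadJwtToken only decodes; MSAL has already validated the token
        // before handing back AuthenticationResult.IdToken.
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(rawIdToken);

        // A JSON array claim ("roles": ["Admin","Reader"]) is expanded by the
        // handler into one Claim per element, so all roles survive here.
        var identity = new ClaimsIdentity(
            token.Claims,
            authenticationType: "EntraId",   // assumed label
            nameType: "preferred_username",  // assumed name claim
            roleType: RoleClaimType);

        return new ClaimsPrincipal(identity);
    }

    // Every assigned role, not just FirstOrDefault: users commonly hold several.
    public static List<string> GetRoles(ClaimsPrincipal user) =>
        user.FindAll(RoleClaimType).Select(c => c.Value).ToList();
}

// Where the article's custom AuthenticationStateProvider builds its ClaimsIdentity
// from the MSAL result, the call site would look like this:
//   var user = EntraClaimsMapper.ToPrincipal(authResult.IdToken);
//   bool isAdmin = user.IsInRole("Admin");          // true only if a "roles" claim equals "Admin"
//   IdTokenClaims = EntraClaimsMapper.GetRoles(user); // all roles, replacing the single-role list
```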
Made it back for another look 😅. @LapinskasL ... UPDATED: I can't get an @BethMassi ... This issue is likely going to require a PU-provided sample for doc updates, and I assume it would be based on the Hybrid-BWA sample. Even if @LapinskasL's approach based on the (incomplete†) docs is correct, the PU usually makes specific choices about what they want to show/explain that probably aren't going to exactly match what @LapinskasL has. incomplete†: @LapinskasL did well getting as far as he did with this content. Quite a lot is left out from looking at the code he posted relative to the article. I can fix the article based on what you/they want to show. I understand that you'll be OOF soon, so I'll wait until you return if you want to address this later.
@guardrex sorry for the delay! I haven't been able to look at this. Adding @JeremyLikness to this thread to see if he has any suggestions while I'm OOF.
@guardrex I updated that reddit post of mine with more new code. It seems I needed a few changes to the Routes.razor file to make the [Authorize] attribute and The Roles attributes for the attribute and tags still don't function though, but I can use policies in the views which makes the code cleaner.
I'm punting it to the product unit for resolution because I couldn't get the guidance to work myself. BTW ... You must code-fence markup ☝️ to get it to show up in GH comments.
I'm not sure what you're asking me to do in the last sentence.
Use backticks around inline code to get tags to show up in GH comments. I'll edit your post ☝️ to add them.
🦖 NOTE TO SELF 🦖 See discussion 👉 #33851 (comment)
UPDATE (10/24) 📣 ... I failed in my attempt to get Entra auth (MSAL) integrated into the MauiBlazorWeb app 😢. I was stopped cold by this problem and just couldn't get the 😈😈😈 resolved in spite of using latest packages ( |
Description
I've been having severe trouble implementing authentication and authorization in Blazor Hybrid apps.
While the guide has a lot of code, I'm not quite sure how to properly integrate Entra ID into it. I find myself left with a lot of questions.
"What will happen when the token expires?"
"Is it automatically renewed when it expires?"
"How do I reduce token expiration time so I can test it?"
"Why is the AuthorizeView tag working, but not its Roles attribute?"
"Why is the [Authorize] attribute not working?"
It would help if the docs used implementation with Entra ID (or provide a sample with it) and also addressed those questions. Coming from the MVC framework, I can't help but feel like there's missing features and the answers to these questions are hard to find.
I've made a post on reddit too if you want to see how far I got: https://www.reddit.com/r/dotnet/comments/1e05wel/how_to_fully_integrate_entra_id_authorization/
Page URL
https://learn.microsoft.com/en-us/aspnet/core/blazor/hybrid/security/?view=aspnetcore-8.0&pivots=maui
Content source URL
https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/hybrid/security/index.md
Document ID
cb3ca917-28cc-126f-a7ff-3ff00ad30677
Article author
@guardrex