I am new to Blazor and trying to authenticate using oidc. I am trying to use the instructions from Secure an ASP.NET Core Blazor WebAssembly standalone app to set it up.
Here is what I want the app to do (this, I think is a 'normal' app flow):
Start app
Be redirected to a login page (this login page is not within my app)
After login redirect back to app
I must be missing something simple. When I try to run the app I see this error in the Browser Console errors:
Refused to display 'https://xxxx.yyyy.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
In the response headers, I see this:
X-Frame-Options: DENY
X-MS-Forwarded-Status-Code: 500
And in the request headers:
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
I am trying to emulate an existing, working Angular app and in that app headers, I see this in the header
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
I'm not sure if that difference in the header is the difference or not but it's the only thing I see. Looking for advice on how to get this login flow working?
It turns out my scenario - Blazor Webassembly to ADFS is not supported. After days of banging my head, I found this: BLAZOR WASM - ADFS - OIDC - Documentation indicating this is not a supported scenario.
I then found article which pointed me in the correct direction Configure Blazor WASM with ADFS
Turns out the MSAL provider seems to work fine for this scenario:
builder.Services.AddMsalAuthentication(options => {
// Configure your authentication provider options here.
options.ProviderOptions.Authentication.Authority = "https://xxx.yyyy.com/adfs";
options.ProviderOptions.Authentication.ClientId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx";
options.ProviderOptions.Authentication.NavigateToLoginRequestUrl = true;
options.ProviderOptions.LoginMode = "redirect";
});
Related
I’ve just set up my login with Auth0 using Angular. I have created an application in Auth0 and connected it to a MongoDB database, I have tested this connection and it works fine.
When I click ‘Login’ in my angular application, I am presented with the Auth0 login interface. I entered login details to match credentials in my MongoDB database and was asked by Auth0 if my application could access my details, which I granted. After this, an error page appeared stating ‘Unable to issue redirect for OAuth 2.0 transaction’.
I’ve went back to look at my application settings and the allowed callback URLs, logged-out URLs and web origins have all been entered. I have no idea what could be causing this issue.
here is the context data:
“connection”: “MongoDB”,
“error”: {
“message”: “Unable to issue redirect for OAuth 2.0 transaction”,
“oauthError”: “server_error”,
“type”: “oauth-authorization”
I am playing with blazor client hosted tech. I don't know what I did to the app that after successful login then logout, the requests without authorization header still get correct response even in new tab of internet browser. I have to close the browser completely and open it again to see log-out behavior. The controller decorated with [Authorize]. I see in the request header, there is "connection: keep-alive". in the client side app the only http behavior is changed through below code
_httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("bearer", savedToken);
Is there function to force http requests not be persistent?
I writing an ASP.NET Core 1.0 website that uses Windows Authentication. I have implemented Authorization and that is working as expected. Currently, when Authentication fails for a given user, a generic "HTTP 403" error page is shown.
How can I configure ASP.NET Core so that it redirects to my own custom "access denied" page?
I tried the approach outlined in this article, but it didn't work for me (maybe because I'm using Windows Auth instead of Forms Auth?)
How to redirect unauthorized users with ASP.NET MVC 6
Any help would be appreciated.
Use the status code pages middleware.
app.UseStatusCodePages(async context => {
if (context.HttpContext.Response.StatusCode == 403)
{
// your redirect
}
});
You can also choose more generic approach via app.UseStatusCodePagesWithRedirects. The middleware can handle redirects (with either relative or absolute URL paths), passing the status code as part of the URL. For example the following will redirect to ~/errors/403 for 403 error:
app.UseStatusCodePagesWithRedirects("~/errors/{0}");
I'm trying to log in and register with external authentication using MVC5, web api 2 and templates from it.
I don't know how to do it. I read
asp.net web api 2: how to login with external authentication services?.
When I call
GET /api/Account/ExternalLogins?returnUrl=%2F&generateState=true
response is
{
"Name": "Facebook",
"Url": "/api/Account/ExternalLogin?provider=Facebook&
response_type=token&
client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A6685%2F&
state=Yj1...hU1",
"State": "Yj1...hU1"
}
(I don't know what is State for)
Then i can use the Url above (authentication is with cookies) and response is OK html status and some html page (i dont know why)
This call
GET /api/Account/UserInfo
response info with null loginProvider.
I want to register user with FB or Google, so i need token, but i don't know whitch access_token and how can i get it. In example (link above) is this:
POST /api/Account/RegisterExternal
Authorization: Bearer VPcd1RQ4X... (access_token from url)
Content-Type: application/json
{"UserName":"myusername"}
but what is
access_token from url ?
So, my questions are:
How can I external register / login with web api 2 templates?
What is State for? (seems like useless)
External login is Web Api is supported out of the box and can be easily plugged in using the Owin pipeline. Gettting the access token and performing all the oauth related calls are done by the Facebook Owin Provider.
You can find a sample of facebook login with a web site here
I am trying to setup basic auth on my mvc.net web application. I configured my controller using this example: asp mvc 3 ActionFilter for basic authentication
I set a breakpoint where it checks for the Authorization Header, however the header is not present in the HttpRequest. I am accessing the site like this:
http://user1:pass1#localhost/{AppName}/Client/Authorize
If I remove the [BasicAuthorization] attribute from my controller, I am able to access the page.
I am debugging this using IIS 7.0 on a Windows 7 machine.
I think it might have something to do with default authorization settings in IIS. When I throw a HttpUnauthorizedResult() exception, a username/password box pops up in Chrome... I'm not sure how to tell IIS to use my custom code to authenticate the user.
This application won't be accessible by a human user, so the username/password needs to be passed in in the URL like shown above.
I had also found this post: No browser is sending Authorization info in header. I tried sending the request twice after IIS sends the UnauthorizedRequest to the browser, but that's when the username/password dialog pops up. I'm also not sure how to test using that Curl command... Is that through CMD?
I found this post here: SimpleMembership in MVC4 app + WebApi using basic HTTP auth
I was able to refer to the test page used on this tutorial: http://kevin-junghans.blogspot.ca/2013/02/mixing-forms-authentication-basic.html to setup a simple testing page to test that basic authentication was working properly.
I'm not entirely sure on the reason, but I believe that the browser doesn't automatically add an authentication header to the HttpRequest when you try sending the credentials like so:
http://user1:pass1#localhost/{AppName}/Client/Authorize
It must have something to do with the browser requiring a 401 response from the server first before sending the authentication header. I just couldn't figure out how to do it. If anyone knows how to configure IIS/browser properly so you can easily test basic authentication using the above URL format, please let me know.