Automatically Attaching Identity Cookie to HTTP Client in Blazor wasm

I am working on a blazor application where I used my API project as Identity

Provider. Everything is working fine but the issue is that the access token

issued by my API is not validated by the API. It turns out the API is expecting a

cookie header. I took a closer look at blazor hosted application and found out

the cookie is being sent along with each request but it’s same-origin.

My Blazor WASM project does not automatically attach this cookie in the request

header, just the access token.

Is there a way I can make the Http handler attach this cookie on each request?

or make the API validate the access token instead of the identity cookie.

This is my startup class in the API Project

       public static void AddIdentityServer(IServiceCollection services,IConfiguration configuration)
        {
            services.AddIdentityServer(options =>
            {
                options.UserInteraction.LoginUrl = "/Identity/Account/Login";
                options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
            }).AddProfileService<LocalProfileService>()
             .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(option =>
             {
                 option.Clients.Add(new Client
                 {
                     ClientId = "blazor",
                     AllowedGrantTypes = GrantTypes.Code,
                     RequirePkce = true,
                     RequireClientSecret = false,
                     AllowedCorsOrigins = { "https://localhost:5001" },
                     AllowedScopes = { "openid", "profile", "email","id" },
                     RedirectUris = { "https://localhost:5001/authentication/login-callback" },
                     PostLogoutRedirectUris = { "https://localhost:5001/" },
                     Enabled = true,
                     RequireConsent = false,  
                 });
                 option.IdentityResources.AddEmail();
                 option.IdentityResources["openid"].UserClaims.Add("name");
                 option.ApiResources.Single().UserClaims.Add("name");
                 option.IdentityResources["openid"].UserClaims.Add("role");
                 option.ApiResources.Single().UserClaims.Add("role");

                 option.IdentityResources.Add(new IdentityResource("id",new string[] {"id" }));
                 option.ApiResources.Single().UserClaims.Add("id");
                 

             });

            services.AddAuthentication()
                .AddGoogle("Google", options =>
                {
                    options.ClientId = configuration["ExternalLoginApiKey:GoogleClientId"];
                    options.ClientSecret = configuration["ExternalLoginApiKey:GoogleClientSecret"];
                })
                .AddFacebook("Facebook", options =>
                {
                    options.AppId = configuration["ExternalLoginApiKey:FacebookAppId"];
                    options.AppSecret = configuration["ExternalLoginApiKey:FacebookAppSecret"];
                })
               .AddIdentityServerJwt();

          
        }

Program class in the Blazor Project
        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("app");

            builder.Services.AddOidcAuthentication(options =>
            {
                builder.Configuration.Bind("oidc", options.ProviderOptions);
                options.UserOptions.RoleClaim = "role";
            }).AddAccountClaimsPrincipalFactory<CustomUserFactory>();

            builder.Services.AddHttpClient<IAuthorizedRestService, AuthorizedRestService>(
               client => client.BaseAddress = new Uri("https://localhost:5002/api/mart/v1/"))
                 .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
            .ConfigureHandler(authorizedUrls: new[] { "https://localhost:5002" }));


            builder.Services.AddHttpClient("noauth", option => option.BaseAddress = new 
              Uri("https://localhost:5002/api/mart/v1/"));

            builder.Services.AddScoped<IRestService, RestService>();

            await builder.Build().RunAsync();
        }

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

I have found the Solution.

It happens that there is already a JWT handler provided by IdentityServer4 for APIs that double as Authorization Server

 .AddIdentityServerJwt();

So what I did was to configure it
      services.Configure<JwtBearerOptions> 
       (IdentityServerJwtConstants.IdentityServerJwtBearerScheme,
                options =>
                {
                    options.Authority = "https://localhost:5002";
                    options.Audience = "mart";
                    options.SaveToken = true;
                });

Then specify the Authentication scheme to use
    [Authorize(AuthenticationSchemes = IdentityServerJwtConstants.IdentityServerJwtBearerScheme)]

You can also add it globally in the start up class
 var authorizationPolicy = new AuthorizationPolicyBuilder(IdentityServerJwtConstants.IdentityServerJwtBearerScheme)
                .RequireAuthenticatedUser().Build();
                options.Filters.Add(new AuthorizeFilter(authorizationPolicy));

You can read more using these links

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-3.1

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.1


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x