Is there sample for getting aadb2c Access Token for Blazor Server side? #17578

Closed
Alienroid opened this issue Apr 2, 2020 — with docs.microsoft.com · 35 comments
Labels
Blazor doc-enhancement Pri1 High priority, do before Pri2 and Pri3 Source - Docs.ms Docs Customer feedback via GitHub Issue

Pass tokens to a Blazor Server app section is for AAD. Is there some reference on how to get azure ad b2c access token? Thanks.



@dotnet-bot dotnet-bot added ⌚ Not Triaged Blazor Source - Docs.ms Docs Customer feedback via GitHub Issue labels Apr 2, 2020
@guardrex guardrex self-assigned this Apr 2, 2020
@guardrex guardrex added this to Triage in Blazor.Docs via automation Apr 2, 2020
@guardrex guardrex added this to the 2020 Q2 ends Jun 30 milestone Apr 2, 2020
@guardrex
Collaborator

guardrex commented Apr 2, 2020

@Alienroid ... Were you able to configure the OpenIdConnectOptions for AAD B2C? ... did you give it a shot to see if you could get the app to authenticate against the provider?

@Alienroid
Author

Alienroid commented Apr 2, 2020 via email

@Alienroid
Author

Alienroid commented Apr 2, 2020 via email

@guardrex
Collaborator

guardrex commented Apr 2, 2020

Ah ... I see. I'm just getting into these configurations myself. I'll repro the setup here, get it working, and then enhance that section for B2C.

@guardrex guardrex added the Pri1 High priority, do before Pri2 and Pri3 label Apr 2, 2020
@guardrex guardrex moved this from Triage to P0/P1 - High Priority in Blazor.Docs Apr 2, 2020
@Alienroid
Author

Alienroid commented Apr 2, 2020 via email

@Alienroid
Author

Alienroid commented Apr 2, 2020 via email

@Alienroid
Author

Alienroid commented Apr 2, 2020 via email

@guardrex
Collaborator

guardrex commented Apr 6, 2020

Ugh! I threw together a quick new Blazor Server app using the VS new project process to take a quick 🏃 look at this issue, and the app failed to fire up. I must have configured it incorrectly somehow. I'll return to this issue shortly ... in a day or two. I'm working on something else right now: I'm working out the scenarios for using AD roles and groups in the hosted scenario. I'll get back to this as soon as I can. 🏃😅

@Alienroid
Author

Alienroid commented Apr 6, 2020 via email

@guardrex
Collaborator

guardrex commented Apr 6, 2020

kick back

Sorry ... At MS, that's Not a Thing!™️ 😄

@Alienroid
Author

Alienroid commented Apr 6, 2020 via email

@kristiangronli

I've been struggling with this for a while too.

For me it looks like the problem is in startup - configureServices

```csharp
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = "code";       // authorization code flow: the handler redeems a code for tokens
    options.SaveTokens = true;           // keep the returned tokens in the authentication cookie
    options.Scope.Add("offline_access"); // ask for a refresh token
    options.Scope.Add("{SCOPE}");        // placeholders as written in the docs section
    options.Resource = "{RESOURCE}";
});
```

I haven't figured out how to even debug this yet, but if this is in my startup as the documentation says I get an error page.
If I remove the code, my accesstoken is empty.
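
For the "token is empty" case described above, the whole chain the docs section ("Pass tokens to a Blazor Server app") relies on, written out for Azure AD B2C as an added example; this is not code from this thread, from the docs sample, or from the AzureADB2C.UI package. It assumes an `AzureAdB2C` configuration section of the kind used elsewhere in this thread, an API scope in the B2C form `https://{tenant}.onmicrosoft.com/{api}/{scope}` (placeholders, not real values), and the 3.1-era `Microsoft.AspNetCore.Authentication.AzureADB2C.UI` package this thread is about (later deprecated in favour of Microsoft.Identity.Web, which does the token handling itself). The handler stores the tokens in the authentication cookie (`SaveTokens`), `_Host.cshtml` copies them out of `HttpContext` while prerendering, and the `App` component hands them to a circuit-scoped `TokenProvider`. `Resource` is deliberately absent: every B2C authority is a v2.0 endpoint, and there the audience travels inside the scope.

```csharp
// Added example (not the thread's or the package's code): B2C sign-in with the
// authorization code flow plus the TokenProvider plumbing for a Blazor Server circuit.
// Assumed: an "AzureAdB2C" config section and a placeholder API scope URI.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

// Scoped per circuit: holds the tokens captured during the HTTP request that served _Host.cshtml.
public class TokenProvider
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

// Shape handed from _Host.cshtml to the App component as a component parameter.
public class InitialApplicationState
{
    public string AccessToken { get; set; }
    public string RefreshToken { get; set; }
}

public static class B2CAuthSetup
{
    public static void ConfigureServices(IServiceCollection services, IConfiguration configuration)
    {
        services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
            .AddAzureADB2C(options => configuration.Bind("AzureAdB2C", options));

        services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            options.ResponseType = OpenIdConnectResponseType.Code; // a code is needed to obtain an access token
            options.SaveTokens = true;                              // tokens end up in the auth cookie
            options.Scope.Add("offline_access");                    // refresh token
            // B2C returns an access token only for a scope of an API registered in the tenant.
            // Placeholder URI (assumption); replace with the app's own exposed scope.
            options.Scope.Add("https://{TENANT}.onmicrosoft.com/{API}/{SCOPE}");
            // No options.Resource: B2C is a v2.0 endpoint, the audience comes from the scope.
        });

        services.AddScoped<TokenProvider>();
    }

    // Called from _Host.cshtml during prerendering: reads what SaveTokens stored in the cookie.
    public static async Task<InitialApplicationState> CaptureAsync(HttpContext httpContext) =>
        new InitialApplicationState
        {
            AccessToken = await httpContext.GetTokenAsync("access_token"),
            RefreshToken = await httpContext.GetTokenAsync("refresh_token"),
        };
}

// Code-behind for App.razor (App.razor starts with "@inherits AppBase").
public class AppBase : ComponentBase
{
    [Parameter] public InitialApplicationState InitialState { get; set; }
    [Inject] public TokenProvider TokenProvider { get; set; }

    protected override Task OnInitializedAsync()
    {
        // Copy the request-time tokens into the circuit-scoped service.
        TokenProvider.AccessToken = InitialState?.AccessToken;
        TokenProvider.RefreshToken = InitialState?.RefreshToken;
        return base.OnInitializedAsync();
    }
}
```

In `_Host.cshtml` the two lines are `var tokens = await B2CAuthSetup.CaptureAsync(HttpContext);` followed by `<component type="typeof(App)" render-mode="ServerPrerendered" param-InitialState="tokens" />`. The capture has to happen there, in the HTTP request: once the SignalR circuit is up a component has no `HttpContext`, so a component that tries to read the tokens itself always sees null, which is the symptom reported above when the `Configure` block is removed.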

@guardrex
Collaborator

guardrex commented Apr 6, 2020

Best bet is to open this scenario with engineering @Alienroid ... and then @kristiangronli can add a 👍 to it.

https://github.com/dotnet/aspnetcore/issues

Add a "cc: @guardrex" to your opening comment, cross-reference this issue, and leave this issue open.


bdnts commented Apr 8, 2020

Hi Folks, Very timely thread.

  1. This article is VASTLY improved over what it was just a month ago. Thank you. There are some "null exceptions" in the article flow that lead nowhere (like this thread seeks to address) but it is going in the "write" direction.
  2. I got Blazor and AAD connected pretty much straight out of the box. Imagine my surprise!
  3. I've got B2C working up to actually receiving tokens in my test Blazor app. Pretty sure the problem is in Startup.cs and/or appsettings.json.
  4. B2C (and to lesser extent just AAD) require a combination of work in Azure (building and configuring Tenant) and building and configuring Blazor App. I started with this tutorial https://docs.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c?view=aspnetcore-3.1#finish-the-b2c-app-registration (one of the null objects this article could reference). Then I moved on to this tutorial https://docs.microsoft.com/en-us/azure/active-directory-b2c/tutorial-create-tenant. Both are 1.25 years old, and could use a refresh.
  5. This topic (and similar ones) need a holistic approach that encompasses all the parts, not just a scattering of the pieces for the reader to string together. I started with VS project creation --> Azure B2C --> Testing --> User Flow Creation --> Testing --> VS project configuration --> Testing (my testing in this last phase is where I'm currently at, and failing the tests.)
  6. Troubleshooting. I made A LOT of mistakes at each step, only to realize sometime later my results didn't fit the tutorial expected results. Troubleshooting guides are helpful "If you get this, then go look at that, that, and that."
  7. The tutorials need to address both greenfield projects, and existing projects. I have to solve for both, ASAP.
  8. I take copious notes when doing experiments to make sure they are repeatable. I'll put these into a series of projects on GitHub for all to see, comment, (and yes, please) help make better. lol.

I'll update as results are available.

@guardrex
Collaborator

guardrex commented Apr 8, 2020

Thanks for your work in this area. Your notes will be a 🐘 HUGE 🐘 help as I work thru a lot of the same things. I was busy with other priority issues; but now, I'm back to focusing on security. Blazor WASM topics are receiving an update today, and I'll get to Blazor Server shortly. I'll probably take a look at this ... your notes @bdnts ... and another look at Javier's notes at https://gist.github.com/javiercn/62044bab948e42cc9e4e695e4aaee7b8#considerations-with-the-app-id-uri. I need to work out how well or poorly scaffolding is going, and I see the concerns about everything working except SignInManager, which isn't supported in components.


bdnts commented Apr 9, 2020

Quick note, I succeeded in getting Blazor Server connected to AAD B2C. I revisited this page, reapplied everything in Pass tokens to a Blazor Server App--which works fine for AAD. But then found https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C, and set services as
```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));
// Type argument assumed: it did not survive the rendering of the post, and Configure
// needs one to compile. AzureADB2COptions is the options class the section binds to.
services.Configure<AzureADB2COptions>(Configuration.GetSection("AzureAdB2C"));
```

It worked! OMG it worked! This was definitely The Thing.

Another note: I also added

```csharp
Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;
```

to get comprehensive error messages instead of `System.IO.IOException: IDX20807: Unable to retrieve document from: '[PII is hidden]'`. With ShowPII=true, I was able to identify some configuration mistakes in appsettings.json. More tomorrow.

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@javiercn
Member

javiercn commented Apr 9, 2020

See https://github.com/javiercn/blazor-server-aad-sample for details on how to do this. It is the same for Azure ADB2C.

@guardrex Is there a separate issue tracking this doc? (I believe I filed one) if not, either repurpose this with the provided content or close this and point to the other one.

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@bdnts

bdnts commented Apr 9, 2020

Gee whiz, you guys work crazy hours like I do. I'm in PDT about ready to call it a night.

Answers to some of the questions above: I'm building an end-to-end vertical stack of AAD, B2C, Blazor, Email sign-in. Once I can get that done and working, then I'll see about going horizontal with the other identity connectors.

For @javiercn I actually found some differences AAD and AADB2C. There is a treasure map doc I found (see below) that tackles B2C, and I mashed that work up with this document. That is how I got my first project working.

I just checked in all my work to date on BlazorADB2C in GitHub, for you guys to look at (and laugh at) since you're awake. I think I have a corruption in the key store, because this version is not working right, but is identical to my working project. Azure configs are matching the original also. But I wanted to give you visibility to help you along. I'll get the Readme.md and notes in tomorrow.

Here is the material I've been using to pull all this together:

Start with the Azure Active Directory B2C docs.
If you want to explore code, go to the treasure map, and Sample 1-5, https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/1-WebApp-OIDC/1-5-B2C Is the nearest I could find for Blazor.

Laters

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@guardrex
Collaborator

guardrex commented Apr 9, 2020

@javiercn ... Yes, you did at #17221, and it was worked on #17420. The content is here 👉 https://docs.microsoft.com/en-us/aspnet/core/security/blazor/server?view=aspnetcore-3.1&tabs=visual-studio#pass-tokens-to-a-blazor-server-app

... I simply haven't had time to try it myself. If there's nothing else to say, I'll close this when I check it out.

We obviously don't need full topics to cover different provider scenarios, but we might need different provider sections in the Blazor Server topic if there's anything specific to say about the scenarios.

@kristiangronli

kristiangronli commented Apr 9, 2020

I'm still struggling with errors on this.
Following the instructions from @javiercn and following @Alienroid I end up with:

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

// Type argument assumed (stripped in the rendered post): this configures the OIDC handler's options.
services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = "code";       // authorization code flow
    options.SaveTokens = true;           // keep tokens in the authentication cookie
    options.Scope.Add("offline_access"); // refresh token
    options.Scope.Add("https://******.onmicrosoft.com/api/read"); // API scope exposed in the B2C tenant
});
```

Running this code I end up with: "Error. An error occurred while processing your request."

if I comment out //options.ResponseType = "code";
I can still sign in as usual, but my token and TokenProvider object is still null?

I've uploaded my work in progress here: https://github.com/kristiangronli/AppsConfiguredWithB2C

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@kristiangronli

@Alienroid Thank you - I still get the same error message even if I change to `options.ResponseType = "code id_token"`.
Can you possibly take a quick look at my code and see if it is different from yours?
https://github.com/kristiangronli/AppsConfiguredWithB2C/blob/master/BlazorServerApp/Startup.cs

@Alienroid
Author

Alienroid commented Apr 9, 2020 via email

@bdnts

bdnts commented Apr 10, 2020

Howdy. So found a post by Steve Sanderson, July, 2019, says the Blazor template works "out of the box" with ADB2C. Well, he's right! I re-worked my BlazorAdB2C project from scratch, and it works just fine. Still have a LOT of testing to do, questions work out, but it is a stepping stone. I've put my notes into the Readme.md, in which GitHub stripped supposedly legal html, so formatting is off.
Otherwise, Cheers

@guardrex
Collaborator

guardrex commented Apr 20, 2020

This will be for tomorrow ... Tuesday ... or Wednesday ... we'll see. I've been working on other issues and still have two more things to resolve before hitting an inevitable CoreBrainFry!™️ 🧠🔥😵🚒.

EDIT Yes, perhaps Wednesday .... maybe .... if possible.

EDIT TODAY! ... I'll be working on this today, Wednesday, 4/22.

@guardrex
Collaborator

@Alienroid In your work with this scenario (B2C with signin and access token), did you ever hit ...

`OpenIdConnectProtocolException: IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the message.`

If so, how did you address it?

@Alienroid
Author

Alienroid commented Apr 29, 2020 via email

@Alienroid
Author

Alienroid commented Apr 29, 2020 via email

@guardrex
Collaborator

I think I have most of that covered. I'm trying to perform a Graph API call. I have it working for AAD, and I have the topic updates ready for that scenario. I'm just stuck with my AAD B2C config for the same setup.

AFAIK, Resource goes away with v2.0 endpoints. Resource is literally just that ... the resource that must match what the token is being used to get. In my case (in the AAD sample) it's the Graph API URI of https://graph.microsoft.com; but in the AAD B2C app with v2.0 endpoints, I've removed that line.

My config goes like this (fake data shown) ...

```json
"AzureAdB2C": {
  "Instance": "https://contoso.b2clogin.com/tfp/",
  "ClientId": "797a0993-aa8d-45f0-960a-e38e7b9a7a92",
  "CallbackPath": "/signin-oidc",
  "Domain": "contoso.onmicrosoft.com",
  "SignUpSignInPolicyId": "B2C_1_signupsignin1",
  "ResetPasswordPolicyId": "B2C_1_passwordreset1",
  "EditProfilePolicyId": "B2C_1_EditProfile",
  "ClientSecret": "hDj8v.vgb1A4S.8z]-=BOtyG8XmMtQ6L"
},
```

```csharp
services.AddAuthentication(AzureADB2CDefaults.AuthenticationScheme)
    .AddAzureADB2C(options => Configuration.Bind("AzureAdB2C", options));

services.Configure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
{
    options.ResponseType = OpenIdConnectResponseType.CodeIdToken; // hybrid flow: code + id_token
    options.SaveTokens = true;
    // No Resource: with v2.0 endpoints the audience is taken from the scope prefix.
    options.Scope.Add("https://graph.microsoft.com/offline_access");
    options.Scope.Add("https://graph.microsoft.com/openid");
    options.Scope.Add("https://graph.microsoft.com/Organization.Read.All");
});
```

... and that's very similar to my working AAD use case. It barfs up that error tho. If I change the ResponseType to just id_token (OpenIdConnectResponseType.IdToken) or delete it (that's the default), then the app fires right up and logs the user in. Of course, I don't get an access token that way ... it needs the code flow.

The working 🎉 AAD use case goes like this (again, fake data here that will be used in the topic later) ...

```json
"AzureAd": {
  "Instance": "https://login.microsoftonline.com/",
  "Domain": "contoso.onmicrosoft.com",
  "TenantId": "0bb2b57d-ced6-4486-a27e-97ae1e890343",
  "ClientId": "ebf968f8-b368-401d-8efe-c11feebb686b",
  "CallbackPath": "/signin-oidc",
  "ClientSecret": "hDj8v.vgb1A4S.8z]-=BOtyG8XmMtQ6L"
}
```

```csharp
services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
    .AddAzureAD(options => Configuration.Bind("AzureAd", options));

services.Configure<OpenIdConnectOptions>(AzureADDefaults.OpenIdScheme, options =>
{
    options.ResponseType = OpenIdConnectResponseType.Code; // authorization code flow
    options.SaveTokens = true;

    options.Scope.Add("https://graph.microsoft.com/Organization.Read.All");
    options.Scope.Add("https://graph.microsoft.com/offline_access");
    options.Resource = "https://graph.microsoft.com"; // v1.0 endpoint: audience is set via Resource
});
```

... note the Resource is present here because this uses the v1.0 endpoints. If you add a /v2.0 segment to the end of the Authority, you can drop the Resource.

... and that ✨ Just Works!™️ ✨, so I think my B2C app isn't too far off.
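
The IDX21336 error quoted above and the generic error page reported earlier in the thread have one mechanism behind them: whenever the OpenID Connect handler redeems an authorization code (`code` or `code id_token`), its protocol validator requires the token-endpoint response to carry both an `id_token` and an `access_token`, and an Azure AD B2C token endpoint returns an access token only for a scope of an API registered in that tenant; a request carrying only `openid`/`offline_access`, or Microsoft Graph scopes, which a B2C user flow does not issue tokens for, comes back without one. The default `id_token` response type never redeems a code, which is why the app "fires right up" in that mode and no access token appears. What follows is an added example, not code from this thread or from the docs: an `OnTokenResponseReceived` hook that logs which tokens actually came back, an `OnAuthenticationFailed` hook that surfaces the IDX code instead of the error page, the `ShowPII` switch mentioned earlier restricted to Development (it writes tenant names, endpoint URLs and token material into the logs), and a helper that applies the `Resource`-only-on-v1.0 rule from the comment above by inspecting the authority. The class and method names, and the scope and resource strings, are assumptions. One more caveat on the two config blocks above: their `ClientSecret` values are fake, but a real one should not be committed in `appsettings.json`; `dotnet user-secrets` in development and Key Vault or environment configuration in production bind into the same `AzureAdB2C` section with the `Configuration.Bind` line unchanged.

```csharp
// Added example (not the thread's code): diagnostics for the OpenID Connect handler so the
// token-endpoint response behind IDX21336 is visible, plus the v1.0/v2.0 audience rule.
// Assumed: the B2C scheme name from the AzureADB2C.UI package; scope/resource strings are
// placeholders supplied by the caller.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;
using Microsoft.IdentityModel.Logging;

public static class OidcDiagnostics
{
    // Azure AD v2.0 authorities, and every B2C authority AddAzureADB2C builds
    // ({Instance}{Domain}/{Policy}/v2.0), end in "/v2.0"; v1.0 authorities do not.
    public static bool IsV2Authority(string authority) =>
        !string.IsNullOrEmpty(authority) &&
        authority.TrimEnd('/').EndsWith("/v2.0", StringComparison.OrdinalIgnoreCase);

    // v1.0: the audience is set with Resource. v2.0 and B2C: Resource is not used; the audience
    // is encoded in the scope itself (e.g. https://contoso.onmicrosoft.com/api/read).
    public static void RequestApiAccess(OpenIdConnectOptions options, string apiBase, string permission)
    {
        options.SaveTokens = true;
        options.Scope.Add("offline_access");
        if (IsV2Authority(options.Authority))
        {
            options.Resource = null;
            options.Scope.Add($"{apiBase.TrimEnd('/')}/{permission}");
        }
        else
        {
            options.Resource = apiBase;
            options.Scope.Add(permission);
        }
    }

    public static IServiceCollection AddOidcDiagnostics(this IServiceCollection services, IHostEnvironment env)
    {
        // ShowPII copies tenant names, endpoint URLs and token material into the log output:
        // the quickest way to read an IDX20807 metadata error, unsafe anywhere but development.
        IdentityModelEventSource.ShowPII = env.IsDevelopment();

        // PostConfigure runs after AddAzureADB2C has populated Authority and Events, and after the
        // app's own Configure<OpenIdConnectOptions> block, so both are preserved by chaining.
        services.PostConfigure<OpenIdConnectOptions>(AzureADB2CDefaults.OpenIdScheme, options =>
        {
            var onTokenResponse = options.Events.OnTokenResponseReceived;
            options.Events.OnTokenResponseReceived = async ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                                                         .CreateLogger("OidcDiagnostics");
                var r = ctx.TokenEndpointResponse;
                // When a code has been redeemed the protocol validator insists on BOTH an id_token
                // and an access_token in this response; id_token only => IDX21336 a moment later.
                log.LogInformation(
                    "Token endpoint response: id_token={HasId} access_token={HasAccess} refresh_token={HasRefresh} scope={Scope}",
                    !string.IsNullOrEmpty(r.IdToken), !string.IsNullOrEmpty(r.AccessToken),
                    !string.IsNullOrEmpty(r.RefreshToken), r.Scope);
                if (onTokenResponse != null) await onTokenResponse(ctx);
            };

            var onFailed = options.Events.OnAuthenticationFailed;
            options.Events.OnAuthenticationFailed = async ctx =>
            {
                var log = ctx.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
                                                         .CreateLogger("OidcDiagnostics");
                // Logs the IDX code and message instead of only the generic error page.
                log.LogError(ctx.Exception, "OpenID Connect authentication failed");
                if (onFailed != null) await onFailed(ctx);
            };
        });
        return services;
    }
}
```

Register it after the authentication setup with `services.AddOidcDiagnostics(env);` (the `IWebHostEnvironment` injected into `Startup`), and call `OidcDiagnostics.RequestApiAccess(options, "https://contoso.onmicrosoft.com/api", "read")` from inside the same `PostConfigure` callback or the app's `Configure<OpenIdConnectOptions>` block, where `options.Authority` has already been filled in by the package. For the B2C authority the helper produces the resource-prefixed scope kristiangronli used; pointed at a v1.0 Azure AD authority with `https://graph.microsoft.com` and `Organization.Read.All` it produces the working `Resource` configuration shown above.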

@guardrex guardrex moved this from P0/P1 - High Priority to In progress in Blazor.Docs Apr 30, 2020
@guardrex
Collaborator

We've mostly resolved the issue here. The patterns shown for access tokens are correct AFAIK. I still think I have a minor hiccup here with Hosted B2C + an API + a separate Graph API call; however, I'm going to look at that closer after all of the framework bits move to v2.0.

Blazor.Docs automation moved this from In progress to Done Jun 10, 2020