Blazor Server authorization fails with Microsoft.AspNetCore.Authentication.Negotiate

[akorchev]

Describe the bug

It seems that the Authorize attribute does not work with Microsoft.AspNetCore.Authentication.Negotiate authentication and roles.

To Reproduce

1. Create a server-side blazor application with Windows Authentication.
2. Add the Microsoft.AspNetCore.Authentication.Negotiate package.
3. Enable it

services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();

4. Use middleware to challenge the authentication scheme:

 services.AddScoped<ValidateAuthentication>();

            app.UseAuthentication();
            app.UseAuthorization();
            app.UseMiddleware<ValidateAuthentication>();

    internal class ValidateAuthentication : IMiddleware
    {
        public async Task InvokeAsync(HttpContext context, RequestDelegate next)
        {
            if (context.User.Identity.IsAuthenticated)
                await next(context);
            else
                await context.ChallengeAsync();
        }
    }

5. Add authorize attribute to Index.razor with some group that your windows user is a member of.

@attribute [Authorize(Policy = "TestGroup")]

6. Important !!! Run with the default profile from launch settings and not IIS Express!!! (it works with IIS Express). After logging in the app would show you that you are not authorized even though you are a member of the group.
   

Strangely enough if you debug IsInRole("TestGroup") returns true.

I suspect it is related to the authentication scheme which one normally could pass to the Authorize attribute. However Blazor doesn't allow setting the AuthenticationSchemes property of the Authorize attribute:

NotSupportedException: The authorization data specifies an authentication scheme. Authentication schemes cannot be specified for components.
Microsoft.AspNetCore.Components.Authorization.AuthorizeViewCore.EnsureNoAuthenticationSchemeSpecified(IAuthorizeData[] authorizeData)

Further technical details

• ASP.NET Core version: 3.1.100-preview3-014645
• Visual Studio 2019 Preview 6, Windows 10 Pro

[blowdart]

This isn't blazor related, but an actual limitation of our kerberos middleware. We're tracking adding group/role support but right now it simply isn't there, because you don't get enough information in a kerberos ticket.

[akorchev]

@blowdart why does IsInRole work then? I also see all groups added as claims. Another thing that works is this:

 endpoints.MapBlazorHub()
      .RequireAuthorization( new AuthorizeAttribute { 
        AuthenticationSchemes =  NegotiateDefaults.AuthenticationScheme, 
        Roles="TestGroup" 
});             

Obviously I can't use it as makes all pages require that role but still.

[akorchev]

The linked issue gave me an idea - to test with the group id:

@attribute [Authorize( Roles = "S-1-5-21-193572532-2712524652-3721290085-1001")]

which worked!

[blowdart]

Oh I see. Luck kind of. WindowsIdentity is special, it doesn't bring the roles names with it, role name resolution is done through the WindowsIdentity class, which makes a call out to the server. IIS and IIS Express resolve WindowsIdentity, but "plain" kerberos auth, using the negotiate middleware does not as yet.

[akorchev]

I ended up using a claims transformation which somewhat works:

    public class CustomClaimsTransformation : IClaimsTransformation
    {
        public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
        {
            var identity = principal.Identity as WindowsIdentity;
            foreach (var groupId in identity.Groups)
             {
                var group = groupId.Translate(typeof(NTAccount));
                var c = new Claim(identity.RoleClaimType, group.Value.Split("\\").Last());
                identity.AddClaim(c);
            }

            return Task.FromResult(principal);
        }
    }

[blowdart]

That works, but if you're thinking about cross platform you'd need a null check in there after the cast, in case you're not running under Windows.