Blazor server app with authorization, after scaffold identity - logout not working #17839

@sikira

In a Blazor Server app with authorization, after scaffolding Identity into an MVC project with authorization, the user can't log out from Blazor (LoginDisplay.razor).
When the user clicks the logout button in LoginDisplay.razor, it makes a bad request:

Request URL:https://localhost:5001/Identity/Account/LogOut
Request Method:POST
Remote Address:127.0.0.1:5001
Status Code:400 ( Bad Request)
Version:HTTP/2.0

After this bad POST request:

  • no redirection to another page
  • user still logged in
  • Blazor disconnected
  • a completely white document is rendered.

Using this documentation.
https://docs.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-2.2&tabs=netcore-cli#scaffold-identity-into-an-mvc-project-with-authorization

To Reproduce

  1. dotnet new blazorserver --auth Individual
  2. create new user for testing ( user@user.com / Pass12345! )
  3. login and logout and it's working
  4. install if not already ( dotnet tool install --global dotnet-aspnet-codegenerator --version 3.1.0 )
  5. add package to project | dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design --version 3.1.0
  6. add package to project | dotnet add package Microsoft.EntityFrameworkCore.SqlServer --version 3.1.0
  7. do a scaffold | dotnet aspnet-codegenerator identity -dc BlazorScaffoldedIdentity.Data.ApplicationDbContext --force
  8. logout from blazor - not working
  9. using instructions from ScaffoldingReadMe.txt
  10. logout from blazor - not working

NOTE:

  1. If the user goes to https://localhost:5001/Identity/Account/Manage , then from _ManageNav.cshtml they can successfully log out from the app.

WORKAROUND NUMBER 1:

  1. Add [IgnoreAntiforgeryToken] in "LogOut.cshtml.cs" file

WORKAROUND NUMBER 2:

  1. Delete the files "LogOut.cshtml" and "LogOut.cshtml.cs" in areas/pages/account, and create a new file that is like the one before the scaffold ( "LogOut.cshtml" )
  2. If not using --force , then Building project ...Build Failed. ( but it is possible to specify every file except "LogOut.cshtml" , --files "Account.Register;Account.Login" )
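  @page
  @using Microsoft.AspNetCore.Identity
  @* Disables antiforgery validation for this page, so the POST from LoginDisplay.razor is accepted without a token *@
  @attribute [IgnoreAntiforgeryToken]
  @inject SignInManager<IdentityUser> SignInManager
  @functions {
      public async Task<IActionResult> OnPost()
      {
          // Sign out only if there is a signed-in user, then return to the app root
          if (SignInManager.IsSignedIn(User))
          {
              await SignInManager.SignOutAsync();
          }
          return Redirect("~/");
      }
  }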

REPOS

The original version with the wrong behaviour
https://github.com/sikira/BlazorScaffoldedIdentity/tree/withbug

repo with sample project with workaround
https://github.com/sikira/BlazorScaffoldedIdentity/tree/master

SIDE NOTES:
  1. This behaviour happened in version 3.0.100 and in 3.1.0, but in .NET Core 3.0.100 this is written in the console:
    info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
    Executed endpoint '/_blazor'
    Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executed endpoint '/_blazor'
    info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
    Request finished in 21743.366ms 101
    Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 21743.366ms 101
    info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
    Antiforgery token validation failed. The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
    Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
    at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
    at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
    Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter: Information: Antiforgery token validation failed. The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
    Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
    at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
    at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
    info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
    Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
    Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker: Information: Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter'.
    info: Microsoft.AspNetCore.Mvc.StatusCodeResult[1]
    Executing HttpStatusCodeResult, setting HTTP status code 400
    Microsoft.AspNetCore.Mvc.StatusCodeResult: Information: Executing HttpStatusCodeResult, setting HTTP status code 400
    info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[4]

Further technical details

  • ASP.NET Core version 3.1.100

.NET Core SDK (reflecting any global.json):
Version: 3.1.100
Commit: cd82f021f4

Runtime Environment:
OS Name: Windows
OS Version: 10.0.17763
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\3.1.100\

Host (useful for support):
Version: 3.1.0
Commit: 65f04fb6db

.NET Core SDKs installed:
3.0.100 [C:\Program Files\dotnet\sdk]
3.1.100 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

  • VS Code 1.40.2

[blazor]
[identity]
[scaffold]
[logout]
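
The log above shows the logout POST rejected because no `__RequestVerificationToken` reached the scaffolded page. As an added example (not code from this issue or from the ASP.NET Core project), one way to send the token from the Blazor form and keep validation enabled, assuming the 3.1 Component Tag Helper; the `AntiforgeryToken` parameter name is hypothetical:

```razor
@* Pages/_Host.cshtml (excerpt): mint the token during the initial HTTP request *@
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Antiforgery
@{
    // Sets the antiforgery cookie on this response and returns the matching request token.
    var tokens = Antiforgery.GetAndStoreTokens(HttpContext);
}
<app>
    <component type="typeof(App)" render-mode="ServerPrerendered"
               param-AntiforgeryToken="tokens.RequestToken" />
</app>

@* App.razor (excerpt): receive the token and cascade it to child components.
   "AntiforgeryToken" is a hypothetical parameter name chosen for this example. *@
<CascadingValue Name="AntiforgeryToken" Value="AntiforgeryToken">
    <CascadingAuthenticationState>
        @* ...the template's existing <Router> markup stays here unchanged... *@
    </CascadingAuthenticationState>
</CascadingValue>

@code {
    [Parameter] public string AntiforgeryToken { get; set; }
}

@* Shared/LoginDisplay.razor (excerpt): post the token with the logout form *@
<AuthorizeView>
    <Authorized>
        <form method="post" action="Identity/Account/LogOut">
            @* Field name taken from the validation error in the log above *@
            <input type="hidden" name="__RequestVerificationToken" value="@AntiforgeryToken" />
            <button type="submit" class="nav-link btn btn-link">Log out</button>
        </form>
    </Authorized>
</AuthorizeView>

@code {
    [CascadingParameter(Name = "AntiforgeryToken")]
    public string AntiforgeryToken { get; set; }
}
```

With the token posted, the scaffolded LogOut page needs no `[IgnoreAntiforgeryToken]`, so a cross-site form cannot sign the user out.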

Labels

  • area-blazor: Includes: Blazor, Razor Components
  • area-identity: Includes: Identity and providers
  • bug: This issue describes a behavior which is not expected - a bug.
