
Blazor webassembly azure ad authentication issue after migration to .net5 #28226

Closed
rubeesh opened this issue Nov 28, 2020 · 10 comments
Labels
area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly question

Comments

@rubeesh

rubeesh commented Nov 28, 2020

Blazor webassembly azure ad authentication issue after migration to .net5

Error: AADSTS28000: Provided value for the input parameter scope is not valid because it contains more than one resource. Scope https://graph.microsoft.com/User.Read api://861be009-5e73-4c6c-a095-b6e193522222/API.Access openid profile is not valid.

Scope code (WebAssembly):

```csharp
builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
// Two different resources (Graph and the app's own API) in the same default token request
options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/User.Read");
options.ProviderOptions.DefaultAccessTokenScopes.Add("api://861be009-5e73-4c6c-a095-b6e193522222/API.Access");
```
@mkArtakMSFT mkArtakMSFT added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly labels Nov 29, 2020
@javiercn
Member

@rubeesh thanks for contacting us.

You need to add one of the scopes to DefaultScopesToConsent. This hasn't changed in 5.0 from 3.1.

@javiercn javiercn added ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. question labels Nov 30, 2020
@ghost ghost added the Status: Resolved label Nov 30, 2020
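The configuration javiercn describes, written out as an added example; this is not code from the issue's author or from the ASP.NET Core repository. The reason for AADSTS28000 is that MSAL sends every scope in `DefaultAccessTokenScopes` (plus `openid profile`) as one token request right after sign-in, and Azure AD only issues a token for one resource per request. So the default request must name a single resource (here the app's own API), the second resource's scopes go in `AdditionalScopesToConsent` so the user consents to them at sign-in, and each resource gets its own `AuthorizationMessageHandler` that requests a token for that resource's scopes only. Assumptions: the `AbcApp.Client` namespace, the `App` root component, the `localhost:44367` API URL and the `861be009-…` application ID are placeholders taken from or modelled on the issue, and the `CanGetGraphTokenAsync` helper is added here purely as a check.

```csharp
// Added example, not the issue author's or the ASP.NET Core repo's code.
// Namespace, URLs and the application ID are placeholders (assumptions).
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

namespace AbcApp.Client
{
    // One handler per resource: this one attaches a Graph-audience token only to
    // requests under graph.microsoft.com and asks for the Graph scope alone.
    public class GraphAuthorizationMessageHandler : AuthorizationMessageHandler
    {
        public GraphAuthorizationMessageHandler(IAccessTokenProvider provider, NavigationManager navigation)
            : base(provider, navigation)
        {
            ConfigureHandler(
                authorizedUrls: new[] { "https://graph.microsoft.com" },
                scopes: new[] { "https://graph.microsoft.com/User.Read" });
        }
    }

    // Handler for the application's own API; scope is the placeholder from the issue.
    public class ApiAuthorizationMessageHandler : AuthorizationMessageHandler
    {
        public ApiAuthorizationMessageHandler(IAccessTokenProvider provider, NavigationManager navigation)
            : base(provider, navigation)
        {
            ConfigureHandler(
                authorizedUrls: new[] { "https://localhost:44367" },
                scopes: new[] { "api://861be009-5e73-4c6c-a095-b6e193522222/API.Access" });
        }
    }

    public class Program
    {
        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("#app");

            builder.Services.AddScoped<ApiAuthorizationMessageHandler>();
            builder.Services.AddScoped<GraphAuthorizationMessageHandler>();

            // Separate named clients so an API token is never sent to Graph and vice versa.
            builder.Services.AddHttpClient("AbcApp.Api",
                    client => client.BaseAddress = new Uri("https://localhost:44367/"))
                .AddHttpMessageHandler<ApiAuthorizationMessageHandler>();

            builder.Services.AddHttpClient("Graph",
                    client => client.BaseAddress = new Uri("https://graph.microsoft.com/v1.0/"))
                .AddHttpMessageHandler<GraphAuthorizationMessageHandler>();

            // Unnamed HttpClient injected into components: the app's own API.
            builder.Services.AddScoped(sp =>
                sp.GetRequiredService<IHttpClientFactory>().CreateClient("AbcApp.Api"));

            builder.Services.AddMsalAuthentication(options =>
            {
                builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);

                // Exactly one resource here. These scopes form the single token request MSAL
                // makes after sign-in; two resources in it is what produces AADSTS28000.
                options.ProviderOptions.DefaultAccessTokenScopes.Add(
                    "api://861be009-5e73-4c6c-a095-b6e193522222/API.Access");

                // Second resource: consented at sign-in (MSAL extraScopesToConsent) but
                // requested in its own token request by GraphAuthorizationMessageHandler.
                options.ProviderOptions.AdditionalScopesToConsent.Add(
                    "https://graph.microsoft.com/User.Read");
            });

            await builder.Build().RunAsync();
        }

        // Check (assumed helper, not part of any framework API): confirm that a Graph token
        // can be obtained in a request separate from the API token. Call it from a component
        // after sign-in by injecting IAccessTokenProvider.
        public static async Task<bool> CanGetGraphTokenAsync(IAccessTokenProvider provider)
        {
            var result = await provider.RequestAccessToken(new AccessTokenRequestOptions
            {
                Scopes = new[] { "https://graph.microsoft.com/User.Read" }
            });
            return result.TryGetToken(out _);
        }
    }
}
```

If a call still fails after this, decode the token that the failing handler attached and look at its `aud` claim: the Graph client must carry a token whose audience is Graph, and the API client one whose audience is the `api://…` application ID. A token with the wrong audience means the scopes were requested for the wrong resource, which is the same class of mistake as the AADSTS28000 error, only caught server-side.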
@rubeesh
Author

rubeesh commented Nov 30, 2020

> @rubeesh thanks for contacting us.
>
> You need to add one of the scopes to DefaultScopesToConsent. This hasn't changed in 5.0 from 3.1.

I couldn't find any method 'DefaultScopetoConsent'.
If you are referring to AdditionalScopesToConsent, I tried it and it didn't work.

@javiercn
Member

javiercn commented Nov 30, 2020

@rubeesh check out here for details. If that doesn't work, please provide a minimal repro project so that we can help determine what's missing.

@rubeesh
Author

rubeesh commented Nov 30, 2020

WebAssembly code:
Program.cs

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

public class Program
{
    public static async Task Main(string[] args)
    {
        var httpClientName = "AbcApp.Api";
        var apiUrl = "https://localhost:44367/";
        var apiScope = "api://861be009-5e73-4c6c-a095-b6e193522222/API.Access";

        var builder = WebAssemblyHostBuilder.CreateDefault(args);
        builder.RootComponents.Add<App>("app");

        // Named client for the app's own API; the handler attaches a token for apiScope
        // to requests whose URL starts with apiUrl
        builder.Services.AddHttpClient(httpClientName,
                client => client.BaseAddress = new Uri(apiUrl))
            .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
                .ConfigureHandler(new[] { apiUrl }, new[] { apiScope }));

        // Unnamed HttpClient injected into components resolves to the named API client
        builder.Services.AddTransient(sp => sp.GetRequiredService<IHttpClientFactory>()
            .CreateClient(httpClientName));

        builder.Services.AddMsalAuthentication(options =>
        {
            builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);

            // Only the API resource in the default token request; the Graph scope is
            // listed for consent at sign-in rather than in the same token request
            options.ProviderOptions.DefaultAccessTokenScopes.Add(apiScope);
            options.ProviderOptions.AdditionalScopesToConsent.Add("https://graph.microsoft.com/User.Read");
            options.UserOptions.RoleClaim = "roles";
        }).AddAccountClaimsPrincipalFactory<ClaimsFactory>();

        // Dependency injections removed code

        await builder.Build().RunAsync();
    }
}
```

ClaimsFactory.cs

```csharp
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;

public class ClaimsFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
    public ClaimsFactory(IAccessTokenProviderAccessor accessor) : base(accessor)
    {
    }

    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(RemoteUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity.IsAuthenticated)
        {
            var identity = (ClaimsIdentity)user.Identity;

            // The base factory copies each entry of account.AdditionalProperties into a single
            // claim, so a JSON array of roles arrives as one claim whose value is the array text.
            // FindAll returns a materialised list, so removing while iterating is safe.
            var roleClaims = identity.FindAll(identity.RoleClaimType);
            if (roleClaims != null && roleClaims.Any())
            {
                foreach (var existingClaim in roleClaims)
                {
                    identity.RemoveClaim(existingClaim);
                }

                // Re-read the raw JSON value and emit one role claim per array element
                var rolesElem = account.AdditionalProperties[identity.RoleClaimType];
                if (rolesElem is JsonElement roles)
                {
                    if (roles.ValueKind == JsonValueKind.Array)
                    {
                        foreach (var role in roles.EnumerateArray())
                        {
                            identity.AddClaim(new Claim(options.RoleClaim, role.GetString()));
                        }
                    }
                    else
                    {
                        // A single role is delivered as a plain string, not an array
                        identity.AddClaim(new Claim(options.RoleClaim, roles.GetString()));
                    }
                }
            }
        }

        return user;
    }
}
```

@ghost

ghost commented Dec 2, 2020

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.

@ghost ghost closed this as completed Dec 2, 2020
@rubeesh
Author

rubeesh commented Dec 2, 2020

> This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.
>
> See our Issue Management Policies for more information.

Not yet resolved

@manasimahajann

were you able to get it to work?

@rubeesh
Author

rubeesh commented Dec 17, 2020

> were you able to get it to work?

Followed
https://github.com/guardrex/HostedWASM50AADGroupsAndRolesSample

@javiercn javiercn reopened this Jan 13, 2021
@javiercn
Member

@rubeesh Did you get a resolution for this?

@javiercn javiercn removed ✔️ Resolution: Answered Resolved because the question asked by the original author has been answered. Status: Resolved labels Jan 13, 2021
@rubeesh
Author

rubeesh commented Jan 13, 2021

> @rubeesh Did you get a resolution for this?

Resolved.
https://github.com/guardrex/HostedWASM50AADGroupsAndRolesSample

@rubeesh rubeesh closed this as completed Jan 13, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Feb 12, 2021