SPA template issues with Individual authentication when running in production #42072

Closed
1 task done
Ogglas opened this issue Jun 7, 2022 · 4 comments · Fixed by dotnet/core#7545
Labels
area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Docs This issue tracks updating documentation feature-spa

Ogglas commented Jun 7, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

This is probably related to:

#28880

Since that conversation is "locked as resolved and limited to collaborators." with a link to documentation stating "SPA template issues with Individual authentication when running in development" I have created a new issue.

https://github.com/dotnet/core/blob/main/release-notes/6.0/known-issues.md#spa-template-issues-with-individual-authentication-when-running-in-development

This does not only happen in development but in production environments as well and should imao be prioritized. I have a personal application that is hosted as an Azure App Service and it is not used every week. I always access it via a custom domain like example.com. However sometimes I can not authenticate when I start using the application, I only receive this error:

WWW-Authenticate: Bearer error="invalid_token", error_description="The issuer 'https://example.com' is invalid"

If I then access the application via example.azurewebsites.net I can use it like normal. Since the application is not always used I have Always on set to false. I can not remove the domain example.azurewebsites.net from an Azure App Service.

https://docs.microsoft.com/en-gb/azure/app-service/configure-common?tabs=portal#configure-general-settings

I have only noticed it with the application that requires login for every page though. I have another personal project that has a public part and another part behind login using the exact same template and technologies. It does not happen there.

I'm using the code below to always redirect to login if the user is not authenticated:

https://stackoverflow.com/a/65854313/3850405

Since it is on the server it does not help to clean any browser cache or anything similar. The only thing that helps is manually stopping the App Service and then starting it again. Then everything works as expected.

Expected Behavior

An application in production should be able to go idle and login should work when the application is accessed again

Steps To Reproduce

Create a new Blazor Webassembly App with Individual Accounts and ASP.NET Core hosted from Visual Studio.

Follow the guide below to redirect to login if a user is not authenticated

https://stackoverflow.com/a/65854313/3850405

Host the application on Azure as an App Service and then wait

Exceptions (if any)

No response

.NET Version

6.0.300

Anything else?

ASP.NET Core 6.0.5
Microsoft Visual Studio 2022 (64-bit) - Version 17.2.2

.NET SDK (reflecting any global.json):
 Version:   6.0.300
 Commit:    8473146e7d

Runtime Environment:
 OS Name:     Windows
 OS Version:  10.0.19043
 OS Platform: Windows
 RID:         win10-x64
 Base Path:   C:\Program Files\dotnet\sdk\6.0.300\

Host (useful for support):
  Version: 6.0.5
  Commit:  70ae3df4a6

.NET SDKs installed:
  5.0.402 [C:\Program Files\dotnet\sdk]
  6.0.300 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.All 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.20 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 5.0.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.30 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.20 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 5.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.1.20 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 5.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 6.0.5 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET runtimes or SDKs:
  https://aka.ms/dotnet-download
@Pilchie Pilchie added the area-identity Includes: Identity and providers label Jun 7, 2022
@blowdart blowdart added area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer feature-spa and removed area-identity Includes: Identity and providers labels Jun 8, 2022

Ogglas commented Jun 9, 2022

Tested with Always on set to true for Azure App Service and the error actually occurred more frequently. I was however able to mitigate it. The example fix for development was not enough.

https://github.com/dotnet/core/blob/main/release-notes/6.0/known-issues.md#spa-template-issues-with-individual-authentication-when-running-in-development

Started off by adding a new Application setting for the Azure App Service called IdentityServer:IssuerUri with value https://example.com/. I then added the code below:

//Used until https://github.com/dotnet/aspnetcore/issues/42072 is fixed
if (!string.IsNullOrEmpty(settings.IdentityServer.IssuerUri))
{
    builder.Services.Configure<JwtBearerOptions>(IdentityServerJwtConstants.IdentityServerJwtBearerScheme, o => o.Authority = settings.IdentityServer.IssuerUri);
}

below this code:

builder.Services.AddAuthentication()
    .AddIdentityServerJwt();

I have not verified if it matters where the code is placed but AddIdentityServerJwt() calls AddPolicyScheme and .AddJwtBearer(IdentityServerJwtConstants.IdentityServerJwtBearerScheme, null, o => { });. Therefore I deemed it appropriate to set it after this code has been called.

After doing this the app still failed with the same error. I then modified AddIdentityServer like this:

builder.Services.AddIdentityServer(options =>
{
    //Used until https://github.com/dotnet/aspnetcore/issues/42072 is fixed
    if (!string.IsNullOrEmpty(settings.IdentityServer.IssuerUri))
    {
        options.IssuerUri = settings.IdentityServer.IssuerUri;
    }
})
    .AddApiAuthorization<ApplicationUser, ApplicationDbContext>();

and then it started working for me. If you still experience a problem you could also try to set AuthenticatorIssuer like this:

builder.Services.AddDefaultIdentity<ApplicationUser>(options =>
{
    options.SignIn.RequireConfirmedAccount = true;
    //Used until https://github.com/dotnet/aspnetcore/issues/42072 is fixed
    if (!string.IsNullOrEmpty(settings.IdentityServer.IssuerUri))
    {
        options.Tokens.AuthenticatorIssuer = settings.IdentityServer.IssuerUri;
    }
})
    .AddEntityFrameworkStores<ApplicationDbContext>();
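
A diagnostic for the `invalid_token` issuer error discussed in this thread, added here as an illustration and not code from the thread or from ASP.NET Core: it decodes (without validating) the `iss` claim of a bearer token and reports how it differs from the issuer the API expects. The sample token, the list of candidate issuers and all function names are constructed for the example, and it assumes issuers are compared as exact strings.

```csharp
using System;
using System.Text;
using System.Text.Json;

// Constructed sample: an unsigned token whose payload carries iss = https://example.com.
// The token is only decoded for inspection; nothing here verifies a signature.
string sampleToken = MakeSampleToken("https://example.com");

// Hypothetical expected issuers: the custom domain, the same with a trailing
// slash, and the default App Service host name.
foreach (var expected in new[] { "https://example.com", "https://example.com/", "https://example.azurewebsites.net" })
    Console.WriteLine($"{expected,-36} -> {Compare(ReadIssuer(sampleToken), expected)}");

static string ReadIssuer(string jwt)
{
    var parts = jwt.Split('.');
    if (parts.Length < 2) throw new FormatException("Not a compact JWT (header.payload.signature).");
    using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Base64UrlDecode(parts[1])));
    return doc.RootElement.TryGetProperty("iss", out var iss) && iss.ValueKind == JsonValueKind.String
        ? iss.GetString()!
        : throw new FormatException("Token has no string 'iss' claim.");
}

static string Compare(string tokenIssuer, string expectedIssuer)
{
    if (string.Equals(tokenIssuer, expectedIssuer, StringComparison.Ordinal)) return "match";
    if (!Uri.TryCreate(tokenIssuer, UriKind.Absolute, out var t) ||
        !Uri.TryCreate(expectedIssuer, UriKind.Absolute, out var e)) return "mismatch: not an absolute URI";
    if (t.Scheme != e.Scheme) return "mismatch: scheme differs";
    if (!string.Equals(t.Host, e.Host, StringComparison.OrdinalIgnoreCase) || t.Port != e.Port)
        return $"mismatch: host differs ({t.Authority} vs {e.Authority})";
    if (tokenIssuer.TrimEnd('/') == expectedIssuer.TrimEnd('/')) return "mismatch: trailing slash only";
    return "mismatch: path or casing differs";
}

static byte[] Base64UrlDecode(string s)
{
    s = s.Replace('-', '+').Replace('_', '/');
    return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
}

static string MakeSampleToken(string issuer)
{
    static string Enc(string json) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(json)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    var header = Enc("{\"alg\":\"none\"}");
    var payload = Enc(JsonSerializer.Serialize(new { iss = issuer }));
    return header + "." + payload + ".";
}
```

Running it against a token captured from a failing request and the value of `IdentityServer:IssuerUri` shows whether the mismatch is the host name or only the trailing slash.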

@adityamandaleeka
Member

@Ogglas Glad you found the workaround. We should add that workaround to the notes here because it's not something we can actually fix in aspnetcore code.

@HaoK


ghost commented Jun 10, 2022

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.


HaoK commented Jun 10, 2022

@Rick-Anderson can we add these other two examples to the release notes for 6 here perhaps as an in production section? https://github.com/dotnet/core/blob/main/release-notes/6.0/known-issues.md#spa-template-issues-with-individual-authentication-when-running-in-development?

builder.Services.AddIdentityServer(options =>
{
    if (!string.IsNullOrEmpty(settings.IdentityServer.IssuerUri))
    {
        options.IssuerUri = settings.IdentityServer.IssuerUri;
    }
})

Or:

builder.Services.AddDefaultIdentity<ApplicationUser>(options =>
{
    if (!string.IsNullOrEmpty(settings.IdentityServer.IssuerUri))
    {
        options.Tokens.AuthenticatorIssuer = settings.IdentityServer.IssuerUri;
    }
})

@HaoK HaoK added the Docs This issue tracks updating documentation label Jun 10, 2022
@Rick-Anderson Rick-Anderson self-assigned this Jun 13, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jul 31, 2022