[Example Request] gRPC authorization with IdentityServer4 (and roles)

[JeepNL]

For my Blazor (3.2.0) WASM project (.NET 5.0 Preview latest) I'm now using IdentityServer4 (default Visual Studio Template) and gRPC (EF Core/SQLite) data services.

I would like to protect the gRPC services against unauthorized access much like the Ticketer example with [Authorize] on the service, and use it with IdentityServer4 roles [Authorize (Roles=Administrator)] See: Microsoft Docs, Secure an ASP.NET Core Blazor WebAssembly hosted app with Identity Server / Name and role claim with API authorization

Maybe it's an idea to add an example to the samples gallery at https://github.com/grpc/grpc-dotnet/tree/master/examples

I tried to figure it out myself, but I'm stuck. I got the two (IdentityServer4 & Ticketer) working separately but I'm stuck combining gRPC authorization with IdentityServer4/Roles.

[JamesNK]

Thanks for the suggestion. This isn't a high priority but there is nothing stopping someone contributing a minimal example.

[JeepNL]

I understand, and I'm not in a hurry :). I hope someone picks this up. and yes, a minimal example is all what is needed. What should I do with this request, should it remain open or do you want to close it?

[JamesNK]

Leave it open.

[javiercn]

@JeepNL I wrote a sample for GRPC+Auth that you can find here.

Its lacking roles, but you can add that piece following the docs if that helps you.

This is the main piece to enable roles on the GRPC service (I believe)

                endpoints
                    .MapGrpcService<GreeterService>()
                    .RequireAuthorization(new AuthorizeAttribute { Roles = "Administrator"})
                    .EnableGrpcWeb();

[JeepNL]

I followed your example and got gRPC authorization working but without new AuthorizeAttribute { Roles = "Administrators"} (updated)

As soon as I add that I get this error in the client console:"

blazor.webassembly.js:1 crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: Status(StatusCode="PermissionDenied", Detail="Bad gRPC response. HTTP status code: 403")
Grpc.Core.RpcException: Status(StatusCode="PermissionDenied", Detail="Bad gRPC response. HTTP status code: 403")
  at OpenWiki.Client.Pages.GreeterPage.HandleValidSubmitAsync () [0x0005b] in D:\Repos\OpenWiki\OpenWiki\Client\Pages\GreeterPage.razor:72 
  at Microsoft.AspNetCore.Components.ComponentBase.CallStateHasChangedOnAsyncCompletion (System.Threading.Tasks.Task task) <0x30a0ed0 + 0x000da> in <filename unknown>:0 
  at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask (System.Threading.Tasks.Task taskToHandle) <0x30a1a18 + 0x000b6> in <filename unknown>:0 

Roles are working, I followed your other example with Roles With the (fake) email address admin[at]ictz.net I have access to the Roles Page. The "user[at]ictz.net" (which is not in 'Administrators', but in the 'Users' Role) doesn't have access to that page. I also tried it with a single "Administrators" role for the admin user.

Server/RolesController.cs ( [Authorize(Roles = "Administrators")])

namespace OpenWiki.Server.Controllers
{
    [Authorize(Roles = "Administrators")]
    public class RolesController : ControllerBase
    {
        private readonly UserManager<ApplicationUser> _userManager;
        private readonly RoleManager<IdentityRole> _roleManager;

        public RolesController(
            UserManager<ApplicationUser> userManager,
            RoleManager<IdentityRole> roleManager)
        {
            _userManager = userManager;
            _roleManager = roleManager;
        }

        [HttpPost("User/AddRole")] 
etc... etc...

[JeepNL]

FYI:

I'm creating a GitHub repository (my first ever 😉), it's a Visual Studio Default Blazor WASM gRPC template with IdentityServer4 (VS authentication option "individual user accounts" checked) and with 'Roles' hosted on Kestrel. In short: combining your 2 examples into 1. It will auto seed 2 users (admin & user) and auto create Roles (Administrators & Users) for them. It uses SQLite as DB. It will be CTRL-F5'able without any further configuration.

With that I can reproduce the error. I think I'll have it ready today.

But again: I'm not in a hurry, I really appreciate all of the examples you make available and the time you spend on answering questions, I hope this will make it easier for you to see what I'm doing wrong.

[JeepNL]

TL;DR (1) Everything Works!!!

TL;DR (2)

With that I can reproduce the error.

Well, no. If I follow your code and instructions the app works with gRPC Role authorization. (I tried to use the 'ProfileService' and that caused the error)

I started a new (.NET 5 Preview) project from scratch this morning and I've created my first GitHub Repo. Tt combines your BlazorAuthRoles & BlazorGrpcAuth examples and adds your snippet new AuthorizeAttribute { Roles = "Administrator"} from above: https://github.com/JeepNL/Blazor-WASM-Identity-gRPC

Please don't close this issue yet, because I've (I think) a question about using ProfileService but I would like to check that first, but my head is spinning now (8pm UTC+2) 😉 Tomorrow, tomorrow 🎵

(oh, man I'm so happy now!)

[JeepNL]

(continued from yesterday) Still happy!

I've added 2 "todo's" to the README.md file at https://github.com/JeepNL/Blazor-WASM-Identity-gRPC, (Sample project: Blazor WASM, IdentityServer4 & gRPC with roles authorization)

The first 'Todo' is about adding claims and using them in the client. I've extended the ASP.NET Identity AspNetUsers table with an extra 'CustomClaim' field. This is maybe a bit off topic here, but I've commented on an GitHub issue about that and got an answer from Javier. I've seen several questions about this on GitHub and SO but no-one seems to be able to provide an answer.

If I can add working code to use this to this sample project, maybe it will help more developers.

The second 'Todo' isn't that important, I got the gRPC auth working now, but it's about using claims with 'Profile Service' instead of 'API authorization options' as described here (MS Docs)

[JamesNK]

You're making a request to another domain, so you need to setup CORS - https://docs.microsoft.com/en-us/aspnet/core/grpc/browser?view=aspnetcore-3.1#grpc-web-and-cors

[JeepNL]

Additional User Claims
Source: https://github.com/JeepNL/Blazor-WASM-Identity-gRPC

[JeepNL]

I got everything working now so if someone wants to close this issue ...