Finbuckle.MultiTenant

blazor web app - oidc options

Open bart-auvifox opened this issue 1 year ago • 3 comments

Hi

I am trying to connect a Blazor web app to an API with OIDC auth, but I cannot get it to override the authority per tenant.

The goal is to use subdomains for the tenant, e.g.:

  • sub01.localhost:7120
  • sub02.localhost:7120
  • sub03.localhost:7120

Each tenant should connect to its own authority:

  • authurl/sub01
  • authurl/sub02
  • authurl/sub03

My config:

```csharp
using Finbuckle.MultiTenant;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
// App, PersistingAuthenticationStateProvider, ConfigureCookieOidcRefresh and
// MapLoginAndLogout come from the app's own project and are not shown here.

const string MS_OIDC_SCHEME = "MicrosoftOidc";

var builder = WebApplication.CreateBuilder(args);
string authUrl = builder.Configuration.GetValue<string>("oidc:Authority");

builder.Services.AddAuthentication(MS_OIDC_SCHEME)
    .AddOpenIdConnect(MS_OIDC_SCHEME, oidcOptions =>
    {
        oidcOptions.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;

        oidcOptions.Scope.Add(OpenIdConnectScope.OfflineAccess);
        oidcOptions.Scope.Add(OpenIdConnectScope.Email);
        oidcOptions.Scope.Add(OpenIdConnectScope.OpenIdProfile);

        // Placeholder; meant to be replaced per tenant by ConfigurePerTenant below.
        oidcOptions.Authority = "https://__temp";

        oidcOptions.ClientId = builder.Configuration.GetValue<string>("oidc:ClientId");
        oidcOptions.ClientSecret = builder.Configuration.GetValue<string>("oidc:ClientSecret");

        oidcOptions.ResponseType = OpenIdConnectResponseType.Code;

        oidcOptions.MapInboundClaims = false;
        oidcOptions.ProtocolValidator.RequireNonce = false;

        oidcOptions.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Name;
        oidcOptions.TokenValidationParameters.RoleClaimType = "role";
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme);

builder.Services.AddMultiTenant<TenantInfo>()
    .WithBasePathStrategy()
    .WithHostStrategy()
    .WithPerTenantAuthentication();

// Per-tenant override: each tenant should get "{authUrl}/{tenant.Name}" as its authority.
builder.Services.ConfigurePerTenant<OpenIdConnectOptions, TenantInfo>((oidcOptions, tenant) =>
{
    oidcOptions.Authority = $"{authUrl}/{tenant.Name}";
});

builder.Services.ConfigureCookieOidcRefresh(CookieAuthenticationDefaults.AuthenticationScheme, "DmOidc");

builder.Services.AddAuthorization();
builder.Services.AddCascadingAuthenticationState();
builder.Services.AddRazorComponents()
    .AddInteractiveServerComponents()
    .AddInteractiveWebAssemblyComponents();

builder.Services.AddScoped<AuthenticationStateProvider, PersistingAuthenticationStateProvider>();
builder.Services.AddHttpContextAccessor();

var app = builder.Build();

if (app.Environment.IsDevelopment())
{
    IdentityModelEventSource.ShowPII = true;
    app.UseWebAssemblyDebugging();
}
else
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    app.UseHsts();
}

app.Use(async (context, next) =>
{
    context.Response.Headers.Append("X-Robots-Tag", "none, noarchive, nositelinkssearchbox");
    await next();
});

app.UseHttpsRedirection();
app.UseStaticFiles();

// Tenant resolution runs before authentication so per-tenant options can apply.
app.UseMultiTenant();

app.UseAuthentication();
app.UseAuthorization();

app.UseAntiforgery();

app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode();

app.MapGroup("/authentication").MapLoginAndLogout();

app.Run();
```

It seems `ConfigurePerTenant` is not overriding the setting.

bart-auvifox, Jul 25 '24 08:07

Hi, I am sorry for the late reply. I have to admit I'm not an expert at client-side Blazor. Can you confirm whether the issue still applies if you just try injecting `IOptions<OpenIdConnectOptions>` somewhere to inspect what it is resolving?

AndrewTriesToCode, Aug 13 '24 04:08
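One way to do the inspection suggested in the reply above, as an added diagnostic example that is not part of the issue, of the Microsoft Blazor OIDC sample, or of Finbuckle.MultiTenant itself. It assumes the `Program.cs` from the opening post (named OIDC scheme `MicrosoftOidc`, Finbuckle host strategy resolving the tenant from the subdomain, `ConfigurePerTenant` on `OpenIdConnectOptions`) and that `GetMultiTenantContext<TenantInfo>()` is the Finbuckle extension available on `HttpContext`. The endpoint name `/diag/oidc` is invented. The point of checking is security-relevant: `Authority` decides whose discovery document and signing keys the handler trusts, so if the per-tenant override never runs, every subdomain is validated against the same default issuer rather than its own.

```csharp
using Finbuckle.MultiTenant;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.Options;

// Added diagnostic endpoint (assumed name). Map it after app.UseMultiTenant() so the
// tenant context is already resolved when the request reaches it, and only in
// Development so no environment details are exposed elsewhere.
if (app.Environment.IsDevelopment())
{
    app.MapGet("/diag/oidc", (HttpContext ctx, IOptionsMonitor<OpenIdConnectOptions> monitor) =>
    {
        // Finbuckle extension (assumed): the tenant resolved by the host strategy for this request.
        var tenant = ctx.GetMultiTenantContext<TenantInfo>()?.TenantInfo;

        // OpenIdConnectOptions are named options; the handler reads the instance registered
        // under the scheme name passed to AddOpenIdConnect, so inspect that same name.
        // A default, unnamed IOptions<OpenIdConnectOptions> would show a different instance.
        var oidc = monitor.Get("MicrosoftOidc");

        // Expected: Authority ends with the tenant name. If it still reads "https://__temp",
        // the per-tenant configure did not run for this named instance.
        var perTenantApplied = tenant is not null
            && oidc.Authority is not null
            && oidc.Authority.EndsWith("/" + tenant.Name, StringComparison.Ordinal);

        return Results.Ok(new
        {
            Host = ctx.Request.Host.Value,
            TenantIdentifier = tenant?.Identifier,
            TenantName = tenant?.Name,
            Authority = oidc.Authority,
            PerTenantAuthorityApplied = perTenantApplied
        });
    });
}
```

Request it once per subdomain (`https://sub01.localhost:7120/diag/oidc`, `https://sub02.localhost:7120/diag/oidc`) and compare the `Authority` values; identical values across tenants, or the placeholder, point at the options registration rather than at the Blazor side.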

This issue has been labeled inactive because it has been open 180 days with no activity. Please consider closing this issue if no further action is needed.

github-actions[bot], Mar 22 '25 02:03

This might be due to the `oidcOptions.MapInboundClaims = false` setting. If you're configuring the ClaimsStrategy, make sure you still find the expected claim name in the token.

benjamin-hg, Jun 17 '25 09:06