Incomplete documentation

Open Sigma3Wolf opened this issue 3 months ago • 19 comments

Description

Unfortunately, what should be simple documentation with a basic example fails from a productive point of view. If you take the current Core 8 LTS in VS 2022, create a simple Blazor Web App using the Microsoft Identity login template and try to add Google OAuth, it simply fails. Adding Google OAuth breaks Microsoft Identity, breaks the antiforgery and breaks the whole authentication. If you try to log off, the app crashes, and each solution to fix one of these problems breaks something else. What should be simple, the current documentation fails to achieve by showing a working example. It's either a bug in the current version, a gap in the documentation or an unsupported feature that is silently undocumented.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/social/?view=aspnetcore-9.0&tabs=visual-studio

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/security/authentication/social/index.md

Document ID

d312db0f-6cf1-87ca-09b0-604a66e18a07

Platform Id

3cd833d7-5dae-9614-dcf8-3d2f85c91989

Article author

@wadepickett

Metadata

  • ID: d1612f19-f267-493a-c230-2ca18e4eb50b
  • PlatformId: 3cd833d7-5dae-9614-dcf8-3d2f85c91989
  • Service: aspnet-core
  • Sub-service: security

Related Issues

Sigma3Wolf avatar Sep 26 '25 01:09 Sigma3Wolf

Hello @Sigma3Wolf ... Stand-by while we triage this.

@halter73 ... This is for a BWA+Individual Accounts+social auth (Google in this case). Would you like to transfer this to the product unit's repo for investigation or have @Sigma3Wolf open it there (with a repro app in GH)?

@wadepickett ... I'll keep an 👁️ on this one given that it's focused on Blazor.

guardrex avatar Sep 26 '25 13:09 guardrex

Update.

I seem to have found a way to make it work. This weekend I'll sort it out to understand why it doesn't work with the Microsoft base template. It seems to be related to Blazor's sensitivity to middleware ordering and some incompatibility between Microsoft Identity and the OAuth (Google) connection. I have made a working project including the 3 culprits in login: Microsoft Identity + Google OAuth + JWT (web API), all in the same Blazor web app.

I should have time this weekend to put that in a public repository with an explanation of why the required modification is complex.

Hope that helps. Best regards


Patrice CHARBONNEAU

Sigma3Wolf avatar Sep 26 '25 13:09 Sigma3Wolf

Thanks. I'll leave this issue open until the end of next week.

Nevermind, @halter73, for now. I'll get back to you later depending on what @Sigma3Wolf provides.

guardrex avatar Sep 26 '25 13:09 guardrex

Hi,

On September 25, I installed VS 2022 17.14.16 (I was on the previous version) and today I was trying to reproduce the bug which was plaguing me for the last 8 months, and while doing the video for your team, I realized that apparently 17.14.16 fixed it.

There is nothing in the update documentation about this issue, but it does work on 17.14.16. In the previous version, when adding Google auth, it broke the internal id/pw auth, and when trying to logout, it crashed the app. The fix was to remove the .AddIdentityCookies() and not to add Google concurrently but as a separate call.

What works now:

```csharp
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = IdentityConstants.ApplicationScheme;
    options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
})
.AddIdentityCookies();

builder.Services.AddAuthentication().AddGoogle(googleOptions =>
{
    googleOptions.ClientId = builder.Configuration["Authentication:Google:ClientId"] ?? "";
    googleOptions.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"] ?? "";
});
```

Those 2 separate calls DIDN'T work last week. We had to do it in 1 call and disable AddIdentityCookies:

```csharp
builder.Services.AddAuthentication(googleOptions =>
{
    googleOptions.DefaultScheme = IdentityConstants.ApplicationScheme;
    googleOptions.DefaultSignInScheme = IdentityConstants.ExternalScheme;
})
//.AddIdentityCookies();
.AddGoogle(options =>
{
    options.ClientId = builder.Configuration["Authentication:Google:ClientId"] ?? "";
    options.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"] ?? "";
});
```

I'll mangle a little more with it to ensure it's completely fixed now.


Patrice CHARBONNEAU

Sigma3Wolf avatar Oct 01 '25 11:10 Sigma3Wolf

Hi,

It seems the problem is not totally fixed.

I'm trying to add JwtBearer (web API) on top of Identity and Google auth, and I face the same issue I was facing previously. Let me get back to you on that one.


Patrice CHARBONNEAU

Sigma3Wolf avatar Oct 01 '25 11:10 Sigma3Wolf

Hi,

Ok, I found the culprit.

The template for Blazor Web App uses AddIdentityCore. When someone wants to add Google and other auth like JWT, we need to replace AddIdentityCore with AddIdentity.

The documentation is faulty here because nothing points in that direction. You need to have a solid knowledge of how Identity works and how the whole auth scheme works to understand the difference. I think the documentation should at least specify something about this.

Senior programmers are not experts, nor engineers of auth; they need documentation that points them in the right direction. When documentation about adding Google or another scheme points to only 3 lines of code, that particular aspect should at least be mentioned.

On top of that, when replacing AddIdentityCore with AddIdentity, AddIdentityCookies needs to be removed. Here is a working example:

```csharp
// 1-. Add Identity FIRST (this registers cookies internally)
builder.Services.AddIdentity<ApplicationUser, IdentityRole>(options =>
{
    options.SignIn.RequireConfirmedAccount = true;
})
    .AddRoles<IdentityRole>() // Added
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();
// ***************************************************************************

// 2-. Now extend authentication with Google / JWT, WITHOUT calling AddIdentityCookies explicitly
builder.Services.AddAuthentication(identityOptions =>
{
    identityOptions.DefaultScheme = IdentityConstants.ApplicationScheme;
    identityOptions.DefaultSignInScheme = IdentityConstants.ExternalScheme;
})
    // ---- Google external login ----
    .AddGoogle(googleOptions =>
    {
        googleOptions.ClientId = builder.Configuration["Authentication:Google:ClientId"] ?? "";
        googleOptions.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"] ?? "";
    })
    // ---- Add Jwt ----
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, jwtOptions =>
    {
        jwtOptions.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(objJwt.JwtSecret)),
            ValidateIssuer = true,
            ValidIssuer = objJwt.JwtIssuer,
            ValidateAudience = true,
            ValidAudience = objJwt.JwtAudience,
            ValidateLifetime = true
        };
    });
```


Patrice CHARBONNEAU

Sigma3Wolf avatar Oct 01 '25 12:10 Sigma3Wolf

Thanks for figuring it out, @Sigma3Wolf. 🥇

@halter73 to confirm the suggested direction for the doc updates.

After Stephen approves/modifies what we'll be doing, I'll update the article.

guardrex avatar Oct 01 '25 12:10 guardrex

The template for Blazor Web App uses AddIdentityCore. when someone want to add Google and other auth like jwt, we need to replace AddIdentityCore with AddIdentity

I'm glad you got your application working, but I don't think the above is true. Calling AddIdentity instead of AddIdentityCore requires defining a TRole/IdentityRole which seems like a lot to ask if you're just trying to add external auth. This could be a bigger challenge if it's an already deployed app forcing you to do a database migration. It should be possible to do everything AddIdentity does aside from role stuff by calling AddIdentityCore and a few other methods like AddIdentityCookies.

I also don't think there are any updates in 17.14.16 that would have fixed this flow.

@Sigma3Wolf, can you provide please a minimal repro of a project that didn't work prior to switching from AddIdentityCore to AddIdentity? Ideally, it should be the smallest changes from the template necessary to demonstrate the issue or issues you ran into. If you could create a new GitHub repository with the repro solution, and link to it here, we'd appreciate it. Thanks.

halter73 avatar Oct 03 '25 18:10 halter73

I should give you a problematic demo today.

Sigma3Wolf avatar Oct 06 '25 15:10 Sigma3Wolf

You're right saying there doesn't seem to be anything in 17.14.16 that would change the behavior. But at some point, something changed. Something that wasn't working as expected started to work unexpectedly, and right now, it seems using AddIdentity alone "seems" to work if we don't link together the 3 tokens (which wasn't working a few weeks ago; a few weeks ago adding the Google token after AddIdentityCookies() failed).

I'm currently working on a minimal working template, let me come back at you.

Sigma3Wolf avatar Oct 06 '25 22:10 Sigma3Wolf

I know how to improve the documentation. I'll publish the git soon.

Sigma3Wolf avatar Oct 08 '25 16:10 Sigma3Wolf

publish the git soon

Don't spend too much time on it if just a comment here can clarify what you plan to do to receive @halter73's approval. We've had a few cases where a dev spent a lot of time on something only to end up having it rejected for publication because the product unit didn't approve.

guardrex avatar Oct 08 '25 16:10 guardrex

Well.. First, I already spent a lot of time trying to understand why it's happening with the original template; this was for my own documentation for future projects.

The git will be only a repo on how to reproduce the problem; I won't spend much more time. There are still things I'm trying to understand that "should work" but "don't work", and I'm trying to figure out if it's because of faulty documentation or if it's something I personally don't understand properly.

However, I did find things that "I think" should be improved for clarity, and I don't want you to think I abandoned the idea and then the blog gets "closed".

Therefore I just updated you on what I intend to do / finish.


Patrice CHARBONNEAU

Sigma3Wolf avatar Oct 08 '25 16:10 Sigma3Wolf

I see ... I thought for a sec your second sentence on the git was referring to "how to improve the documentation." 😄 I'm with you now! 🙈

guardrex avatar Oct 08 '25 16:10 guardrex

Nah... I don't think I have the right "method" to tell anybody with your expertise "how" to improve the docs.

I'll make a git explaining the problem and how to reproduce it, and when "you" experts see what users like "me" are facing, I'm pretty sure you'll know "how" the doc can be updated for "us" to avoid confusion.

I trust your ability!

:)


Patrice CHARBONNEAU

Sigma3Wolf avatar Oct 08 '25 16:10 Sigma3Wolf

Thanks for your patience. This bug has been puzzling me for weeks. I found something unrelated to Google in the core of Identity, related to the NavigationManager, that under some circumstances prevents everything from working properly (including Google OAuth and JWT). The crash page identifies itself as related to the [Authorize] attribute and the auth cookie, but it is greatly misleading because the core of the problem "seems" (I'm prudent with my statements now) to be related to the NavigationManager and how the URL is handled under specific circumstances. I now have a working prototype that is fixed and I understand the problem better. I'm asking for more of your patience because I'm only free on the weekend to work on this (bummer) and I want to show you how and why it happens under specific settings. I think I did a great job at identifying the problem properly now. With a little more time I'll do a great job at explaining it with an example so you professionals can fix it properly. The documentation will have (I think) to be modified as well. Thanks again.

Sigma3Wolf avatar Oct 19 '25 14:10 Sigma3Wolf

Hi, is there anyone that could help me fix that bug? I have come a long way in identifying the problem, but not the root cause. It doesn't seem to be related to Google anymore, because I have identified the source of the problem, which is the base href causing the problem with the Google OAuth. The bug appears after we set base href="/Subdir/" in App.razor: the whole application breaks. I then moved from Core 8 to Core 10 and the bug there is even worse. What "worked" for Core 8 to fix the problem doesn't work on Core 10 and renders my whole application useless. Here is a BASIC template to reproduce the bug:

Using Core 10, VS 2026, create a Blazor Web App + Identity, add base href="/Subdir/" to App.razor, and in Program.cs add this:

```csharp
var app = builder.Build();
app.UsePathBase("/Subdir");
app.UseAuthentication();
app.UseAuthorization();
```

and before app.UseAntiforgery(); add:

```csharp
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
```

If you publish, make sure you publish under https://YourDomain.com/Subdir

Now, running the SAMPLE program made by Microsoft, you cannot logout, you cannot login, and there are tons of errors everywhere while trying to use Identity. Plz help? I have a production project that cannot be ported to Core 10.

Sigma3Wolf avatar Dec 06 '25 23:12 Sigma3Wolf
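For reference, here is one Program.cs shape that follows the direction @halter73 describes earlier in the thread (keep the template's AddIdentityCore and AddIdentityCookies, add Google and JwtBearer on a separate AddAuthentication() call) together with the sub-path middleware order discussed above. This is an added example, not code from the thread, the docs article or the Blazor template; it assumes the template's ApplicationUser, ApplicationDbContext and App types are in scope with the DbContext already registered, and the "Authentication:Jwt:*" configuration keys are invented names.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// 1. Identity cookie schemes as the Blazor Web App template registers them. AddIdentityCookies()
//    returns an IdentityCookiesBuilder, so external schemes go on a second AddAuthentication().
builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = IdentityConstants.ApplicationScheme;     // Blazor UI: application cookie
    options.DefaultSignInScheme = IdentityConstants.ExternalScheme;  // Google callback: external cookie
}).AddIdentityCookies();

// 2. External login plus bearer auth for the API. Secrets come from configuration, never source.
builder.Services.AddAuthentication()
    .AddGoogle(google =>
    {
        google.ClientId = builder.Configuration["Authentication:Google:ClientId"] ?? "";
        google.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"] ?? "";
    })
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, jwt =>
    {
        // "Authentication:Jwt:*" are assumed configuration keys; fail fast if the key is missing.
        var secret = builder.Configuration["Authentication:Jwt:Secret"]
            ?? throw new InvalidOperationException("Authentication:Jwt:Secret is not configured.");
        jwt.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
            ValidateIssuer = true, ValidIssuer = builder.Configuration["Authentication:Jwt:Issuer"],
            ValidateAudience = true, ValidAudience = builder.Configuration["Authentication:Jwt:Audience"],
            ValidateLifetime = true,
        };
    });

// 3. Identity without roles: AddIdentityCore plus the services the template already adds.
builder.Services.AddIdentityCore<ApplicationUser>(o => o.SignIn.RequireConfirmedAccount = true)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddSignInManager()
    .AddDefaultTokenProviders();

var app = builder.Build();
// 4. Hosting under /Subdir: path base before routing, authentication before authorization,
//    antiforgery after both and before the endpoints that consume the Identity cookie.
app.UsePathBase("/Subdir");
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();
app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
app.Run();
```

API endpoints that should accept bearer tokens need [Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)], since the default scheme stays the Identity application cookie for the Blazor UI.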

@Sigma3Wolf ... Provide a minimal GH repro project of your app without any sensitive security configuration in it for @halter73 to look at.

guardrex avatar Dec 07 '25 11:12 guardrex

This is a VS 2026, Core 10 repo. The repo is at https://github.com/Sigma3Wolf/NotWorking/

Note that the repo WORKS locally, at least with some warnings/errors, but still works. It DOESN'T WORK when you put it on a real server UNDER a subdirectory like https://YourDomain.com/Subdir

I managed to fix "most" of the problems under Core 8 / VS 2022, but it took me months. The fix doesn't work on Core 10. You can see a demo example "mostly" working under https:// It is a Core 8 demo under a Subdir named Allergy.

Sigma3Wolf avatar Dec 07 '25 13:12 Sigma3Wolf