
Integrated OpenIddict server into vanilla .NET 8 Identity Web UI

Open karlschriek opened this issue 8 months ago • 2 comments

Confirm you've already contributed to this project or that you sponsor it

  • [X] I confirm I'm a sponsor or a contributor

Version

5.4.0

Question

Background

We are currently working on using the latest .NET identity web UI (which you can get bundled in your IDE when you create a .NET 8 Blazor Web App) in combination with OpenIddict.

The latest template provides a good base for creating a production-ready UI for users to interact with the IdP, including doing things like registering MFA devices, resetting passwords, confirming email addresses and a whole lot more. (You can read more about it here https://devblogs.microsoft.com/dotnet/whats-new-with-identity-in-dotnet-8/#the-blazor-identity-ui)

Our goal was to take this template as a starting point and then integrate OpenIddict into it. Since OpenIddict fundamentally uses the AspNet identity classes, and extends them with entities such as Application, Token etc., we hoped that this would be simple to do (even for someone who is not intimately familiar with either framework). To a large extent this is true, and the result of that is a sample that can be found here:

https://github.com/karlschriek/openiddict-blazor-server-sample/tree/main/OpenIddict.Blazor.Server

(For comparison, here is what the vanilla identity UI we worked from looks like: https://github.com/karlschriek/openiddict-blazor-server-sample/tree/main/VanillaIdentityUI.Blazor.Server)

In addition to the above, this sample also includes a few other things that we have worked on in the past, but these are not directly relevant to this issue:

  • Allows for input of Symmetric and RSA keys via appsettings
  • Allows for DbSeeding via appsettings
  • Allows for configuring AzureAD external login provider via appsettings
  • Adds a "SendGrid" EmailSender implementation (can be switched on in appsettings)
  • Adds the ability to add an MFA device via QR code (vanilla UI only displays a code that user must type in)

Where we need help

While we were able to get the login flows to work correctly, we are having trouble with the anti-forgery token (although I suspect this might rather just be a symptom of something more fundamental that is misconfigured). The identity UI has several places where it uses the anti-forgery token. The simplest one to test against is the "logout" button.

The moment you navigate to https://localhost:7143/ (where the "OpenIddict.Blazor.Server" sample project is hosted) I can see the anti-forgery token being set, with a name like ".AspNetCore.Antiforgery.hLXdGIjSYB8". As soon as the user logs in, the ".AspNetCore.Identity.Application" cookie is also set. If I now logout, I get:

An unhandled exception occurred while processing the request.
AntiforgeryValidationException: The provided antiforgery token was meant for a different claims-based user than the current user.
Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)

BadHttpRequestException: Invalid anti-forgery token found when reading parameter "string returnUrl" from the request body as form.
Microsoft.AspNetCore.Http.RequestDelegateFactory+Log.InvalidAntiforgeryToken(HttpContext httpContext, string parameterTypeName, string parameterName, Exception exception, bool shouldThrow)

Similar errors occur on other Blazor components that also require <AntiforgeryToken/>.

This makes me think that either something that we switched off (such as the ".AddIdentityCookies();" extension, which causes an error if used in conjunction with the OpenIddict setup we've added) or some other fundamental mismatch is happening. Would you be able to help us get this sample working correctly? It would go a long way towards us being able to take OpenIddict into production.

karlschriek avatar Jun 10 '24 11:06 karlschriek