NET 8 Blazor Cookie Authentication and Authorization Policy not the same as in NET 7 #52222

Closed
1 task done
joecuevasjr opened this issue Nov 20, 2023 · 2 comments
Labels
area-blazor Includes: Blazor, Razor Components


joecuevasjr commented Nov 20, 2023

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

I've got a .NET 8 Blazor (Interactive Server - Per page/component interactivity) application where Cookie Authentication has been added.
I handle cookie authentication via a minimal API endpoint, where I interact with the HttpContext and create a ClaimsPrincipal and call context.SignInAsync. Subsequently, a Results.Redirect call reloads the Blazor page where Authorization is now in effect.

The issue occurs when I add an authorization policy, such as:

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("Age", policy =>
    {
        policy.RequireClaim("age", "21");
    });
});

If I add the following to a routable component, for example the counter page:

@attribute [Authorize(Policy = "Age")]

And if the policy is not satisfied with the required claim, then the page redirects to the cookie's configured LoginPath.
However, I'm already logged on and I expect the Routes.razor <NotAuthorized> template directive to render in the Blazor component instead of a redirect to the default LoginPath /Account/AccessDenied?ReturnUrl=.

Expected Behavior

I'm expecting this to work as it did on .NET 7. On .NET 7, the authorized component correctly renders the <NotAuthorized> template directive when the policy-based authorization requirement is not met.

Here's my Routes.razor code:

<CascadingAuthenticationState>
    <Router AppAssembly="@typeof(Program).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(Layout.MainLayout)">
                <NotAuthorized>
                    <h1>Sorry</h1>
                    <p>You're not authorized to reach this page.</p>
                </NotAuthorized>
            </AuthorizeRouteView>
            <FocusOnNavigate RouteData="@routeData" Selector="h1" />
        </Found>
    </Router>
</CascadingAuthenticationState>

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version

8

Anything else?

No response

dotnet-issue-labeler bot added the area-blazor (Includes: Blazor, Razor Components) label on Nov 20, 2023

joecuevasjr changed the title from "NET 8 Blazor Cookie Authorization and Authorization Policy not the same as in NET 7" to "NET 8 Blazor Cookie Authentication and Authorization Policy not the same as in NET 7" on Nov 20, 2023

joecuevasjr commented Nov 21, 2023

An update to my issue. It seems to only affect .NET 8 Blazor apps where interactivity is set to a "Per page/component" level. Once I set it to Global interactivity via App.razor's <HeadOutlet> and <Routes> set to @rendermode="@InteractiveServer", the <NotAuthorized> template directive renders as expected and it no longer redirects to the cookie's default LoginPath. 🤔


joecuevasjr commented Nov 21, 2023

I think I've got this figured out. I'll close this out with an explanation of my realization:

Since I'm trying to use Static Server Rendering mixed with Interactive Server components, the default for SSR in Routes.razor is to utilize the cookie LoginPath when I'm not authorized. I've come to the realization that my expectations were incorrect and the default case here is expected.

However, once authorized I was still having the issue of an Interactive Server component not properly receiving the cascading authorization state, but I was able to rectify that with a call to builder.Services.AddCascadingAuthenticationState() to support mixed render modes.

My original issue was that I was migrating a Blazor Server .NET 7 app to an SSR/Interactive Server Blazor .NET 8 app. Once my Blazor app was set to Global Interactive Server, everything was acting as it did in .NET 7.

ghost locked as resolved and limited conversation to collaborators on Feb 7, 2024
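
The configuration described in the closing comment, written out as an added example (not code from the issue or from the ASP.NET Core project). Under static server rendering the page's [Authorize] policy is enforced by the authorization middleware, so a failed check is answered by the cookie handler with a redirect: LoginPath for an anonymous user, AccessDeniedPath for a signed-in user who fails the policy. The paths, the BlazorApp namespace and the development-only sign-in endpoint are assumptions.

```csharp
// Program.cs for a .NET 8 Blazor Web App with per page/component interactivity.
// Assumes the template's root component `App`; "BlazorApp" is a placeholder namespace.
using System.Security.Claims;
using BlazorApp.Components;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorComponents().AddInteractiveServerComponents();

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Statically rendered requests are authorized before any component runs,
        // so these redirects replace the <NotAuthorized> template (hypothetical paths).
        options.LoginPath = "/login";          // anonymous user: challenge
        options.AccessDeniedPath = "/denied";  // signed in, policy fails: forbid
    });

builder.Services.AddAuthorization(options =>
    options.AddPolicy("Age", policy => policy.RequireClaim("age", "21")));

// Supplies the authentication state as a cascading value to interactive
// components when render modes are mixed.
builder.Services.AddCascadingAuthenticationState();

var app = builder.Build();
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

if (app.Environment.IsDevelopment())
{
    // Constructed demo identity whose age claim does NOT satisfy the "Age" policy.
    app.MapPost("/dev/signin", async (HttpContext context) =>
    {
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Name, "demo"), new Claim("age", "18") },
            CookieAuthenticationDefaults.AuthenticationScheme);
        await context.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
        return Results.Redirect("/counter");
    });
}

app.MapRazorComponents<App>().AddInteractiveServerRenderMode();
app.Run();
```

With the demo identity signed in, a request for a statically rendered page carrying @attribute [Authorize(Policy = "Age")] is redirected to /denied rather than rendering <NotAuthorized>.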