.NET Core 3.1 Blazor Server default request authorization header

  • Question

  • User-1004235376 posted

    Dear Reader,

    I use JWT token authentication for a .NET Core API.

    I want to use custom middleware to retrieve a token from Azure AD and add this to HTTP requests.

     using System;
     using System.Diagnostics;
     using Microsoft.AspNetCore.Builder;
     using Microsoft.AspNetCore.Http;
     using Microsoft.Identity.Client;

     app.Use(async (context, next) =>
                {
                    // Client-credentials (app-only) flow: the web app itself is the caller.
                    // Local renamed from "app" to "cca": it collided with the outer IApplicationBuilder "app" (CS0136).
                    // The authority is the tenant endpoint only; MSAL appends /oauth2/v2.0/token itself.
                    IConfidentialClientApplication cca = ConfidentialClientApplicationBuilder.Create("ClientID")
                                                                .WithClientSecret("Secret")
                                                                .WithAuthority(new Uri("https://login.microsoftonline.com/79e14469-174a-4e55-add7-eb32eccb14d1"))
                                                                .Build();
    
                    // App-only tokens must be requested with the resource's /.default scope (e.g. "api://<app-id-uri>/.default").
                    string[] scopes = new string[] { "APIScope" };
    
                    try
                    {
                        AuthenticationResult _result = await cca.AcquireTokenForClient(scopes).ExecuteAsync();
                        // This sets the header on the *incoming* request, which only passes through
                        // this middleware on the initial page load, not on later SignalR circuit messages.
                        context.Request.Headers.Add("Authorization", "Bearer " + _result.AccessToken);
                    }
                    catch (MsalException ex) // AcquireTokenForClient throws MsalServiceException/MsalClientException, never MsalUiRequiredException
                    {
                        Debug.WriteLine(ex);
                    }
    
                    await next();
                });

    The tokens I receive are valid, but somehow this middleware doesn't add the Authorization header to all HTTP requests and I still receive 401 not authorized. I tested the client ID, secret and scope etc. with Postman and the token I receive is valid.

    Thanks in advance!

    Friday, August 7, 2020 4:48 PM

All replies

  • User475983607 posted

    The middleware runs on the initial request from a browser or if the Blazor application is refreshed. Otherwise, messages are sent over the SignalR pipeline.

    Your security design is not clear, but I assume you have a misunderstanding.

    Friday, August 7, 2020 5:20 PM
  • User-1004235376 posted

    OK, that is clear to me now!

    I heard a good practice is to add a fresh JWT token to each request. If I use middleware, retrieve a token and add it to `services.AddHttpClient()`, the token is not fresh on each request?

    Should I add the JWT tokens to the SignalR pipeline, or where do I add the tokens on each request? Do I implement it on each request when I use my custom services to retrieve data from the API?

    Thanks in advance!

    Friday, August 7, 2020 5:24 PM
  • User475983607 posted

    I heard a good practice is to add a fresh JWT token to each request. If I use middleware, retrieve a token and add it to `services.AddHttpClient()`, the token is not fresh on each request?

    Refresh tokens are long-lived tokens used to get an access token. Access tokens are sent on each request.

    Should I add the JWT tokens to the SignalR pipeline, or where do I add the tokens on each request? Do I implement it on each request when I use my custom services to retrieve data from the API?

    I don't understand the design or the intent. JWT tokens typically secure remote Web APIs. Perhaps follow built-in standards.

    https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-3.1

    Friday, August 7, 2020 5:43 PM
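The point made above is that in Blazor Server the HTTP middleware pipeline is only traversed on the initial page load; component interaction afterwards travels over the SignalR circuit, so a header set on the incoming request never reaches the outgoing API calls. The place that does run for every outgoing call is the HttpClient pipeline. The following is an added example, not code from the thread or from any Microsoft sample, showing the client-credentials (app-only) flow from the question attached as a bearer token by a `DelegatingHandler` on a typed HttpClient. Assumptions: the API base address `https://localhost:5001/`, the scope `api://my-protected-api/.default`, the `weatherforecast` route, the `ProtectedApiClient` and `ClientCredentialsBearerHandler` names, and the `ClientID`/`Secret` placeholders (which belong in configuration or Key Vault, not source); the tenant ID is the one from the post.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;

// Runs for every outgoing request of the HttpClient it is attached to, independent of the
// ASP.NET Core request pipeline, so it also works for calls made from a Blazor Server circuit.
public sealed class ClientCredentialsBearerHandler : DelegatingHandler
{
    private readonly IConfidentialClientApplication _cca;
    private readonly string[] _scopes;

    public ClientCredentialsBearerHandler(IConfidentialClientApplication cca, string[] scopes)
    {
        _cca = cca;
        _scopes = scopes;
    }

    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // MSAL keeps an in-memory app token cache on the (singleton) client application: this returns
        // the cached access token until it nears expiry and only then calls Azure AD again. Every
        // request therefore carries a currently valid token without a token round-trip per call.
        AuthenticationResult result = await _cca.AcquireTokenForClient(_scopes).ExecuteAsync(cancellationToken);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        return await base.SendAsync(request, cancellationToken);
    }
}

// Typed client injected into Blazor components or services that read from the protected API.
public sealed class ProtectedApiClient
{
    private readonly HttpClient _http;
    public ProtectedApiClient(HttpClient http) => _http = http;

    public async Task<string> GetWeatherAsync(CancellationToken ct = default)
    {
        using HttpResponseMessage response = await _http.GetAsync("weatherforecast", ct); // hypothetical route
        // A 401 here means the token, audience or scope is wrong, not that the header was missing.
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

public static class ProtectedApiServiceCollectionExtensions
{
    // Call from Startup.ConfigureServices: services.AddProtectedApiClient();
    public static IServiceCollection AddProtectedApiClient(this IServiceCollection services)
    {
        const string tenantId = "79e14469-174a-4e55-add7-eb32eccb14d1"; // tenant from the post
        const string clientId = "ClientID";     // placeholder from the post
        const string clientSecret = "Secret";   // placeholder from the post; load from configuration in practice
        // App-only tokens are requested for the resource's /.default scope (assumed application ID URI).
        string[] scopes = { "api://my-protected-api/.default" };

        // One MSAL client for the application's lifetime so its token cache is shared by all circuits.
        services.AddSingleton<IConfidentialClientApplication>(_ =>
            ConfidentialClientApplicationBuilder.Create(clientId)
                .WithClientSecret(clientSecret)
                .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
                .Build());

        // Handlers added with AddHttpMessageHandler must be registered as transient services.
        services.AddTransient(sp =>
            new ClientCredentialsBearerHandler(sp.GetRequiredService<IConfidentialClientApplication>(), scopes));

        services.AddHttpClient<ProtectedApiClient>(client =>
            {
                client.BaseAddress = new Uri("https://localhost:5001/"); // assumed API address
            })
            .AddHttpMessageHandler<ClientCredentialsBearerHandler>();

        return services;
    }
}
```

A component then takes the typed client with `@inject ProtectedApiClient Api` and awaits `Api.GetWeatherAsync()`; the handler decorates that call no matter whether it was triggered by the initial HTTP request or by a later SignalR message. Note that this token identifies the application, not the signed-in user, because the question's flow is `AcquireTokenForClient`; calling the API on behalf of the user needs a delegated token and a different acquisition path.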
  • User-474980206 posted

    If you are using your Web API as a proxy for the Blazor app, you use the JavaScript MSAL library to get a new access token for every request (use JavaScript interop). MSAL will cache the refresh token if supported.

    If WASM Blazor, include the access token with Web API requests; if Server, just get the access token via JavaScript interop.

    Friday, August 7, 2020 8:27 PM