BWA with WinAuth article #34708
This is a new area to me, so some of my comments may be just from lack of knowledge. Take them with a grain of salt.
Made some updates on the last two commits ☝️ 👇 ...
|
@page "/user-claims" | ||
@using System.Security.Claims | ||
@using Microsoft.AspNetCore.Authorization | ||
@attribute [Authorize] |
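Review bot: `@attribute [Authorize]` on the last line is the only visible consumer of `@using Microsoft.AspNetCore.Authorization` in these lines, so the two should be kept or removed together. If the attribute stays, the article text next to this component should say whether this page is protected by the attribute or by app-wide configuration, so readers do not copy one without the other.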
What's the point of this attribute given that this sample also uses `options.FallbackPolicy = options.DefaultPolicy`?
I'd sooner remove the fallback policy part than this attribute though. I find too many people set the fallback policy to the default policy not realizing it makes `[Authorize]` redundant.
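An added illustration of the point in the comment above (not code from the PR or the sample app): a minimal ASP.NET Core `Program.cs` in which the fallback policy and a bare authorization requirement run the same check. The endpoint routes, the policy name `LocalAccount`, and the choice of the well-known "Local account" SID `S-1-5-113` are assumptions made for the example.

```csharp
// Program.cs - added illustration, not the sample app's code.
// Requires the Microsoft.AspNetCore.Authentication.Negotiate package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // DefaultPolicy is what a bare [Authorize] evaluates: an authenticated user.
    // Assigning it to FallbackPolicy applies that same requirement to every
    // endpoint that carries no authorization metadata at all.
    options.FallbackPolicy = options.DefaultPolicy;

    // A named policy is the case where endpoint metadata still matters.
    // "LocalAccount" and the SID are illustrative (S-1-5-113 = Local account).
    options.AddPolicy("LocalAccount", policy =>
        policy.RequireClaim(ClaimTypes.GroupSid, "S-1-5-113"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// No metadata: the fallback policy applies, so anonymous requests are challenged.
app.MapGet("/no-attribute", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}");

// Equivalent of [Authorize]: evaluates DefaultPolicy, the same check as above.
app.MapGet("/with-authorize", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
    .RequireAuthorization();

// Opting out must now be explicit, or the endpoint inherits the fallback.
app.MapGet("/health", () => "ok").AllowAnonymous();

// Here the endpoint's own metadata replaces the fallback with a stricter policy.
app.MapGet("/local-only", () => "local account").RequireAuthorization("LocalAccount");

app.Run();
```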
The presence of the attribute is merely an oversight. However, I just ran into a pre-rendering/rendering problem removing the fallback policy:
- If components that require security (via the attribute) are linked in the sidebar and one of the links is followed, the page merely states, "Not Authorized." There's no provision to authenticate the user (yet) in the sample app. It's not automatic, and it's not clear to me (or in our main doc set article on WinAuth ... all examples use the fallback policy approach) how to authenticate a user for WinAuth on-the-fly after an app has started.
- If the relative URL to a secure component is added to the address bar and a secure page load is forced, the Windows Security sign-in popup appears and allows credentials to be entered. However, authenticated user state is only present for prerendering of the render after authentication. The secure page flashes its secure contents and displays "Not Authorized" for final rendering.
TL;DR ☝️😆 ... I don't know how to make this sample work without the fallback policy that requires all users to authenticate as soon as the app starts.
Sample App: https://github.com/dotnet/blazor-samples/tree/main/9.0/BlazorWebAppWinAuthServer
I think the sample would need a `RedirectToLogin` like the OIDC sample has here. It would probably be best to call it something like `ForceLogin` even though, and I think you could get away with having the component just call `NavigationManager.Refresh(forceReload: true)` rather than hit the "authentication/login" minimal endpoint and redirect back, so it would be even simpler. The new top-level request induced by `Refresh` should be enough for the authorization middleware to issue a challenge via the Windows authentication handler (`NegotiateHandler`).
Thx @halter73 ... I'll give that a shot on Monday morning. Have a great weekend! 🍻
@halter73 ... I made the updates on https://github.com/dotnet/blazor-samples/pull/478/files.
Sample: https://github.com/dotnet/blazor-samples/tree/main/9.0/BlazorWebAppWinAuthServer
No 🎲🎲 yet ... Try to access a secure page, it presents the Windows Security signin popup, and then it puts the app/page into a redirect loop of death 💀😆 immediately after signing in.
Fixes #34707
Notes
❓***QUESTION:***❓ We want to show claims and how to set a policy for a Win SID. Is there anything else that we need this sample app to show, or is this enough to get folks going?
Thanks @markat1 for requesting this sample and coverage.