Skip to content

Denying authorization access to a Blazor webassembly client #28344

New issue
New issue
Open
Bug
Open
Denying authorization access to a Blazor webassembly client#28344
Bug
Labels
Pillar: Technical DebtPriority:1Work that is critical for the release, but we could probably ship withoutaffected-mediumThis issue impacts approximately half of our customersarea-blazorIncludes: Blazor, Razor ComponentsbugThis issue describes a behavior which is not expected - a bug.feature-blazor-wasmThis issue is related to and / or impacts Blazor WebAssemblygood first issueGood for newcomers.help candidateIndicates that the issues may be a good fit for community to help with. Requires work from eng. teamseverity-majorThis label is used by an internal tool
Milestone
 
Backlog
@jayrulez

Description

@jayrulez
jayrulez
opened on Dec 3, 2020

Describe the bug

I am using Openiddict as an OpenId Connect server with a blazor webassembly client.

If I attempt to access a protected route in the client, it redirects me to the oidc server (based on Openiddict) for auth*n.
If I provide access to the blazor client then it works as expected.

However, If I deny access to the blazor client then I believe the RemoteAuthenticatorViewCore is behaving incorrectly.
The expected behavior is that the client is redirected to the login failed callback route where the error message returned by the oidc server (in this case: "The authorization was denied by the end user.") is displayed to the user.

However, the client stays on this view:

image

I think the issue is in this method:

aspnetcore/src/Components/WebAssembly/WebAssembly.Authentication/src/RemoteAuthenticatorViewCore.cs

Line 245 in 648c15d

private async Task ProcessLogInCallback()

I'm not having a good time with debugging a blazor webassembly client so I cannot confirm this but I think this method is hitting one of the cases that throws an exception or the empty RemoteAuthenticationStatus.OperationCompleted case.

The login callback preview shows this:
image

So I am leaning to the former.

To Reproduce

You can reproduce the issue by running this sample project here:
https://github.com/openiddict/openiddict-samples/tree/dev/samples/Balosar

It doesn't require any setup so it should take just a few minutes.

Just click the "Fetch Data" component link. It will redirect you to the auth server for. you can then create an account and login. (I suggest creating an account beforehand or disabling email requirement for sign in as it breaks the flow by default.). Anyway, once you have an account you can attempt to authorize the client. When it prompts for consent, deny the client and you will be returned to the view in the first screenshot.

I first contacted @kevinchalet about this issue. He says as I expected that it is not an issue with Openiddict.

Further technical details

$ dotnet --info
.NET SDK (reflecting any global.json):
Version: 5.0.100
Commit: 5044b93829

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\5.0.100\

Metadata

Metadata

Assignees

No one assigned

    Labels

    Pillar: Technical DebtPriority:1Work that is critical for the release, but we could probably ship withoutaffected-mediumThis issue impacts approximately half of our customersarea-blazorIncludes: Blazor, Razor ComponentsbugThis issue describes a behavior which is not expected - a bug.feature-blazor-wasmThis issue is related to and / or impacts Blazor WebAssemblygood first issueGood for newcomers.help candidateIndicates that the issues may be a good fit for community to help with. Requires work from eng. teamseverity-majorThis label is used by an internal tool

    Type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions