Blazor WASM with Remote Authentication (IdentityServer4)

[saulyt]

I am trying to figure out how to properly wire up CSLA using IdentityServer for authentication. I have everything working as far as logging in is concerned. My problem is that after the initial login, if the page is refreshed, CSLA losses the identity. I tried using the CslaAuthenticationStateProvider, but that causes a casting error on the authentication page with the RemoteAuthenticatorView component. See error details below. Right now I am using the OnLogInSucceeded event of the RemoteAuthenticatorView to set the CslaUserService.CurrentUser to the logged in user. Being that I currently only have 2 pages, to mitigate the issue of losing the login, I placed some code in the OnInitialized event of these 2 pages to also set the CslaUserService.CurrentUser to the logged in user when the user is authenticated. (I am getting the logged in user via a cascading AuthenticationState parameter,)

What is the proper way to wire this up?

Thank you

Casting Error Details:
Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
Unhandled exception rendering component: Specified cast is not valid.
System.InvalidCastException: Specified cast is not valid.
at Microsoft.Extensions.DependencyInjection.WebAssemblyAuthenticationServiceCollectionExtensions.<>c__03[[Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteAuthenticationState, Microsoft.AspNetCore.Components.WebAssembly.Authentication, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60],[Microsoft.AspNetCore.Components.WebAssembly.Authentication.RemoteUserAccount, Microsoft.AspNetCore.Components.WebAssembly.Authentication, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60],[Microsoft.AspNetCore.Components.WebAssembly.Authentication.OidcProviderOptions, Microsoft.AspNetCore.Components.WebAssembly.Authentication, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60]].<AddRemoteAuthentication>b__0_0(IServiceProvider sp) at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitFactory(FactoryCallSite factoryCallSite, RuntimeResolverContext context) at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor2[[Microsoft.Extensions.DependencyInjection.ServiceLookup.RuntimeResolverContext, Microsoft.Extensions.DependencyInjection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60],[System.Object, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].VisitCallSiteMain(ServiceCallSite callSite, RuntimeResolverContext argument)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitCache(ServiceCallSite callSite, RuntimeResolverContext context, ServiceProviderEngineScope serviceProviderEngine, RuntimeResolverLock lockType)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.VisitScopeCache(ServiceCallSite singletonCallSite, RuntimeResolverContext context)
at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteVisitor2[[Microsoft.Extensions.DependencyInjection.ServiceLookup.RuntimeResolverContext, Microsoft.Extensions.DependencyInjection, Version=5.0.0.0, Culture=neutral, PublicKeyToken=adb9793829ddae60],[System.Object, System.Private.CoreLib, Version=5.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].VisitCallSite(ServiceCallSite callSite, RuntimeResolverContext argument) at Microsoft.Extensions.DependencyInjection.ServiceLookup.CallSiteRuntimeResolver.Resolve(ServiceCallSite callSite, ServiceProviderEngineScope scope) at Microsoft.Extensions.DependencyInjection.ServiceLookup.RuntimeServiceProviderEngine.<>c__DisplayClass1_0.<RealizeService>b__1(ServiceProviderEngineScope p) at Microsoft.Extensions.DependencyInjection.ServiceLookup.RuntimeServiceProviderEngine.<>c__DisplayClass1_0.<RealizeService>b__0(ServiceProviderEngineScope scope) at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngine.GetService(Type serviceType, ServiceProviderEngineScope serviceProviderEngineScope) at Microsoft.Extensions.DependencyInjection.ServiceLookup.ServiceProviderEngineScope.GetService(Type serviceType) at Microsoft.AspNetCore.Components.ComponentFactory.<>c__DisplayClass6_0.<CreateInitializer>g__Initialize|2(IServiceProvider serviceProvider, IComponent component) at Microsoft.AspNetCore.Components.ComponentFactory.PerformPropertyInjection(IServiceProvider serviceProvider, IComponent instance) at Microsoft.AspNetCore.Components.ComponentFactory.InstantiateComponent(IServiceProvider serviceProvider, Type componentType) at Microsoft.AspNetCore.Components.RenderTree.Renderer.InstantiateComponent(Type componentType) at Microsoft.AspNetCore.Components.RenderTree.Renderer.InstantiateChildComponentOnFrame(RenderTreeFrame& frame, Int32 parentComponentId) at Microsoft.AspNetCore.Components.RenderTree.RenderTreeDiffBuilder.InitializeNewComponentFrame(DiffContext& diffContext, Int32 frameIndex) at Microsoft.AspNetCore.Components.RenderTree.RenderTreeDiffBuilder.InitializeNewSubtree(DiffContext& diffContext, Int32 frameIndex) at Microsoft.AspNetCore.Components.RenderTree.RenderTreeDiffBuilder.InsertNewFrame(DiffContext& diffContext, Int32 newFrameIndex) at Microsoft.AspNetCore.Components.RenderTree.RenderTreeDiffBuilder.AppendDiffEntriesForRange(DiffContext& diffContext, Int32 oldStartIndex, Int32 oldEndIndexExcl, Int32 newStartIndex, Int32 newEndIndexExcl) at Microsoft.AspNetCore.Components.RenderTree.RenderTreeDiffBuilder.ComputeDiff(Renderer renderer, RenderBatchBuilder batchBuilder, Int32 componentId, ArrayRange1 oldTree, ArrayRange`1 newTree)
at Microsoft.AspNetCore.Components.Rendering.ComponentState.RenderIntoBatch(RenderBatchBuilder batchBuilder, RenderFragment renderFragment)
at Microsoft.AspNetCore.Components.RenderTree.Renderer.RenderInExistingBatch(RenderQueueEntry renderQueueEntry)
at Microsoft.AspNetCore.Components.RenderTree.Renderer.ProcessRenderQueue()

[rockfordlhotka]

The CSLA part of this is that the principal (Csla.ApplicationContext.User) is stored as a static, so it will absolutely not survive a restart of the app (refresh the browser such that the wasm app reloads).

Blazor itself uses a AuthenticationStateProvider to provide the principal to the Blazor UI components, etc. CSLA provides one of these for your use, which ultimately relies on Csla.ApplicationContext.User to store the principal.

This is a long way of saying that I don't know the answer to how (or if) you can have a Blazor wasm app survive a restart and still remain authenticated. If this is possible I would expect it to be through a cookie that your authentication framework (not CSLA, but the framework you are using for authentication) would store, because that should survive unless the browser window is closed.

You'll have to detect that the app restarted, use the cookie to connect to the server, ask the server for the principal/identity pair, and store that pair in memory on the client again.

[saulyt]

Thanks for the reply Rocky. I am already maintaining the login on refresh via a cookie. My question is really, where on refresh is the correct place to set the Csla.ApplicationContext.User based on the authenticated user. I am currently doing in OnInitialized on my page. I am looking for a global place to do it so that I don't have to repeat it on every page,

[rockfordlhotka]

Can you do it in Program.cs?

[saulyt]

I don't think so as I don't believe I would have access to the logged in user that early. Currently I am getting it via the AuthenticationState parameter which is a cascading parameter from CascadingAuthenticationState in App.razor. Perhaps I can do it in App.razor. Didn't think of that before. I'll give it a try.

[mtavares628]

Do you have a sample of your full implementation that you could share? I'm trying to get this to work myself and I'm having a lot of trouble.

[saulyt]

I'll try to get you that tomorrow.

[saulyt]

Here are the relevant parts of my setup.
In program.cs:

builder.Services.AddSingleton<CslaUserService>();
builder.Services.AddOidcAuthentication(options =>
{
    builder.Configuration.Bind("oidc", options.ProviderOptions);
});

My appsetting.json:

{
  "oidc": {
    "Authority": "https://identityserveraddress/",
    "ClientId": "wasm-client",
    "DefaultScopes": [
      "openid",
      "profile"
    ],
    "PostLogoutRedirectUri": "https://identityserveraddress/signout-callback-oidc",
    "ResponseType": "code",
    "GetClaimsFromUserInfoEndpoint ": true,
    "SaveTokens": true
  }
}

On the Identity Server side my client settings look like this:

{
	"IdentityServer": {
		"IssuerUri": "urn:https://identityserveraddress",
	"Clients": [
		{
			"Enabled": true,
			"ClientId": "wasm-client",
			"ClientName": "WASM Client",
			"RequireClientSecret": false,
			"AllowedGrantTypes": [ "authorization_code" ],
			"AllowedScopes": [ "openid", "profile"],
			"AllowedCorsOrigins": [ "https://addressOfClientWasmApp" ],
			"PostLogoutRedirectUris": [ "https://addressOfClientWasmApp/" ],
			"RedirectUris": [ "https://addressOfClientWasmApp/authentication/login-callback" ],
			"AlwaysIncludeUserClaimsInIdToken": true
		}
	]
}

Attached is my App.razor and my Authentication.razor

Hope this helps.

App.razor.txt
Authentication.razor.txt

[mtavares628]

@saulyt Thanks for the info. I got side tracked with another project for a number of months, and I am just circling back to this now. I have a few follow-up questions for you:

1. Is your solution no longer using the CslaAuthenticationStateProvider?
2. Where are you persisting and checking the cookie with the ClaimsPrincipal in it so that logging in again is not required upon refresh?
3. Do you happen to have a full sample solution of all of this working together? I'm new to both Blazor and Identity at this point, and having a full sample would help me get a better handle on it.

[saulyt]

• That is correct, I am not using the CslaAuthenticationStateProvider in my WASM app.
• I am not checking the cookie. IdentityServer is maintaining and checking the cookie. Whenever the page is refreshed the user is authenticated via the OIDC middleware. If IdentityServer finds a valid cookie, the user will not get forwarded to the IdentityServer login page. (That is just how it works out of the box. I did not do anything special to implement that.)
• Sorry, I don't have a stripped down sample solution to share at the moment.