The right way to use OpenIdConnect on Blazor.
-
Install Blorc.OpenIdConnect via NuGet.
-
Include
Blorc.Core/injector.jsthe index.html file:
<head>
<!-- ... -->
<script src="_content/Blorc.Core/injector.js"></script>
<!-- ... -->
</head>- Update App.razor content like this:
@using Microsoft.AspNetCore.Components.Authorization
<CascadingAuthenticationState>
<Router AppAssembly="@typeof(Program).Assembly">
<Found Context="routeData">
<AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
</Found>
<NotFound>
<LayoutView Layout="@typeof(MainLayout)">
<p>Sorry, there's nothing at this address.</p>
</LayoutView>
</NotFound>
</Router>
</CascadingAuthenticationState>- Add the required service and update Program.cs file as follow:
// Add access token delegating handler to registered http clients
var baseUrl = builder.HostEnvironment.BaseAddress;
builder.Services
.AddHttpClient<WeatherForecastHttpClient>(client => client.BaseAddress = new Uri(baseUrl))
.AddAccessToken();
// Registering required services
builder.Services.AddBlorcCore();
builder.Services.AddAuthorizationCore();
builder.Services.AddBlorcOpenIdConnect(
options =>
{
builder.Configuration.Bind("IdentityServer", options);
});
var webAssemblyHost = builder.Build();
await webAssemblyHost
.ConfigureDocumentAsync(
async documentService =>
{
await documentService.InjectBlorcCoreJsAsync();
await documentService.InjectOpenIdConnectAsync();
});
await webAssemblyHost.RunAsync();- Configure the client and identity server as described in the Configuration section.
Add a configuration file wwwroot\appsettings.json
Note
The Authorization Code Flow with Proof Key for Code Exchange (PKCE) is an authorization code flow to prevent CSRF and authorization code injection attacks and it is the only supported method. Use the configuration values as shown below.
{
"IdentityServer": {
"ResponseType": "code",
"Scope": "openid profile %API-NAME%",
"RedirectUri": "%APPLICATION_URL%",
"PostLogoutRedirectUri": "%APPLICATION_URL%",
"Authority": "%IDENTITY_SERVER_URL%",
"ClientId": "%CLIENT_ID%",
"AutomaticSilentRenew": true, // or `false`
"FilterProtocolClaims": true,
"LoadUserInfo": true
}
}You can also configure the client when registering the service:
builder.Services.AddBlorcOpenIdConnect(
options =>
{
options.ResponseType = "code";
// ...
});Configuration sample code can be found in the demo app.
Some of the configuration options are described in the following table:
| Option | Description |
|---|---|
| LoadUserInfo | Flag to control if additional identity data is loaded from the user info endpoint in order to populate the user's profile. |
| Resource | The resource parameter to send to the identity server. Useful when the identity server supports RFC 8707. |
| ExtraQueryParams | Additional query string parameters to be including in the authorization request. |
| ExtraTokenParams | Additional parameters to be sent to the token endpoint. |
Use the following guides as reference for identity server configuration.
-
Prerequisites
- Docker
- Tye
-
Open a command line console a run the following commands
> cd %CLONE_DIR%\deployment\tye
> tye run .\backend-tye.yaml-
Run the InitializeKeycloakAsync test of the Environment class in the test project. This will setup the required clients, and client scope for the demo.
-
Run the
Blorc.OpenIdConnect.DemoApp.Serverproject. -
Use the following credentials when prompted by Keycloak.
| UserName | Password |
|---|---|
| admin | Password123! |
