anastasia-3024 asked anastasia-3024 commented

CORS issue in a hosted Blazor solution

I have a hosted Blazor app based on the Blazor WebAssembly project template. I use an Azure AD B2C standard user flow for user authentication. I can log in when I run the app on localhost, but I cannot access endpoints from a controller that requires the user to be authenticated. The issue seems to be CORS related and happens while sending a request to https://xxx.b2clogin.com/xxx.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/authorize:
[Screenshot: 196500-image.png]


I use a custom AuthorizationMessageHandler class, as recommended here, and register it in the client's services like this:

 builder.Services.AddScoped<CustomAuthorizationMessageHandler>();
 builder.Services.AddHttpClient("xxxAPI",
         client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
     .AddHttpMessageHandler<CustomAuthorizationMessageHandler>();

CustomAuthorizationMessageHandler:

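 using Microsoft.AspNetCore.Components;
 using Microsoft.AspNetCore.Components.WebAssembly.Authentication;

 public class CustomAuthorizationMessageHandler : AuthorizationMessageHandler
 {
     public CustomAuthorizationMessageHandler(IAccessTokenProvider provider,
         NavigationManager navigationManager)
         : base(provider, navigationManager)
     {
         // authorizedUrls: URL prefixes for which the handler attaches the access token.
         // scopes: scopes requested for that token.
         ConfigureHandler(
             authorizedUrls: new[] {"https://xxx.b2clogin.com/"},
             scopes: new[] {"user.read", "user.write"});
     }
 }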


Am I missing something else?



Tags: azure-ad-b2c, dotnet-aspnet-core-blazor

Can you tell us the exact ASP.NET Core version and the Visual Studio (2019 or 2022) version?

Besides, can you share the CORS configuration? You could refer to this part: Cross-origin resource sharing (CORS).


1 Answer

Bruce-SqlWork answered anastasia-3024 commented

The API you are calling appears to be redirecting to the Azure AD OAuth login server (probably using web flow). The AD login server does not support Ajax logins.

Typically the Blazor app would use the MSAL client library to log in, then use the returned token to call the web API. The web API should just return a 401 for a missing/invalid JWT token, not a redirect.

https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory?view=aspnetcore-6.0

Note: if you want to use web flow and cookies, then the index.html page should require authentication. You should change the web API to return a 401 error rather than a redirect. On the client side, if you get a 401 error (expired token), set location to index.html, which forces a reload and authentication.


I found out it was a wrong service configuration in the Server app. Thank you for the answers; the ticket can be closed.

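A sketch of the Server-side setup the answer describes, where the API answers a missing or invalid token with 401 instead of redirecting to the B2C authorize endpoint. This is an added example, not code from the thread or the asker's actual fix; it assumes .NET 6 minimal hosting, the Microsoft.Identity.Web package, an "AzureAdB2C" section in appsettings.json, and a hypothetical /api/profile endpoint.

```csharp
// Server/Program.cs of a hosted Blazor WebAssembly app (added example).
// Assumed: Microsoft.Identity.Web and Microsoft.AspNetCore.Components.WebAssembly.Server
// are referenced, and appsettings.json has an "AzureAdB2C" section.
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);

// Web-flow registration, shown for contrast only. Its challenge is a 302 to the
// B2C /authorize endpoint; a fetch() issued by the WebAssembly client follows it
// cross-origin and fails the browser's CORS check instead of seeing an auth error.
// builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
//     .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

// Bearer-token registration: a missing or invalid JWT produces a plain 401
// with a WWW-Authenticate header and no redirect.
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAdB2C"));
builder.Services.AddAuthorization();

var app = builder.Build();

app.UseBlazorFrameworkFiles();   // serves the WebAssembly client files
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();         // must run before UseAuthorization
app.UseAuthorization();

// Hypothetical protected endpoint; anonymous callers receive 401.
app.MapGet("/api/profile", (System.Security.Claims.ClaimsPrincipal user) =>
        Results.Ok(new { name = user.Identity?.Name }))
    .RequireAuthorization();

// Unknown /api/* paths return 404 rather than falling through to index.html,
// so the client never mistakes the SPA shell for an API response.
app.Map("/api/{**rest}", () => Results.NotFound());

// The SPA shell stays anonymous; the MSAL-based client handles the interactive login.
app.MapFallbackToFile("index.html");

app.Run();
```

For a signed-in user to get past the 401, the client's AuthorizationMessageHandler has to attach the token to these requests, which it does only for URLs that start with one of its configured authorizedUrls.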