Denying authorization access to a Blazor webassembly client #28344

Open
jayrulez opened this issue Dec 3, 2020 · 0 comments

Comments

jayrulez commented Dec 3, 2020

Describe the bug

I am using OpenIddict as an OpenID Connect server with a Blazor WebAssembly client.

If I attempt to access a protected route in the client, it redirects me to the OIDC server (based on OpenIddict) for authentication.
If I provide access to the Blazor client then it works as expected.

However, if I deny access to the Blazor client then I believe the RemoteAuthenticatorViewCore is behaving incorrectly.
The expected behavior is that the client is redirected to the login-failed callback route, where the error message returned by the OIDC server (in this case: "The authorization was denied by the end user.") is displayed to the user.

However, the client stays on this view:

[screenshot not reproduced]

I think the issue is in this method:

I'm not having a good time debugging a Blazor WebAssembly client, so I cannot confirm this, but I think this method is hitting one of the cases that throws an exception or the empty RemoteAuthenticationStatus.OperationCompleted case.

The login callback preview shows this:
[screenshot not reproduced]

So I am leaning to the former.

To Reproduce

You can reproduce the issue by running this sample project here:
https://github.com/openiddict/openiddict-samples/tree/dev/samples/Balosar

It doesn't require any setup so it should take just a few minutes.

Just click the "Fetch Data" component link. It will redirect you to the auth server. You can then create an account and log in. (I suggest creating an account beforehand or disabling the email requirement for sign-in, as it breaks the flow by default.) Anyway, once you have an account you can attempt to authorize the client. When it prompts for consent, deny the client and you will be returned to the view in the first screenshot.

I first contacted @kevinchalet about this issue. He says, as I expected, that it is not an issue with OpenIddict.

Further technical details

$ dotnet --info
.NET SDK (reflecting any global.json):
Version: 5.0.100
Commit: 5044b93829

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\5.0.100\
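The behaviour the report expects from the login callback, shown as an added browser-side example. This is illustration code written for this page, not code from Blazor, OpenIddict or the reporter's sample: it classifies the OAuth 2.0 / OIDC authorization response that the server sends back to the client's redirect URI, checking `state` first, then treating an `error` response (such as the `access_denied` the reporter hit) as a login failure that carries the server's `error_description`, and only a response carrying `code` as success. The redirect URI, the stored state value and all sample callback URLs are constructed for the example.

```javascript
// Added illustration (not Blazor, OpenIddict or the reporter's code) of how a
// login-callback handler should classify the authorization response that the
// OIDC server sends back to the client's redirect URI.

// Assumed redirect URI registered for the Blazor client (constructed for the example).
const REDIRECT_URI = "https://localhost:5001/authentication/login-callback";

// Parse the OAuth 2.0 / OIDC authorization response from the callback URL.
// A success response carries `code`; an error response carries `error` and
// optionally `error_description`; both must echo the client's `state`.
function parseAuthorizationResponse(callbackUrl) {
  const url = new URL(callbackUrl);
  // Parameters arrive in the query (response_mode=query) or in the fragment
  // (response_mode=fragment); accept either.
  const raw = url.search ? url.search.slice(1) : url.hash.slice(1);
  const params = new URLSearchParams(raw);
  return {
    onCallbackPath: url.origin + url.pathname === REDIRECT_URI,
    code: params.get("code"),
    state: params.get("state"),
    error: params.get("error"),
    errorDescription: params.get("error_description"),
  };
}

// Decide the login outcome. `expectedState` is the value the client stored
// before it redirected to the server. Order matters:
//  1. a navigation that did not land on the callback path is not a callback;
//  2. a missing or foreign `state` is a failure before anything else is read,
//     so an attacker-crafted link cannot make the app display a message or
//     exchange a code it never asked for;
//  3. `error` is a failure that surfaces the server's description;
//  4. `code` is a success to hand to the token request;
//  5. anything else is still a failure, never a silent "completed".
function classifyCallback(callbackUrl, expectedState) {
  const r = parseAuthorizationResponse(callbackUrl);
  if (!r.onCallbackPath) {
    return { status: "Ignored", message: "not an authorization callback" };
  }
  if (!r.state || r.state !== expectedState) {
    return { status: "Failure", message: "state mismatch: response is not bound to this client's request" };
  }
  if (r.error) {
    // Server-supplied text: render it as plain text in the UI, never as HTML.
    return { status: "Failure", message: r.errorDescription || r.error };
  }
  if (r.code) {
    return { status: "Success", code: r.code };
  }
  return { status: "Failure", message: "authorization response carried neither code nor error" };
}

// Constructed sample callbacks, including the consent-denied case from the report.
const STATE = "c3b1f0d2";
const SAMPLES = {
  granted: `${REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state=${STATE}`,
  denied: `${REDIRECT_URI}?error=access_denied&error_description=The+authorization+was+denied+by+the+end+user.&state=${STATE}`,
  forged: `${REDIRECT_URI}?error=access_denied&error_description=Your+session+expired&state=deadbeef`,
  fragment: `${REDIRECT_URI}#code=SplxlOBeZQQYbYS6WxSbIA&state=${STATE}`,
};

// Classify every sample with the stored state; returns a name -> outcome map.
function runSamples() {
  const out = {};
  for (const [name, url] of Object.entries(SAMPLES)) {
    out[name] = classifyCallback(url, STATE);
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runSamples());
}
```

Run it with `node`. The `denied` sample is the report's scenario: the handler returns a Failure carrying "The authorization was denied by the end user.", which is what the login-failed route is expected to render. The `forged` sample shows why the `state` check comes before the `error` check: without it, anyone who can get a user to open a crafted callback link could choose the text the application displays.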
