var objectidentifierClaimType = "http://schemas.microsoft.com/identity/claims/objectidentifier";
var objectIdentifier = principal.Claims.FirstOrDefault(t => t.Type == objectidentifierClaimType);

Hi @damienbod
Have you ever done this, or got it on the list of things to try for the future?
My app architecture is ASPNET BFF Server, and a standalone Blazor WASM app.
I have been trying to hack this template so it isn't intertwined with the WASM Hosted approach but I am struggling with it.

Hi Damien,

VSDotNetGuy again. We see in your template, you're using a form post based logout to the server side api. However, we're using a menu drawer based Logout link that when clicked raises an event. From the event code we post to the server at \api\account\logout using HttpClient.

The server side Logout method is being called and the Signout command seems to run okay. However, we expected the app would no longer be authenticated so would display the Azure AD B2C login page upon redirect or refresh.

Does your template prompt for AD login after Signout? If not, any ideas on how to be prompted by Azure AD B2C to login after the server side Signout is completed?

Thx in advance and take care,
Bob Baldwin (aka VSDotNetGuy)

Dear Damien,
Sorry to bother with a perhaps silly question.
I am trying to figure out if I am not going to switch and app to use BFF on Azure B2C, so I came accross you template.

-In terms of app registration on the portal, how do you set this up?
-Do you have one or two app registrations (server and client)?
-It seems the auth is using the implicit flow?

Besides this, I am trying to figure out the difference between your template and the Blazor Wasm Hosted that comes from Microsoft?
Why did you put the _Host.cshtml in the server, instead of the index.html in the client that comes from the MS Blazor Hosted Wasm template?

Any further clarifitcation is welcomed.
Thank you

Hello @damienbod ,

I watched your recent stand-up with Jon Galloway which was super interesting and I thought I'd give this BFF template a go. Locally it works great, and deployed to a standard app service plan it works fine too. However, I'm pulling my hair out trying to get it to work with Azure container apps and was hoping you could point me in the right direction to fix this. Please note, before the index page would work I had to I fix another issue with the anti-forgery cookie which was resolved with the following change:

options.Cookie.SecurePolicy = CookieSecurePolicy.Always;

to

options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;

Once the above was resolved the index page shows fine but I unfortunately get the correlation failed error reported below when selecting the login link. Any help with this is greatly appreciated:

Issue

Correlation failed error reported when selecting the log-in link on the main page. The container app logs show the following (newest first):

[40m[1m[33mwarn[39m[22m[49m: Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler[15]

'.AspNetCore.Correlation.JV4ZtwsqyoQzUm0XjKPsZl5UeG7IAsHK18V9J3fEtwU' cookie not found.

[40m[1m[33mwarn[39m[22m[49m: Microsoft.AspNetCore.Http.ResponseCookies[1]

The cookie '.AspNetCore.Correlation.JV4ZtwsqyoQzUm0XjKPsZl5UeG7IAsHK18V9J3fEtwU' has set 'SameSite=None' and must also set 'Secure'.

[40m[1m[33mwarn[39m[22m[49m: Microsoft.AspNetCore.Http.ResponseCookies[1]

The cookie '.AspNetCore.OpenIdConnect.Nonce.CfDJ8P3OW6sbpfpEkZYp1w0JsW8f2E0rMU4me_SA7Co14Nm2S8UlmZSemDj0yeKD7P5em5sNOV_0CUKPl2JSHAmZWAqJ1GU_Ni9PMQJSPoMEaGjWmJvwp-0SRuAfja8V4tnB1FFiUapJtdRH_KCWCjo_IXrGJlpg6_7b-zkZ8xl0_GxwOSIk-gOT8150GvMagOBwG8_3W5V3M-GwnpfdQt96kA8WzYNqBVgUUdbe8N821B9ac4_NqG37gna1ubwXtF1MmlQ63XVYkMREGaGWAKY87F0' has set 'SameSite=None' and must also set 'Secure'.

To Reproduce

Enable container orchestration and deploy the BFF server to a container registry.

Create a container app (and supporting resources such as environment, app insights etc.). and deploy the image above.

On the main index page select the 'Log in' link and you will be redirected to the /MicrosoftIdentity/Account/Error page which states 'Correlation failed.'

Additional notes

Deploying to a standard app service plan works fine.

Deploying to a container based app service plan does not work either, also producing a 'correlation failed' error. This is probably the quickest path to reproducing the issue as it only takes a few minutes to create the app service.

Many Thanks,

Roger

Hi @damienbod and friends,

Firstly, many thanks for this template and associated articles - really appreciate your work.

I created a couple of Blazor apps with the template to test out SSO. I notice that a .AspNetCore.Cookies cookie is still added to the users browser when the second app signs on.
I think there's a hole in my understanding here because I thought only a __Host-X-XSRF-TOKEN cookie was meant to be written to the user's browser and that authn state is cached server-side?

Where this all leads to is trying to have a slick SSO experience (minimal redirects to B2C (even ones without prompts) for users between our apps (app1.mydomain.com, app2.mydomain.com, etc) and I've landed on sharing the .AspNetCore.Cookies cookie between apps with the aid of Data Protection. I think it's secure enough, but would be interested in other thoughts.

Thanks,
Grant.

See instructions here:

https://github.com/sayedihashimi/template-sample

services.Configure<MicrosoftIdentityOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>

instead of

services.Configure<OpenIdConnectOptions>

Hi,

First of all thanks for this fantastic resource!

I build a Blazor App using the template and can login/logout with my AD B2C tenant. When I open the App in a second tab, I am already signed in (as expected). If I now sign-out in either tab, and then click on the Direct-API link in the navbar on the other tab, I get an exception (in the Blazor Client) that looks like a malformed JSON object is being parsed.

This happens in Chrome and Safari on MacOS, but (curiously) not on Firefox, there I get redirected to sign in again (as expected).

I probably did something wrong, but I tried to stay as close to the template as possible. Anyway, I am totally baffled and stuck. Obviously I can give you access to my repository with the Blazor SPA. I can be reached by email on gmail or outlook by using firstname.lastname as name (to get the Client-Secret).

This is the exception I get:

crit: Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]
      Unhandled exception rendering component: '<' is an invalid start of a value. Path: $ | LineNumber: 1 | BytePositionInLine: 0.
System.Text.Json.JsonException: '<' is an invalid start of a value. Path: $ | LineNumber: 1 | BytePositionInLine: 0.
 ---> System.Text.Json.JsonReaderException: '<' is an invalid start of a value. LineNumber: 1 | BytePositionInLine: 0.
   at System.Text.Json.ThrowHelper.ThrowJsonReaderException(Utf8JsonReader& json, ExceptionResource resource, Byte nextByte, ReadOnlySpan`1 bytes)
   at System.Text.Json.Utf8JsonReader.ConsumeValue(Byte marker)
   at System.Text.Json.Utf8JsonReader.ReadFirstToken(Byte first)
   at System.Text.Json.Utf8JsonReader.ReadSingleSegment()
   at System.Text.Json.Utf8JsonReader.Read()
   at System.Text.Json.Serialization.JsonConverter`1[[System.String[], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   --- End of inner exception stack trace ---
   at System.Text.Json.ThrowHelper.ReThrowWithPath(ReadStack& state, JsonReaderException ex)
   at System.Text.Json.Serialization.JsonConverter`1[[System.String[], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].ReadCore(Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.JsonSerializer.ReadCore[String[]](JsonConverter jsonConverter, Utf8JsonReader& reader, JsonSerializerOptions options, ReadStack& state)
   at System.Text.Json.JsonSerializer.ReadCore[String[]](JsonReaderState& readerState, Boolean isFinalBlock, ReadOnlySpan`1 buffer, JsonSerializerOptions options, ReadStack& state, JsonConverter converterBase)
   at System.Text.Json.JsonSerializer.ContinueDeserialize[String[]](ReadBufferState& bufferState, JsonReaderState& jsonReaderState, ReadStack& readStack, JsonConverter converter, JsonSerializerOptions options)
   at System.Text.Json.JsonSerializer.<ReadAllAsync>d__65`1[[System.String[], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].MoveNext()
   at System.Net.Http.Json.HttpContentJsonExtensions.<ReadFromJsonAsyncCore>d__4`1[[System.String[], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].MoveNext()
   at System.Net.Http.Json.HttpClientJsonExtensions.<GetFromJsonAsyncCore>d__13`1[[System.String[], System.Private.CoreLib, Version=6.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e]].MoveNext()
   at BlazorWasmAadB2cBffTest.Client.Pages.DirectApi.OnInitializedAsync()
   at Microsoft.AspNetCore.Components.ComponentBase.RunInitAndSetParametersAsync()
   at Microsoft.AspNetCore.Components.RenderTree.Renderer.GetErrorHandledTask(Task taskToHandle, ComponentState owningComponentState)

Hi Damien,

I've been looking at the AD B2C BFF Blazor template, it looks good, thx for great work.

I did wonder since include global anti forgery setting in Startup, why did you put [ValidateAntiForgeryToken] on DirectApiController or is this just a left over?

Thx...Bob Baldwin
aka VSDotNetGuy!