
.Net 8.0 Blazor: Authorize with policy on Page always redirecting to non-existent Identity Access Denied page


I'm having an issue with Policy authentication in my .Net 8 Blazor hybrid application using Microsoft Entra for authentication.

The Entra authentication is working and I have a page that verifies policies are working via an <AuthorizeView> and claims are set.

My layout page has this block which enforces the user be logged in or is sent to the Entra login flow:

    <AuthorizeView Policy="@PolicyConstants.MustBeAuthenticated">
        <Authorized>
            @Body
        </Authorized>
        <NotAuthorized>
            @{
                var returnUrl = NavigationManager.ToBaseRelativePath(NavigationManager.Uri);
                <RedirectToEntraSignInComponent ReturnUrl="@returnUrl" />
            }
        </NotAuthorized>
    </AuthorizeView>

In my auth model, I have two Roles: Admin and Client. I have policies defined for each one, and on my root page I have this nested AuthorizeView so I can forward the user based on their role. This is working to send them to the right page.

    <CascadingAuthenticationState>
        <AuthorizeView Policy="@PolicyConstants.IsAdmin" Context="AdminContext">
            <Authorized>
                <RedirectToAdminDashboardComponent />
            </Authorized>
            <NotAuthorized>
                <AuthorizeView Policy="@PolicyConstants.IsClient" Context="ClientContext">
                    <Authorized>
                        <RedirectToClientDashboardComponent />
                    </Authorized>
                    <NotAuthorized>
                        <RedirectTo403Component />
                    </NotAuthorized>
                </AuthorizeView>
            </NotAuthorized>
        </AuthorizeView>
    </CascadingAuthenticationState>

So, an admin ends up on their dashboard. But, I need to protect that page to ensure only an Admin can access it.

    [Authorize(Policy = PolicyConstants.IsAdmin)]
    public partial class AdminDashboardPage

When I do not have the authorize attribute in place, it works fine, but the page is open to anyone who is authenticated, regardless of their roles/policy status.

When I add the Authorize attribute to the page as above, the user is always forwarded to this URL, even when they meet the policy requirement to get to the page in the first place.

/MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2Fadmin

I want to avoid putting an authorize view on each page to enforce policy, and I don't want to have to have a layout page with the auth view for every policy either. I don't understand why the auth attribute is failing every time. I did try defining the policies in the client and server projects, but that did not fix the problem.

