I am having trouble configuring a .Net 8 Blazor SSR Static application to work with Entra Id (AD B2C).
In Program.cs I have this:
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

My config looks like this:
    "AzureAdB2C": {
      "Instance": "https://[example].b2clogin.com",
      "Domain": "[example].onmicrosoft.com",
      "TenantId": "[my tenant id]",
      "ClientId": "[my client id]",
      "ClientCapabilities": [ "cp1" ],
      "SignUpSignInPolicyId": "B2C_1_signup-signin",
      //"ResponseType": "code" <== commented out
    }

On Azure, I register the application:
Platform: Web
Redirect URI: https://localhost:7021/signin-oidc
Access Tokens and Id Tokens both NOT selected.
With the above config, I get the following error when I navigate to the site:
    AADB2C90057: The provided application is not configured to allow the 'OAuth' Implicit flow.

If I select both Access and Id tokens I get the same error.
If I include "ResponseType": "code" in the config then I am presented with the login screen. I am able to login but I then get the following error:
    AADB2C90079: Clients must send a client_secret when redeeming a confidential grant.

This happens whether or not the Access and Id tokens are selected.
If I add a client secret in the portal and I also add it to the config, I get the following error:
    IDX21336: Both 'id_token' and 'access_token' should be present in OpenIdConnectProtocolValidationContext.ProtocolMessage received from Token Endpoint. Cannot process the message.

This happens whether or not the Access and Id tokens are selected.
The Entra Id Integration Assistant also reports:
If I disable Access Tokens then the second warning is satisfied.
Out of desperation I even tried setting the platform to SPA which simply brought another round of errors.
Researching this problem is challenging in part because .NET 8 Blazor SSR (Static) is relatively new and because Blazor comes in three flavors (WASM, Server, and now static).
I am looking for some guidance here. I thought this would be easy compared to implementing Auth in a SPA but I was wrong. Hopefully I'm overlooking the obvious. I want the "right" configuration that not only works but is the most secure possible.
Update
I finally got this working (I think). Here are the settings that work:
    builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
        .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

    // I resolved another error by adding this:
    builder.Services.AddScoped<AuthenticationStateProvider, ServerAuthenticationStateProvider>();
Config:
    "AzureAdB2C": {
      "Instance": "https://[example].b2clogin.com",
      "Domain": "[example].onmicrosoft.com",
      "TenantId": "[my tenant id]",
      "ClientId": "[my client id]",
      "ClientSecret": "[some client secret value]",
      "ClientCapabilities": [ "cp1" ],
      "SignUpSignInPolicyId": "B2C_1_signup-signin",
      "ResponseType": "code",
      "UsePkce": true,
      "Scope": [ "openid", "{clientId}" ]
    }

The above configuration worked but required a client secret, which the Integration Assistant didn't like. The need for the client secret suggested that PKCE wasn't working or supported. Armed with that, I deleted the client secret, removed ClientSecret from the config, and deleted the Web Platform configuration. I added a SPA Platform configuration and it worked (after a few minutes), and with the client secret removed, the Integration Assistant is happy.
So it seems that PKCE is supported for SPA but not Web. Of course, Blazor Server SSR is a Web app not a SPA but this was the only way I could get it to work.
Also note that both Access Tokens and Id Tokens are not selected in the final setup.
Although I got this working, I am leaving this question open and not providing my solution as an answer because it would be really useful if some experts chimed in. It's working but I'm not sure it's "right".
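As an added example (not part of the question above and not Microsoft's own sample), here is a complete Program.cs that wires the settings from the update into a .NET 8 Blazor Web App with static SSR. It keeps the two calls the question uses and additionally pins the protocol choices in code so they cannot drift with configuration edits: authorization-code response type (no tokens returned through the browser redirect) with PKCE enabled, and the authentication and authorization middleware placed before the antiforgery middleware. The `App` root component, the project namespace, the `AzureAdB2C` section name and the package references (Microsoft.Identity.Web, Microsoft.AspNetCore.Components.Authorization) are assumptions; whether the registration also needs a client secret is decided by the app registration's platform type, as the update describes.

```csharp
// Added example: Program.cs for a .NET 8 Blazor Web App (static SSR) signing in
// through Azure AD B2C with Microsoft.Identity.Web. Assumes the "AzureAdB2C"
// configuration section from the question and the template's App root component.
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;
using Microsoft.Identity.Web;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using MyBlazorApp.Components; // assumed project namespace; contains App.razor

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRazorComponents();

// Cookie sign-in driven by an OpenID Connect challenge against B2C; all tenant,
// policy and client settings come from the "AzureAdB2C" section.
builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

// Pin the protocol choices in code rather than relying on configuration alone:
// authorization-code flow keeps id_token/access_token out of the front channel,
// and PKCE binds the code to this client's redemption request.
builder.Services.Configure<OpenIdConnectOptions>(
    OpenIdConnectDefaults.AuthenticationScheme, options =>
    {
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;
        // Tokens are not needed server-side for plain sign-in, so keep them out
        // of the authentication cookie.
        options.SaveTokens = false;
    });

builder.Services.AddAuthorization();

// Makes the AuthenticationState available to components via cascading parameter.
builder.Services.AddCascadingAuthenticationState();

// Registration the question reports was needed for static SSR to resolve the
// AuthenticationStateProvider.
builder.Services.AddScoped<AuthenticationStateProvider, ServerAuthenticationStateProvider>();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error", createScopeForErrors: true);
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

// Authentication and authorization must run before antiforgery so that form
// posts in static SSR are validated against the signed-in user's identity.
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery();

app.MapRazorComponents<App>();

app.Run();
```

With this wiring, the `ResponseType`, `UsePkce` and `Scope` entries in the JSON section remain valid and are applied by `AddMicrosoftIdentityWebApp`; the `Configure<OpenIdConnectOptions>` call simply guarantees the same code-plus-PKCE outcome even if someone later removes those keys from configuration.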