I have a Blazor Server app with AAD login. I want to restrict access only to specific users (based on user roles).
Program.cs

builder.Services
    .AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection(AppConsts.Config.AzureAdSectionKey));

// Fallback policy: every endpoint without explicit authorization metadata requires an authenticated user.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services
    .AddControllersWithViews()
    .AddMicrosoftIdentityUI();
builder.Services.AddRazorPages();

app.UseAuthentication();
app.UseAuthorization();

//app.MapRazorPages(); when commented I get endless redirection to MicrosoftIdentity/Account/AccessDenied?ReturnUrl=%2FMicrosoftIdentity%2FAccount%2FAccessDenied%3FReturnUrl%
app.MapControllers();
app.MapRazorComponents<App>()
    .AddInteractiveServerRenderMode()
    .RequireAuthorization();
I restrict access to my app using a ClaimsTransformation so that it cannot be overridden in an AuthorizationPolicy:
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformation : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (!IsUserAllowed(principal))
        {
            // Identity created without an authentication type: IsAuthenticated is false,
            // so the fallback policy (RequireAuthenticatedUser) rejects it.
            var emptyClaimIdentity = new ClaimsIdentity();
            emptyClaimIdentity.AddClaim(new Claim(ClaimTypes.Name, principal.Identity?.Name ?? "anonym"));
            return Task.FromResult(new ClaimsPrincipal(emptyClaimIdentity));
        }
        return Task.FromResult(principal);
    }

    // IsUserAllowed(ClaimsPrincipal) is defined elsewhere (omitted from the post).
}
Now I'm getting endless redirects to MicrosoftIdentity/Account/AccessDenied. However, when I add Razor Pages, I get a proper "Access denied" page response.
- Why is the AccessDenied page being redirected at all?
- Is the MicrosoftIdentityUI package dependent on Razor Pages? I thought they switched to controllers.
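As an added example (not code from the original post, nor from Microsoft.Identity.Web), here is a fuller version of the allow-list claims transformation described in the question: it keeps only callers holding one of a configured set of AAD app roles and turns everyone else into an unauthenticated principal, so the FallbackPolicy denies them regardless of which page they request. The class name, the config key `AccessControl:AllowedRoles`, and the marker claim type `urn:example:access-stripped` are hypothetical; the role check relies on the role claim type that Microsoft.Identity.Web configures for AAD app roles.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;

// Added example, not the original post's code. Assumptions: ASP.NET Core with
// Microsoft.Identity.Web; allowed app roles are listed under the hypothetical
// appsettings key "AccessControl:AllowedRoles" (e.g. ["App.Admin", "App.User"]).
public sealed class RoleAllowListClaimsTransformation : IClaimsTransformation
{
    // Hypothetical claim type that marks a principal this class has already stripped.
    private const string StrippedMarker = "urn:example:access-stripped";
    private readonly HashSet<string> _allowedRoles;

    public RoleAllowListClaimsTransformation(IConfiguration configuration)
    {
        _allowedRoles = new HashSet<string>(
            configuration.GetSection("AccessControl:AllowedRoles").Get<string[]>() ?? Array.Empty<string>(),
            StringComparer.Ordinal);
    }

    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // TransformAsync can run more than once per request (on every AuthenticateAsync),
        // so it must be idempotent: a principal already stripped by this class is returned as-is.
        if (principal.HasClaim(c => c.Type == StrippedMarker))
            return Task.FromResult(principal);

        if (IsUserAllowed(principal))
            return Task.FromResult(principal);

        // ClaimsIdentity without an authentication type => IsAuthenticated == false, so the
        // RequireAuthenticatedUser fallback policy fails. Only the display name survives for
        // logging; roles, oid, tid and every other AAD claim are dropped.
        var stripped = new ClaimsIdentity();
        stripped.AddClaim(new Claim(ClaimTypes.Name, principal.Identity?.Name ?? "anonymous"));
        stripped.AddClaim(new Claim(StrippedMarker, "true"));
        return Task.FromResult(new ClaimsPrincipal(stripped));
    }

    public bool IsUserAllowed(ClaimsPrincipal principal)
    {
        if (principal.Identity?.IsAuthenticated != true)
            return false;

        // IsInRole honours the identity's RoleClaimType, which Microsoft.Identity.Web sets to
        // the AAD "roles" claim, so app roles assigned in the Enterprise Application match here.
        return _allowedRoles.Any(principal.IsInRole);
    }
}

// Registration in Program.cs (one instance is enough; the class holds no per-request state):
// builder.Services.AddSingleton<IClaimsTransformation, RoleAllowListClaimsTransformation>();
```

A practitioner's check after wiring this up: sign in with an account that has none of the allowed roles and confirm that every route, including ones with no explicit `[Authorize]`, is denied; then assign a listed role in the Enterprise Application, sign out and back in (the roles claim is only refreshed on a new token), and confirm access is granted.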
