I have a .NET Core Project that hosts a WebAPI and a Server-Side Blazor Application. The application uses the default authentication and authorization via an IdentityDbContext and uses the default AuthenticationStateProvider for Blazor. As I want this app to potentially move to Client-Side Blazor at some point in the future, I have been keeping the Server-Side logic in the API and calling it through HttpClient which I have manually injected in Startup using services.AddScoped<HttpClient>();
The issue I am having is that the User Claims (i.e. HttpContext.User) are empty in the API Controllers when making calls to the API. When I say empty, the HttpContext.User object is not null, but all the values are at their defaults. The expected behaviour is that the Claims would be populated with the Identity information for the logged-in user.
Strangely, the identity cookie .AspNetCore.Identity.Application is present in the browser, and the values in the AuthenticationStateProvider service are all as expected for the logged-in user. To me, this indicates that everything is configured correctly in terms of Authentication and Identity and that the issue is somehow related to HttpClient or the Api Controllers.
I have tried:
- Setting
HttpOnlyto false on the cookie configuration and retrieving the cookie manually via JSInterop to attach theHttpClientheaders. This failed due to API calls beginning before JSInterop had finished grabbing the cookies. - Manually injecting
HttpClientinto myApiServiceviaservices.AddHttpClient<IApiService, ApiService>(); - Copying the Startup configuration from a working project and overwriting my one
- Changing the order of the configured services in various different ways
- Several different cookie configurations
- Creating and using a custom
AuthenticationStateProvider - Following several different guides from the official Microsoft Documentation
- Reviewing countless articles and Stackoverflow questions on similar issues and trying out their suggestions
I also tried manually adding the authentication cookie to the HttpClient via the following:
services.AddSingleton<IHttpContextAccessor, HttpContextAccessor>();
services.AddScoped<HttpClient>(s =>
{
var httpContextAccessor = s.GetRequiredService<IHttpContextAccessor>();
string authToken = httpContextAccessor.HttpContext.Request.Cookies[".AspNetCore.Identity.Application"];
var client = new HttpClient(new HttpClientHandler
{
UseCookies = false
});
if (authToken != null)
{
client.DefaultRequestHeaders.Add("Cookie", $".AspNetCore.Identity.Application={authToken}");
}
var request = httpContextAccessor.HttpContext.Request;
client.BaseAddress = new Uri($"{request.Scheme}://{request.Host}/");
return client;
});
This solution failed as httpContextAccessor returned null when the delegate was invoked. I understand that there is no HttpContext with a SignalR connection, however, I would still expect an HttpContext when either the app is first loaded, the page is refreshed, or an API call is made. I also tried a null check version of this where it would only proceed if HttpContext was non-null, but that also failed as HttpContext was never non-null.
I was able to solve this by passing the authentication token directly to the Blazor app and then adding it to
HttpClientthat way.While my app is hosted in an MVC view, I understand that the most common way to host a Blazor app is through a Razor Page. For anyone else experiencing this issue, the Razor Page modification would be as follows.
_Host.cshtml
The MVC solution involves getting the token at the controller level and passing it down. The code for that is as follows.
HomeController.cs
Index.cshtml
And finally, regardless of which method was used above, the Blazor app would be modified to add the token to the
HttpClientas follows.App.razor