Remove the principal caching logic from HostAuthenticationStateProvider and enforce antiforgery for all requests

OpenIddict.Samples.slnx

@@ -31,7 +31,6 @@
   <Folder Name="/samples/Balosar/">
     <Project Path="samples/Balosar/Balosar.Client/Balosar.Client.csproj" />
     <Project Path="samples/Balosar/Balosar.Server/Balosar.Server.csproj" />
-    <Project Path="samples/Balosar/Balosar.Shared/Balosar.Shared.csproj" />
   </Folder>
 
   <Folder Name="/samples/Contruum/">
@@ -43,7 +42,6 @@
     <Project Path="samples/Dantooine/Dantooine.Server/Dantooine.Server.csproj" />
     <Project Path="samples/Dantooine/Dantooine.WebAssembly.Client/Dantooine.WebAssembly.Client.csproj" />
     <Project Path="samples/Dantooine/Dantooine.WebAssembly.Server/Dantooine.WebAssembly.Server.csproj" />
-    <Project Path="samples/Dantooine/Dantooine.WebAssembly.Shared/Dantooine.WebAssembly.Shared.csproj" />
   </Folder>
 
   <Folder Name="/samples/Fornax/">

samples/Balosar/Balosar.Client/Balosar.Client.csproj

@@ -5,10 +5,6 @@
     <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile> 
   </PropertyGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\Balosar.Shared\Balosar.Shared.csproj" />
-  </ItemGroup>
-
   <ItemGroup>
     <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" />
     <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" />

samples/Balosar/Balosar.Client/Pages/FetchData.razor

@@ -1,7 +1,6 @@
 @page "/fetchdata"
 @using Microsoft.AspNetCore.Authorization
 @using Microsoft.AspNetCore.Components.WebAssembly.Authentication
-@using Balosar.Shared
 @attribute [Authorize]
 @inject HttpClient Http
 
@@ -53,4 +52,14 @@ else
         }
     }
 
+    class WeatherForecast
+    {
+        public DateTime Date { get; set; }
+
+        public int TemperatureC { get; set; }
+
+        public required string Summary { get; set; }
+
+        public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+    }
 }

samples/Balosar/Balosar.Client/Program.cs

@@ -1,21 +1,15 @@
 using Balosar.Client;
 using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
 using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
+using Microsoft.Extensions.Options;
 
 var builder = WebAssemblyHostBuilder.CreateDefault(args);
 builder.RootComponents.Add<App>("#app");
 
-builder.Services.AddHttpClient("Balosar.ServerAPI")
+builder.Services.AddHttpClient(Options.DefaultName)
     .ConfigureHttpClient(client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
     .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
 
-// Supply HttpClient instances that include access tokens when making requests to the server project.
-builder.Services.AddScoped(provider =>
-{
-    var factory = provider.GetRequiredService<IHttpClientFactory>();
-    return factory.CreateClient("Balosar.ServerAPI");
-});
-
 builder.Services.AddOidcAuthentication(options =>
 {
     options.ProviderOptions.ClientId = "balosar-blazor-client";

samples/Balosar/Balosar.Server/Balosar.Server.csproj

@@ -7,7 +7,6 @@
 
   <ItemGroup>
     <ProjectReference Include="..\Balosar.Client\Balosar.Client.csproj" />
-    <ProjectReference Include="..\Balosar.Shared\Balosar.Shared.csproj" />
   </ItemGroup>
 
   <ItemGroup>

samples/Balosar/Balosar.Server/Controllers/AuthorizationController.cs

@@ -138,7 +138,7 @@ public async Task<IActionResult> Authorize()
                         .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                         .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                         .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                        .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                        .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
                 // Note: in this sample, the granted scopes match the requested scope
                 // but you may want to allow the user to uncheck specific scopes.
@@ -232,7 +232,7 @@ public async Task<IActionResult> Accept()
                 .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                 .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                 .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
         // Note: in this sample, the granted scopes match the requested scope
         // but you may want to allow the user to uncheck specific scopes.
@@ -332,7 +332,7 @@ public async Task<IActionResult> Exchange()
                     .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                     .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                     .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                    .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                    .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
             identity.SetDestinations(GetDestinations);
 

samples/Balosar/Balosar.Server/Controllers/WeatherForecastController.cs

@@ -1,4 +1,4 @@
-using Balosar.Shared;
+using Balosar.Server.Models;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using OpenIddict.Validation.AspNetCore;

samples/Balosar/Balosar.Shared/WeatherForecast.cs → samples/Balosar/Balosar.Server/Models/WeatherForecast.cs

@@ -1,4 +1,4 @@
-namespace Balosar.Shared;
+namespace Balosar.Server.Models;
 
 public class WeatherForecast
 {

samples/Dantooine/Dantooine.Api/Program.cs

@@ -46,7 +46,7 @@
 app.UseAuthentication();
 app.UseAuthorization();
 
-app.MapGet("api/DantooineApi", [Authorize] () => new string[] { "data1", "data2" });
+app.MapGet("api/downstream-api", () => new[] { "data1", "data2" }).RequireAuthorization();
 
 app.Run();
 

samples/Dantooine/Dantooine.Server/Controllers/AuthorizationController.cs

@@ -138,7 +138,7 @@ public async Task<IActionResult> Authorize()
                         .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                         .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                         .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                        .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                        .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
                 // Note: in this sample, the granted scopes match the requested scope
                 // but you may want to allow the user to uncheck specific scopes.
@@ -232,7 +232,7 @@ public async Task<IActionResult> Accept()
                 .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                 .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                 .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
         // Note: in this sample, the granted scopes match the requested scope
         // but you may want to allow the user to uncheck specific scopes.
@@ -332,7 +332,7 @@ public async Task<IActionResult> Exchange()
                     .SetClaim(Claims.Email, await _userManager.GetEmailAsync(user))
                     .SetClaim(Claims.Name, await _userManager.GetUserNameAsync(user))
                     .SetClaim(Claims.PreferredUsername, await _userManager.GetUserNameAsync(user))
-                    .SetClaims(Claims.Role, [.. (await _userManager.GetRolesAsync(user))]);
+                    .SetClaims(Claims.Role, [.. await _userManager.GetRolesAsync(user)]);
 
             identity.SetDestinations(GetDestinations);
 

samples/Dantooine/Dantooine.Server/Program.cs

@@ -177,7 +177,7 @@ static async Task RegisterApplicationsAsync(IServiceProvider provider)
         // Blazor Hosted
         if (await manager.FindByClientIdAsync("blazorcodeflowpkceclient") is null)
         {
-            await manager.CreateAsync(new OpenIddictApplicationDescriptor
+            var descriptor = new OpenIddictApplicationDescriptor
             {
                 ClientId = "blazorcodeflowpkceclient",
                 ConsentType = ConsentTypes.Explicit,
@@ -217,14 +217,17 @@ await manager.CreateAsync(new OpenIddictApplicationDescriptor
                     Permissions.ResponseTypes.Code,
                     Permissions.Scopes.Email,
                     Permissions.Scopes.Profile,
-                    Permissions.Scopes.Roles,
-                    Permissions.Prefixes.Scope + "api1"
+                    Permissions.Scopes.Roles
                 },
                 Requirements =
                 {
                     Requirements.Features.ProofKeyForCodeExchange
                 }
-            });
+            };
+
+            descriptor.AddScopePermissions("api1");
+
+            await manager.CreateAsync(descriptor);
         }
     }
 

samples/Dantooine/Dantooine.WebAssembly.Client/Dantooine.WebAssembly.Client.csproj

@@ -12,8 +12,4 @@
     <PackageReference Include="Microsoft.Extensions.Http" />
   </ItemGroup>
 
-  <ItemGroup>
-    <ProjectReference Include="..\Dantooine.WebAssembly.Shared\Dantooine.WebAssembly.Shared.csproj" />
-  </ItemGroup>
-
 </Project>

samples/Dantooine/Dantooine.WebAssembly.Client/Pages/DownstreamApi.razor

@@ -0,0 +1,58 @@
+@page "/downstream-api"
+@using System.Net
+@inject HttpClient client
+@inject NavigationManager manager
+@inject AuthenticationStateProvider provider
+@inject IJSRuntime runtime
+
+<h1>Data retrieved from downstream API via YARP</h1>
+
+@if (data is null)
+{
+    <p><em>Loading...</em></p>
+}
+else
+{
+    <table class="table">
+        <thead>
+            <tr>
+                <th>Name</th>
+            </tr>
+        </thead>
+        <tbody>
+            @for (var index = 0; index < data.Length; index++)
+            {
+                <tr>
+                    <td>@data[index]</td>
+                </tr>
+            }
+        </tbody>
+    </table>
+}
+
+@code {
+    private string[] data = default!;
+
+    protected override async Task OnInitializedAsync()
+    {
+        var state = await provider.GetAuthenticationStateAsync();
+        if (state is not { User.Identity.IsAuthenticated: true })
+        {
+            manager.NavigateTo($"login?returnUrl=/{Uri.EscapeDataString(manager.ToBaseRelativePath(manager.Uri))}", true);
+            return;
+        }
+
+        client.DefaultRequestHeaders.Add("X-XSRF-TOKEN", await runtime.InvokeAsync<string>("getAntiForgeryToken"));
+
+        try
+        {
+            data = (await client.GetFromJsonAsync<string[]>("api/downstream-api"))!;
+        }
+
+        catch (HttpRequestException exception) when (exception.StatusCode is HttpStatusCode.Unauthorized)
+        {
+            manager.NavigateTo($"login?returnUrl=/{Uri.EscapeDataString(manager.ToBaseRelativePath(manager.Uri))}", true);
+            return;
+        }
+    }
+}