Blazor WASM (WebAssembly / client-side) Windows authentication

[Stirda]

I am tired of trying to get windows authentication working in ABP Blazor. CORS Access-Control-Allow-Origin missing, ClaimsPrincipal null, NullReferenceException caused by missing loginUrl, Windows provider login button on Login page not working, api-definition endpoint wanting anonymous request ...

I didn't expect adding automatic Windows authentication being so hard. Even manual auth doesn't work.

One day I succeeding in getting windows account name by implementing a middleware, but I am unable today to get this working again. But, even there, I don't know how to keep going ABP auto-registration workflow. New external login provider feature ? No luck. All value everywhere are null or false. Everytime. Whatever I do.

There are many issues posted in ABP GitHub about that. Many developers on the Web pill their hair off on this subject.

Why this functionality is so wanted by so many people (not just ABP, ASP.NET Core SPA world too) but all implementation options found on the Web don't work?

Please consider tackle this problem. I spent days on this subject. By reading all issues on this subject on ABP GitHub, I know I am not the only one waiting for months for a solution.

Edit: I remember now. When I succeeded in manual Windows authentication (simply IIS auth, not ABP one), it was by calling LoginAsync method from Swagger. So it was hacky and just the beginning of a possible solution.

[Stirda]

@hikalkan I just found that my quest is hopeless. Blazor WASM seems to not support Windows authentication. I know you have plan to give ABP a Blazor server support in ABP 4.2 next year.

So what do you advise me?

• Waiting ABP 4.2 then migrating all our apps from Blazor client-side to Blazor server-side?
• Crossing fingers for Microsoft adding Windows authentication support to Blazor WASM?
• Developing an alternative by finding a way to use JWT token authentication, Blazor WASM, and Windows auth together?

[hikalkan]

Hi,

Blazor server side work is planned to start in 4.2. However, we can't promise that it finishes in 4.2 (actually, this is an open source and free project - we can't even promise to start with 4.1 😄 but we planned so).

If you find an alternative way, it would be great. And please share to everyone if you can do it.

[Stirda]

@hikalkan Thank you for your reply.

[274188A]

@Stirda I also had this requirement for an internal (intranet) web app. I used WASM Abp and code to authenticate against Azure AD so the identity check is done by Azure, then passes back to local Identity Server for permissions etc.

There was a community article that I used/adapted for my purposes here

[Stirda]

I know this article but Windows authentication is more difficult then Azure AD one. It implies IIS internal auto-auth and Microsoft does not support it by WASM.

[Stirda]

I finally got this working 🥳 The "how" is here.

@hikalkan I was wrong saying:

I just found that my quest is hopeless. Blazor WASM seems to not support Windows authentication.

I understand know that I didn't need WASM to be able to respond to a Challenge("Windows"). Only backend has to. Which I finally did. So long having worked on ABP and realized just recently that frontend redirects to backend to negotiate with the browser. Work was not as simple as just a Windows challenge, because I had to include also ABP registration/logon workflow in my implementation.

Anyway, thank you for your support, @hikalkan , even if, at the end of the day, I don't need Blazor server-side compatibility for my project anymore (but still curious about).

[spiridonovav]

Dear @Stirda,
could you tell me more about your solution or give an example (link to the project)?

[spiridonovav]

To solve I had to follow these steps (minor details omitted):

1. Enable IWA
2. Create a descendant of AbpOpenIdDictControllerBase, in which create an action that requires IWA ([Authorize(AuthenticationSchemes = NegotiateDefaults.AuthenticationScheme)]) and performs user authentication
3. Override Volo.Abp.OpenIddict.Controllers.AuthorizeController.HandleAsync in which, after calling the base implementation, redirect to the action of controller 2
4. Add controller 2 action endpoint as another OpenIddict authorization endpoint (in addition to the Volo.Abp.OpenIddict.Controllers.AuthorizeController endpoints)

I would be grateful if my mistakes or possible improvements are pointed out to me.

[spiridonovav]

Be carefull - app.UseErrorPages() block IWA.