5

I have written a Blazor WASM app based on the latest Microsoft template. In development mode it all works great, but after publishing it to Azure App Service I randomly get a 401 unauthorised when calling the API. Looking at the returned headers, I get:

    WWW-Authenticate: Bearer error="invalid_token", error_description="The issuer 'https://*domain*.azurewebsites.net' is invalid"

This is when the client is using the https://domain.azurewebsites.net client. So it matches the web API.

I also have a custom domain attached to the app service, which means there are also https://www.domain.co.uk and https://domain.co.uk; both are SSL'd.

I have checked the JWT token and it contains the correct URL for the version of the website I am calling.

Sometimes everything works, but 60% of the time it allows the user to log in and then fails on the API calls. I can't seem to track it to 1 domain name or pattern like expired logins. If you log out and then log back in, it doesn't clear the issue.

The Configure method looks like this:

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            app.UseDeveloperExceptionPage();
            app.UseDatabaseErrorPage();
            app.UseWebAssemblyDebugging();
        }
        else
        {
            app.UseExceptionHandler("/Error");
        }

        app.UseHttpsRedirection();
        app.UseBlazorFrameworkFiles();
        app.UseStaticFiles();

        app.UseRouting();

        app.UseIdentityServer();
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints =>
        {
            endpoints.MapRazorPages();
            endpoints.MapControllers();
            endpoints.MapFallbackToFile("index.html");
        });
    }

Any help or hints in the right direction are appreciated.

Cheers

Dave

DJIDave
  • Did you figure this out, Dave? I have the same issue with IS4 running in Azure Web App for Containers (Linux) – J King Nov 12 '20 at 18:03
  • Hi J King, nope, never got to the bottom of this. I ended up creating a Web App per URL and minimising to 1 URL per Web App. This worked but is not a great solution – DJIDave Nov 17 '20 at 16:24

1 Answer

0

In my case it was caused by the Linux environment of App Service. The documentation now has a clear note on that: For Azure App Service deployments on Linux, specify the issuer explicitly in Startup.ConfigureServices.

This is how I set it:

    services.Configure<JwtBearerOptions>(
      IdentityServerJwtConstants.IdentityServerJwtBearerScheme,
      options =>
      {
        options.Authority = "https://my-site.azurewebsites.net";
    #if DEBUG
        options.Authority = "https://localhost:5001";
    #endif
      });

Anthony
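
A triage helper for the "issuer is invalid" 401 discussed above, as an added example (not code from the question, the answer or the Microsoft template): it reads the `iss` claim from a token without verifying it and compares it with the issuer the API is configured to accept and with the app's other host names. The class and method names are hypothetical, the token is constructed sample data, and exact case-sensitive issuer matching is an assumption about the validator.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;

static class IssuerTriage // hypothetical helper, not part of the Blazor template
{
    // Returns the "iss" claim of a compact JWT, or null if absent.
    // The signature is NOT verified: diagnostics only, never an authorization decision.
    public static string ReadIssuer(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        // base64url -> base64, restoring the padding that JWTs strip
        var b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        var json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        using var doc = JsonDocument.Parse(json);
        return doc.RootElement.TryGetProperty("iss", out var iss)
               && iss.ValueKind == JsonValueKind.String ? iss.GetString() : null;
    }

    // Assumption: the validator compares issuers as exact, case-sensitive strings.
    public static string Diagnose(string tokenIssuer, string configured, string[] appHosts)
    {
        if (tokenIssuer == null) return "no iss claim";
        if (tokenIssuer == configured) return "match";
        if (string.Equals(tokenIssuer.TrimEnd('/'), configured.TrimEnd('/'),
                          StringComparison.OrdinalIgnoreCase))
            return "same host, differs by case or trailing slash";
        return appHosts.Contains(tokenIssuer, StringComparer.OrdinalIgnoreCase)
            ? "issued under another host name of this app"
            : "issuer not recognised";
    }

    static string B64Url(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static void Main()
    {
        // Host names from the question; the token below is constructed sample data.
        var hosts = new[] { "https://domain.azurewebsites.net", "https://www.domain.co.uk", "https://domain.co.uk" };
        var token = B64Url("{\"alg\":\"RS256\",\"typ\":\"JWT\"}") + "."
                  + B64Url("{\"iss\":\"https://www.domain.co.uk\",\"sub\":\"constructed\"}") + ".constructed-sig";
        var iss = ReadIssuer(token);
        Console.WriteLine($"{iss}: {Diagnose(iss, "https://domain.azurewebsites.net", hosts)}");
    }
}
```

Running it against the bearer token from a failing request shows which host name the token was issued under, which is the value to compare with the `Authority` set in `ConfigureServices`.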