I am testing Duende Identity Server (v6) with a Blazor WASM (hosted) project, along with the BackEnd For FrontEnd (BFF) Duende also provides.
With HTTPS everything works well.
With HTTP I find several issues. Some are due to browser policies on cookie SameSite (I think), but I cannot get them working, even in Firefox which, afaik, does not enforce the same restriction of requiring HTTPS that Chromium does when using other sites'/domains' cookies with the SameSite policy set to None.
In any case, I am looking for a way to have the flow interaction between my SPA (Blazor WASM hosted) with my Auth Server (Identity Server) running in http for testing purposes, as I would like to dockerize the applications and development certificates are not meant to be used for cross container communication.
Long story short: I have created this GitLab repository, at a specific commit in time, with a solution with 4 basic projects:
Sample.Auth: the .NET 7 AspNetCore + Duende Identity Server
Sample.Server: the .NET 7 AspNetCore which serves a Blazor WASM in the root path + Duende BFF
Sample.Client: the .NET 7 Blazor WASM
Sample.Shared: the .NET 7 class library shared between Blazor client and server, not really needed.
Everything is very standard, but I've just added some parameters in appsettings.Development.json and launchSettings.json to configure and behave differently depending on whether I want to run both projects with HTTP or with HTTPS.
The question is: Is there any good configuration that allows me to run both Identity Server and Blazor WASM (or any SPA, I guess) properly, have the user redirected to the Identity Server UI to enter credentials (e.g. bob/bob or alice/alice) and be redirected back with the secure BFF (i.e. authorization_code grant + PKCE) so that the client app can retrieve it using HTTP?
As you can see in my code, in addition to
options.RequireHttpsMetadata = false;
I've played with setting cookie options in Blazor WASM:
options.Cookie.SameSite = SameSiteMode.Lax;
options.Cookie.SecurePolicy = CookieSecurePolicy.SameAsRequest;
because I've read that in other, older questions. But I can't get it working in Firefox or Chrome, and I'm not sure it's even possible with the latest browsers available. Probably HTTPS is a must, even for local development, when dealing with cookie-related auth. Is it?
More info and instructions on how to reproduce and test it are in the README.md in the shared repo.
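As an added example (not code from the asker's repository), here is a Program.cs for a Sample.Server-style host that keeps the two HTTP-only relaxations from the question (RequireHttpsMetadata = false and SecurePolicy = SameAsRequest) scoped to the Development environment, so a Production build always requires an HTTPS discovery document and Secure, Strict cookies. The scheme names, the Oidc:* configuration keys, the client id and the cookie names are assumptions; whether the browser accepts the resulting cookies over plain HTTP is exactly what the question asks and is not settled by this code.

```csharp
// Added example, not the asker's code. Scheme names, configuration keys and cookie names
// are placeholders. The point is that every HTTP-only relaxation is gated on IsDevelopment(),
// so a Production build cannot accidentally ship with them.
using Duende.Bff;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
var isDev = builder.Environment.IsDevelopment();

builder.Services.AddControllers();
builder.Services.AddBff();

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = "oidc";
    options.DefaultSignOutScheme = "oidc";
})
.AddCookie(options =>
{
    // The __Host- prefix forces Secure + Path=/ + no Domain, so browsers only accept it
    // over HTTPS; use a plain name when deliberately running over HTTP in Development.
    options.Cookie.Name = isDev ? "bff" : "__Host-bff";
    options.Cookie.HttpOnly = true;
    // Production: Secure and Strict. Development over plain HTTP: a Secure cookie would
    // never be sent back, so fall back to the SameAsRequest/Lax pair tried in the question.
    options.Cookie.SecurePolicy = isDev ? CookieSecurePolicy.SameAsRequest : CookieSecurePolicy.Always;
    options.Cookie.SameSite = isDev ? SameSiteMode.Lax : SameSiteMode.Strict;
})
.AddOpenIdConnect("oidc", options =>
{
    // Placeholder keys: e.g. "Oidc:Authority": "http://sample.auth:5000" in appsettings.Development.json
    options.Authority = builder.Configuration["Oidc:Authority"];
    options.ClientId = builder.Configuration["Oidc:ClientId"];
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];

    options.ResponseType = "code";   // authorization_code grant
    options.ResponseMode = "query";
    options.UsePkce = true;          // PKCE, as required by the BFF pattern
    options.SaveTokens = true;
    options.GetClaimsFromUserInfoEndpoint = true;
    options.MapInboundClaims = false;

    options.Scope.Clear();
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.Scope.Add("offline_access");

    // Only accept a non-HTTPS discovery document while developing.
    options.RequireHttpsMetadata = !isDev;

    options.TokenValidationParameters.NameClaimType = "name";
    options.TokenValidationParameters.RoleClaimType = "role";
});

builder.Services.AddAuthorization();

var app = builder.Build();

if (!isDev)
{
    app.UseHsts();              // only meaningful when the site is served over HTTPS
    app.UseHttpsRedirection();
}

app.UseBlazorFrameworkFiles();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();
app.UseBff();                   // must sit between UseAuthentication and UseAuthorization
app.UseAuthorization();

app.MapBffManagementEndpoints(); // /bff/login, /bff/logout, /bff/user, ...
app.MapControllers().RequireAuthorization().AsBffApiEndpoint();
app.MapFallbackToFile("index.html");

app.Run();
```

Run with ASPNETCORE_ENVIRONMENT=Development to get the relaxed settings; any other environment name yields the hardened ones, which is a cheap way to confirm that the HTTP shortcuts never survive into a Production container image.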