How to use Okta to authenticate Blazor WASM Asp.NET hosted app?

We have a sample on how to authenticate a Blazor Server app (Authentication and Authorization with Okta in .NET 6 Blazor Server - YouTube) and a Blazor WASM PWA app (How to Build Securely with Blazor WebAssembly (WASM) | Okta Developer).

Does anyone have a sample or know how to use Okta to secure a Blazor WASM ASP.NET Core hosted app?
This template produces 3 projects (Client/Server/Shared).


Thanks very much!
John

I managed to get the client authentication working by following this link How To Add Okta Authentication to Blazor WASM - YouTube, but the [Authorize] does not work.
For .NET 6, you need to add the Microsoft.IdentityModel.Tokens NuGet package to the server project to get it working.
I checked that the token is stored in sessionStorage:
oidc.user:{{your_okta_domain}}/oauth2/default:0oajhf0akzw1YfG1w0h7 contains
access_token: ""
expires_at: 1658723964
id_token: ""
profile: {sub: "00u17vftfpmmUi3lr0h8", name: "", ver: 1,…}
scope: "openid profile"
token_type: "Bearer"

I also verified that the bearer token is attached to the Blazor client HTTP request due to these lines in Program.cs (Client project):

// Named client whose requests to the server project get the access token attached
builder.Services.AddHttpClient("ServerAPI", client => client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress))
    .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();

// Supply HttpClient instances that include access tokens when making requests to the server project
builder.Services.AddScoped(sp => sp.GetRequiredService<IHttpClientFactory>().CreateClient("ServerAPI"));

But in the server project, if you put [Authorize] on the controller, you get 401 Unauthorized. I checked that the User context is not constructed in the server project, but the bearer token is passed … I followed this link Secure Your .NET 6 Web API | Okta Developer, and I was able to validate the token.

I still need to find a solution for the following:

  1. How to make the server project [Authorize] work
  2. How to make my role, which is a group membership, appear in the token as a claim

Thank you for your attention!

I was able to create a groups claim in the authorization server, and now the groups claim is included in the access token and id_token. But this custom claim is not populated in the signed-in user's claims. I am trying to find a way to intercept the sign-in event to populate that information - no luck yet.
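An added example (not code from the thread or the linked repository) of the two pieces that usually resolve items 1 and 2 above: the server's JWT bearer registration, which is what builds the User principal so [Authorize] stops returning 401, and a client-side claims principal factory that splits the groups array into one claim per group. The Okta domain placeholder, the api://default audience and the claim name "groups" are assumptions; the two files are shown in one block.

```csharp
// ---- Server/Program.cs (.NET 6 minimal hosting) ----
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // The discovery document under Authority supplies the issuer and signing keys (JWKS).
        options.Authority = "https://{yourOktaDomain}/oauth2/default"; // placeholder
        options.Audience = "api://default";                             // assumed audience
        options.TokenValidationParameters = new TokenValidationParameters
        {
            RoleClaimType = "groups", // the custom Okta groups claim drives [Authorize(Roles = ...)]
            NameClaimType = "name"
        };
    });
builder.Services.AddAuthorization();
builder.Services.AddControllersWithViews();
var app = builder.Build();
app.UseAuthentication(); // without this middleware User is never populated and [Authorize] yields 401
app.UseAuthorization();
app.MapControllers();
app.Run();

// ---- Client/GroupsClaimsPrincipalFactory.cs ----
// RemoteUserAccount surfaces the "groups" JSON array as a single claim holding the raw JSON
// text; split it into one claim per group so client-side role checks see each group.
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
public class GroupsClaimsPrincipalFactory : AccountClaimsPrincipalFactory<RemoteUserAccount>
{
    public GroupsClaimsPrincipalFactory(IAccessTokenProviderAccessor accessor) : base(accessor) { }
    public override async ValueTask<ClaimsPrincipal> CreateUserAsync(
        RemoteUserAccount account, RemoteAuthenticationUserOptions options)
    {
        var user = await base.CreateUserAsync(account, options);
        if (user.Identity is ClaimsIdentity identity
            && account.AdditionalProperties.TryGetValue("groups", out var raw)
            && raw is JsonElement groups && groups.ValueKind == JsonValueKind.Array)
        {
            var combined = identity.FindFirst("groups");
            if (combined != null) identity.RemoveClaim(combined);
            foreach (var g in groups.EnumerateArray())
                identity.AddClaim(new Claim("groups", g.GetString() ?? string.Empty));
        }
        return user;
    }
}
```

Register the factory in the client's Program.cs by chaining .AddAccountClaimsPrincipalFactory<GroupsClaimsPrincipalFactory>() onto the AddOidcAuthentication call; the server side needs no equivalent because the JWT handler already reads each element of the groups array as a separate claim.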

Found another interesting issue:
We have another API that supports the Okta token SSO. If I use the following process to get a token it works fine, but the access token I got from the Blazor client sign-in will not work for that API - does anyone know why?
The steps to get an access token that works:

  1. Get an ssoSessionToken by passing username and password to the authn endpoint
  2. Use this ssoSessionToken to get an id token from /oauth2/v1/authorize

What is the difference between the token acquired this way and the token from the Okta-hosted widget?

Got it all working … GitHub - pursca/BlazorWasmHosted-Okta: Sample code to use Okta as identity server to authenticate Blazor WebAsembly Asp.net core hosted app and secure the server API
