Cannot use Bearer Token in new asp.net core identity API

[SandroRiz]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

Following the sample published here:
https://github.com/dotnet/blazor-samples/tree/main/8.0/BlazorWebAssemblyStandaloneWithIdentity

And the documentation published here:
https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity?view=aspnetcore-8.0

I tried to setup the backend and the front end to use Bearer Token instead cookie but the WASM client doesn't login (but the Register endpoint works)

cc: @guardrex #31194

Expected Behavior

Change the Sample and /or the Documentation indicating

• if the new asp.net core Identity API are suitable to be used eg. from a mobile client (that cannot use cookies)
• the risk of using bearer token
• if a WASM standalone client could use the token or only the cookies

Steps To Reproduce

Change line 9 of backend program.cs adding .AddBearerToken() instead to .AddIdentityCookies()
Change line 123 of frontend CookieAuthenticationStateProvider.cs putting false instead true

Exceptions (if any)

No response

.NET Version

8.0.0

Anything else?

I was able to call from Postman the new API with bearer token NOT including the

.AddAuthentication() but only the .AddAuthorization()

basically I copied what you obtain from the new Blazor 8 web app template when you choose to include identity... see attach

Program.zip

[guardrex]

Thanks @SandroRiz.

I can repro the failure following our guidance at ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity?view=aspnetcore-8.0#token-authentication

I see ...

System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action configureOptions).

If I try to set the default authentication and challenge schemes with AuthenticationOptions, the error is still thrown.

[SandroRiz]

I had another exception using AddBearerToken calling the Login endpoint

System.InvalidOperationException: No sign-in authentication handler is registered for the scheme 'Identity.Bearer'. The registered sign-in schemes are: BearerToken. Did you forget to call AddAuthentication().AddCookie("Identity.Bearer",...)?
at Microsoft.AspNetCore.Authentication.AuthenticationService.SignInAsync(HttpContext context, String scheme, ClaimsPrincipal principal, AuthenticationProperties properties)

[guardrex]

I fixed that (I think) by changing to bearer (IdentityConstants.BearerScheme). For that and the challenge scheme error, I ended up with the non-working code ...

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = IdentityConstants.BearerScheme;
    options.DefaultChallengeScheme = IdentityConstants.BearerScheme;
}).AddBearerToken();

[guardrex]

BTW @SandroRiz ... Oh, nevermind. That's a different section. We have that covered per the Logout component, LogoutAsync method, and app.MapPost("/Logout" ...); of the backend. We're good on that point.

PU: Ignore this comment. I had to go look at the sample app to see how the logout was implemented. We're good on that point.

[halter73]

We recommend using cookies for browser-based scenarios, because it's usually easier. Cookies are effectively a bearer token the browser automatically manages for you.

If you do want to use bearer tokens instead of cookies (which we recommended more for native and mobile scenarios), you should change _httpClient.PostAsJsonAsync("login?useCookies=true", ...) to just _httpClient.PostAsJsonAsync("login, ...) without the query string here:

https://github.com/dotnet/blazor-samples/blob/0ecc2bc297549b620c74efeb0b42b6ad638982c7/8.0/BlazorWebAssemblyStandaloneWithIdentity/BlazorWasmAuth/Identity/CookieAuthenticationStateProvider.cs#L123

And naturally, since the login response no longer sets a cookie automatically, you then need to parse the AccessTokenResponse on the client and manage the access and refresh tokens yourself.

[guardrex]

Thanks @halter73 ... Between your remarks and Jeremy's remarks earlier, I'll be able to update the token guidance in the Blazor article. I'll ping both of you on the PR when it goes up.

[guardrex]

My current understanding is that we aren't going to carry all of the code to implement this scenario per ...

you then need to parse the AccessTokenResponse on the client and manage the access and refresh tokens yourself.

We've left language in the doc to that effect at ...

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-identity?view=aspnetcore-8.0#token-authentication

@halter73 ... You can re-open this if you (and/or Jeremy) plan to provide additional guidance on this.