Skip to content

Cannot lock down API when emulating auth locally - Blazor stack #390

Description

@egeyer

Are you accessing the CLI from the default port :4280 ?

  • No, I am using a different port number (--port) and accessing the CLI from that port
  • Yes, I am accessing the CLI from port :4280

Describe the bug

I cannot get API authentication working when running locally. It's possible I'm missing something in my setup, but I've read and searched documentation and haven't hit upon a solution. I'm running blazor wasm client side with a C# function api. Running the emulator and I can login and see the proper roles listed when I go to .auth/me. Client side authentication using Microsoft.Azure.Function.Authentication.WebAssembly package works fine. Pages properly authenticate using the Authorize attribute and views seem to properly respond to the authenticated state. The problem comes when trying to lock down the API.

My first attempt was to put the AllowedRoles in a route.

{
   "route": "/api/*",
   "methods": ["GET"],
   "allowedRoles": ["registereduser"]
},
{
   "route": "/api/*",
   "methods": ["PUT", "POST", "PATCH", "DELETE"],
   "allowedRoles": ["admin"]
}

This doesn't seem to do anything in the emulator. I can still see the calls being successfully made from the client side even when I'm not logged in.

I then moved on in my exploration and went to inspect what headers I'm getting in my api function. And I do not see any auth information. I made a test function to simply spit out all the headers and the x-ms-client-principal header is not present even when I make the call from an authenticated state.

Note that this all works perfectly fine when I'm actually running on Azure in a real static web app.

What am I missing? I really love the concept of being able to develop all of this locally, but trying to set this up has been kind of frustrating.

To Reproduce
Steps to reproduce the behavior:

  1. I created a blazor (.net 6) swa from the github template found at staticwebdev/blazor-starter
  2. I modified it for authentication as seen in this tutorial: https://docs.microsoft.com/en-us/shows/azure-tips-and-tricks-static-web-apps/how-to-secure-your-c-api-with-azure-static-web-apps-13-of-16--azure-tips-and-tricks-static-web-apps
  3. I run the swa cli using the following command:
    swa start http://localhost:5000 --run "dotnet run --project Client/Client.csproj" --api-location Api
  4. using a login button that simulates aad login, I can see the emulator's auth page and I enter a test username and the roles
  5. I can see those roles represented in the .auth/me page
  6. No auth information is attached when I call the api. The api is being called using the following syntax (Standard from the template):
    await Http.GetFromJsonAsync<WeatherForecast[]>("/api/WeatherForecast") ?? new WeatherForecast[]{};

Expected behavior
I would expect to be able to get/create the ClaimsPrincipal using the information found here: (https://docs.microsoft.com/en-us/azure/static-web-apps/user-information?tabs=csharp#api-functions)

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: [e.g. iOS] MacOS Monterey 12.2.1
  • Browser [e.g. chrome, safari]: Microsoft Edge
  • Version [e.g. 22]: Version 98.0.1108.56

Running SWA CLI version 0.8.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    os: unixIssues happened on a Unix-like environmentpriority: low (P2)Low priorityruntime: dotnetIssues related to the .NET runtime (API)scope: authIssues related to the authentication emulatorscope: mshaIssues happened a the ./src/msha levelscope: rules engineSpecific issues related to src/msha/routes-engine/**status: investigatingThe team is investigating the issuesstatus: regression bugThis is a regression bug. NOTE: regression bugs need to have more coverage tests.status: release-blockerIssues blocking a major releasetype: bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions