
The default ASP.NET Core templates allow you to deploy Duende IdentityServer for individual accounts authentication. Specifically for Blazor WASM hosted solutions, the default templates will add IdentityServer to the server hosted project and the relevant libraries to WASM to redirect to the server app for authentication and identity management (2FA, password reset, etc.). One issue I'm facing is the fact that I cannot enable WASM prerender, and from what I understand BFF can be a solution to this issue, with enhanced security since the token will be maintained at the backend.

The question is whether IdentityServer and BFF can be hosted in the same project on the backend, or if I'll have to host them in 2 separate projects and hence two separate services.

I tried adding the BFF libraries to the same project, but it seems that the identity endpoints are overridden by those coming from IdentityServer.

1 Answer


You can always place the BFF, client, and APIs on the same box as IdentityServer, but in my experience that makes it complicated to debug and reason about, with all the involved handlers, functionality, cookies, and other concepts.

I always recommend placing IdentityServer in its own service, just because then you reduce complexity, you achieve separation of concerns, and it becomes much more trivial to debug and reason about.

Tore Nestenius
  • Thanks Tore! I managed to bundle both BFF and IdentityServer in the same project, though I do agree with you! In this specific case managing the hosting (additional ports, DNS entries, etc.) isn't worth the effort. – Michael Kanios Jun 05 '23 at 06:03
  • Hello, I'm trying to do the same thing. Login works fine and authorization of the cookies works as well; the problem is that the bff/user endpoint doesn't return the BFF logoutUrl claim and the BFF session state claim. Also the cookies made by the BFF are renamed to 'Identity.External' instead of my chosen name, which might be the root of the problem, but I don't know. Have you encountered the same issue, or do you have some tips on how to make this setup work, please? – vilem cech Jun 05 '23 at 20:44
  • I haven't played with the BFF yet, but if you have general claims problems, then I have a few related blog posts about that here: https://nestenius.se/ – Tore Nestenius Jun 06 '23 at 06:52
  • Hi vilem, yes I'm stuck on the same issue. I managed to get the redirects to work, but then realized. I'll keep you updated if I make any progress. – Michael Kanios Jun 06 '23 at 07:36
  • Hi again. What I found out is that the return URL is made of the session id, which is in one of the four cookies the identity server makes. The problem is that this return URL won't redirect you back to the BFF. It might be sufficient to hardcode the FE URL into the identity server and just do the redirect. I looked into the Duende docs to write a custom session management implementation to find out what's going on, but they are still working on this feature. So I dropped it and just created a separate identity server. It might work, but it feels hacky and I don't know what's going on with the session and if it isn't dangerous someho – vilem cech Jun 19 '23 at 13:11
  • I think you should always place IdentityServer in its own service, because then it's easier to reason about the system, and secure the system. – Tore Nestenius Jun 19 '23 at 13:33
  • I just wanted to make a simple FE and web API. I'm fairly disappointed in .NET, tbh. Their go-to solution is microservices, and paid on top of that. And it's poorly documented, and it ends up locking you into MVC for the identity server, so the UI isn't consistent. – vilem cech Jun 19 '23 at 15:26
  • I still do not understand the reason the default templates in VS direct us to use IdentityServer. If single sign-on and integration with external providers are not required, things should be simple enough with JWT. We've seen so far the default templates for Angular and React switching to cookie-based authentication in .NET 8.0; I can't wait to see what will happen with Blazor WASM. At the moment I'm also facing the limitations around prerendering, which renders my WASM hosted app unusable due to the loading time and payload required, since my landing page requires authentication. – Michael Kanios Jun 20 '23 at 14:56
  • You should only use IdentityServer if you have the need for it; otherwise ASP.NET Identity or using a third-party identity provider might be an option if you don't have any need for the customization features/benefits that IdentityServer brings. Also, it can be good to start from scratch, so that you understand all the decisions made and features added. – Tore Nestenius Jun 20 '23 at 15:06
  • I totally agree with Tore. The problem is that the documentation from Microsoft for Blazor WASM apps assumes in all cases that an OpenID compatible server is used. I was not able to find any documentation or samples using ASP.NET Identity with Blazor WASM, and as mentioned before even the default VS templates are based on OpenID (Azure AD or IdentityServer). – Michael Kanios Jun 21 '23 at 06:18
  • That's not what the documentation says. IdentityServer is the way to go for authentication according to the docs. .NET simply doesn't have an OAuth implementation ready to use, while I've read that other frameworks like Laravel have it. Hopefully .NET 8 will have some solution, but I'm still surprised and disappointed that it doesn't have one already. – vilem cech Jun 21 '23 at 09:18
  • You don't need to have IdentityServer if you don't need its functionality; IS is a library that you can use to build your own OpenID Connect token service. If you don't need the amazing customizability that IS provides, then using a pre-packaged or third-party solution is a better option. It all depends on what your needs are. – Tore Nestenius Jun 21 '23 at 11:09
  • In my case I was able to use Microsoft Identity instead of IdentityServer with my WASM client, which supports prerendering. For those interested, I published a small sample project on GitHub: https://github.com/kaniosm/BlazorWasmAppCookieAuth – Michael Kanios Jun 23 '23 at 08:04
  • And the relevant article: https://www.codeproject.com/Articles/5363405/Blazor-WASM-Hosted-App-with-Cookie-based-Authentic – Michael Kanios Jun 24 '23 at 08:09