You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Describe the question
I'm wondering if any guidance can be given for the following situation:
React SPA hosted with a .NET 8 BFF
Typical usage for the SPA involves making calls to an external API (mine) via YARP
Azure Entra ID is used as the identity provider, so there is a published API scope that the client requests as a scope during authentication (registered applications with Entra ID for the API as well as for the client)
Less commonly, administrators need to perform user management via the frontend, which requires the use of MS Graph. The Entra ID registered app provides these scopes as possible scopes to be requested, but it doesn't make sense to request them for all users all the time
My question is: Is there a standard/normative way to perform the authentication to get the additional scopes? The typical use case simply sets the browser location to /bff/login, which works fine, but I don't see a simple way to do something similar when I need additional scopes.
Additional context
Here is the configuration for the defaults and for the two OIDC/cookie scheme pairs in Program.cs:
For reference, the current way I do this is by having an endpoint hosted by the BFF and an authorization policy that I can require for it. In the frontend, when I need to do something with users as an admin, I set the window location to this endpoint, with a return URL for where I want it to end up.
[ApiController]
[Authorize(Policy = Policies.MsGraphUser)]
[Route("/graph")]
public class GraphController(IGraphService graphService) : ControllerBase
{
...
[HttpGet("login")]
[ProducesResponseType(StatusCodes.Status302Found)]
public Task<ActionResult> Login([FromQuery] string returnUrl)
{
return Task.FromResult((ActionResult)Redirect(returnUrl));
}
...
I then set up a special HttpClient with a custom DelegatingHandler in order to grab the access token out of the MsGraph cookie and set it in the header for the requests that HttpClient uses.
This all seems like it probably isn't the normal way to do this. I also run into issues where (Edge more often than Chrome) gets stuck in a loop between my app and the auth endpoint. Any feedback would be greatly appreciated.
The text was updated successfully, but these errors were encountered:
If I understand this right, you are using the Duende BFF component to interact directly with Microsoft Entra Id, without using IdentityServer in between.
If the upstream provider had been Duende IdentityServer you could just have added all the scopes to the initial request and that would generate an access token that has both scopes. Entra Id however doesn't work that way, they enforce resource isolation and do not allow an access token to be valid for two different resources (i.e. families of APIs) on the same time.
The correct way to handle this is to use a single OIDC client configuration (with a single cookie) and request all scopes at once, including the special offline_access scope. offline_access is a special scope that requests a refresh token. Using the refresh token you can request additional access tokens without having to log in. It is possible to set specific scopes for each such request, which will make it possible to have two different access tokens on the same time.
Which version of Duende BFF are you using?
2.2.0
Which version of .NET are you using?
8.0
Describe the question
I'm wondering if any guidance can be given for the following situation:
My question is: Is there a standard/normative way to perform the authentication to get the additional scopes? The typical use case simply sets the browser location to /bff/login, which works fine, but I don't see a simple way to do something similar when I need additional scopes.
Additional context
Here is the configuration for the defaults and for the two OIDC/cookie scheme pairs in Program.cs:
For reference, the current way I do this is by having an endpoint hosted by the BFF and an authorization policy that I can require for it. In the frontend, when I need to do something with users as an admin, I set the window location to this endpoint, with a return URL for where I want it to end up.
Policy in Program.cs:
Controller:
I then set up a special HttpClient with a custom DelegatingHandler in order to grab the access token out of the MsGraph cookie and set it in the header for the requests that HttpClient uses.
This all seems like it probably isn't the normal way to do this. I also run into issues where (Edge more often than Chrome) gets stuck in a loop between my app and the auth endpoint. Any feedback would be greatly appreciated.
The text was updated successfully, but these errors were encountered: