Azure AD 限制整个 ASP.NET 内核 API

Question

Creating a WASS Blazor ASP.net Core hosted .NET 6 Application secured with Azure AD. I followed this guide: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-azure-active-directory?view=aspnetcore-6.0

I only want to restrict access to a few endpoints in my controller. I have tried adding and removing the following annotations from my controller:

//[Authorize]
[Route("api/wikipages")]
[ApiController]
//[RequiredScope(RequiredScopesConfigurationKey = "AzureAd:Scopes")]
[AllowAnonymous]
public class WikiPageController : ControllerBase
{

Even when I go into the Program.cs class and comment the app.UseAuthentication(); and app.UseAuthorization(); , I still get the following error when trying to access the API without logging in:

Microsoft.AspNetCore.Components.WebAssembly.Rendering.WebAssemblyRenderer[100]

Unhandled exception rendering component: ''

Microsoft.AspNetCore.Components.WebAssembly.Authentication.AccessTokenNotAvailableException: ''

at Microsoft.AspNetCore.Components.WebAssembly.Authentication.AuthorizationMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at Microsoft.Extensions.Http.Logging.LoggingScopeHttpMessageHandler.SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
at System.Net.Http.HttpClient.g__Core|83_0(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationTokenSource cts, Boolean disposeCts, CancellationTokenSource pendingRequestsCts, CancellationToken originalCancellationToken)..............

Answer 1

This issue has three solutions, you can read this article, it useful to you.

Related Blog:

How to send HTTP requests to public API without access token on an authentication enabled Blazor Wasm App?

You need add HttpClient like below.

public static async Task Main(string[] args)
{
    // Add a plain "HttpClient" with a name.
    builder.Services.AddHttpClient("BlazorWasmApp.AnonymousAPI", client => {
    client.BaseAddress = new Uri(builder.HostEnvironment.BaseAddress);

    builder.Services.AddHttpClient("BlazorWasmApp.ServerAPI", ...)
      .AddHttpMessageHandler<BaseAddressAuthorizationMessageHandler>();
    ...
});

And in your page, you can invoke like below.

@* @inject HttpClient Http *@
@inject IHttpClientFactory HttpClientFactory
...
@code {
protected override async Task OnInitializedAsync()
{
    ...
    // Don't get a HttpClient from DI directly for accessing a public API.
    // RecentlyUpdates = await Http.GetFromJsonAsync<string[]>("RecentlyUpdates");

    // Instead, get a HttpCient from IHttpClientFactory service with name explicitly.
    var http = HttpClientFactory.CreateClient("BlazorWasmApp.AnonymousAPI");
    RecentlyUpdates = await http.GetFromJsonAsync<string[]>("RecentlyUpdates");
}

Answer 2

Azure AD does not support anonymous auth for you to be able to use the AllowAnonymous attribute in your WebAPI. Reference: Azure AD allow anonymous

If you want to allow the anonymous request, you can implement the authentication using OWIN component instead of using the Easy Auth.

Here is an example protect the MVC with OpenId component:

active-directory-dotnet-webapp-openidconnect

For more details refer this SO Thread:

1) AllowAnonymous is not working with azure ad authentication

2) How to allow unauthenticated requests to a controller when rest of site is using Azure AD Authentication