Automatically Attaching Identity Cookie to HTTP Client in Blazor wasm

Question

I am working on a blazor application where I used my API project as Identity

Provider. Everything is working fine but the issue is that the access token

issued by my API is not validated by the API. It turns out the API is expecting a

cookie header. I took a closer look at blazor hosted application and found out

the cookie is being sent along with each request but it's same-origin.

My Blazor WASM project does not automatically attach this cookie in the request

header, just the access token.

Is there a way I can make the Http handler attach this cookie on each request?

or make the API validate the access token instead of the identity cookie.

This is my startup class in the API Project

       public static void AddIdentityServer(IServiceCollection services,IConfiguration configuration)
        {
            services.AddIdentityServer(options =>
            {
                options.UserInteraction.LoginUrl = "/Identity/Account/Login";
                options.UserInteraction.LogoutUrl = "/Identity/Account/Logout";
            }).AddProfileService<LocalProfileService>()
             .AddApiAuthorization<ApplicationUser, ApplicationDbContext>(option =>
             {
                 option.Clients.Add(new Client
                 {
                     ClientId = "blazor",
                     AllowedGrantTypes = GrantTypes.Code,
                     RequirePkce = true,
                     RequireClientSecret = false,
                     AllowedCorsOrigins = { "https://localhost:5001" },
                     AllowedScopes = { "openid", "profile", "email","id" },
                     RedirectUris = { "https://localhost:5001/authentication/login-callback" },
                     PostLogoutRedirectUris = { "https://localhost:5001/" },
                     Enabled = true,
                     RequireConsent = false,  
                 });
                 option.IdentityResources.AddEmail();
                 option.IdentityResources["openid"].UserClaims.Add("name");
                 option.ApiResources.Single().UserClaims.Add("name");
                 option.IdentityResources["openid"].UserClaims.Add("role");
                 option.ApiResources.Single().UserClaims.Add("role");

                 option.IdentityResources.Add(new IdentityResource("id",new string[] {"id" }));
                 option.ApiResources.Single().UserClaims.Add("id");
                 

             });

            services.AddAuthentication()
                .AddGoogle("Google", options =>
                {
                    options.ClientId = configuration["ExternalLoginApiKey:GoogleClientId"];
                    options.ClientSecret = configuration["ExternalLoginApiKey:GoogleClientSecret"];
                })
                .AddFacebook("Facebook", options =>
                {
                    options.AppId = configuration["ExternalLoginApiKey:FacebookAppId"];
                    options.AppSecret = configuration["ExternalLoginApiKey:FacebookAppSecret"];
                })
               .AddIdentityServerJwt();

          
        }

Program class in the Blazor Project

        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("app");

            builder.Services.AddOidcAuthentication(options =>
            {
                builder.Configuration.Bind("oidc", options.ProviderOptions);
                options.UserOptions.RoleClaim = "role";
            }).AddAccountClaimsPrincipalFactory<CustomUserFactory>();

            builder.Services.AddHttpClient<IAuthorizedRestService, AuthorizedRestService>(
               client => client.BaseAddress = new Uri("https://localhost:5002/api/mart/v1/"))
                 .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
            .ConfigureHandler(authorizedUrls: new[] { "https://localhost:5002" }));


            builder.Services.AddHttpClient("noauth", option => option.BaseAddress = new 
              Uri("https://localhost:5002/api/mart/v1/"));

            builder.Services.AddScoped<IRestService, RestService>();

            await builder.Build().RunAsync();
        }

Answer 1

I have found the Solution.

It happens that there is already a JWT handler provided by IdentityServer4 for APIs that double as Authorization Server

 .AddIdentityServerJwt();

So what I did was to configure it

      services.Configure<JwtBearerOptions> 
       (IdentityServerJwtConstants.IdentityServerJwtBearerScheme,
                options =>
                {
                    options.Authority = "https://localhost:5002";
                    options.Audience = "mart";
                    options.SaveToken = true;
                });

Then specify the Authentication scheme to use

    [Authorize(AuthenticationSchemes = IdentityServerJwtConstants.IdentityServerJwtBearerScheme)]

You can also add it globally in the start up class

 var authorizationPolicy = new AuthorizationPolicyBuilder(IdentityServerJwtConstants.IdentityServerJwtBearerScheme)
                .RequireAuthenticatedUser().Build();
                options.Filters.Add(new AuthorizeFilter(authorizationPolicy));

You can read more using these links

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-3.1

https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-3.1