Blazor.BFF.AzureB2C.Template 1.2.0

There is a newer version of this package available.
See the version list below for details.
dotnet new install Blazor.BFF.AzureB2C.Template::1.2.0
This package contains a .NET Template Package you can call from the shell/command line.

Blazor.BFF.AzureB2C.Template

.NET NuGet Status Change log

This template can be used to create a Blazor WASM application hosted in an ASP.NET Core Web app using Azure B2C and Microsoft.Identity.Web to authenticate using the BFF security architecture. (server authentication) This removes the tokens form the browser and uses cookies with each HTTP request, response. The template also adds the required security headers as best it can for a Blazor application.

Features

  • WASM hosted in ASP.NET Core 6
  • BFF with Azure B2C using Microsoft.Identity.Web
  • OAuth2 and OpenID Connect OIDC
  • No tokens in the browser
  • Azure AD Continuous Access Evaluation CAE support

Using the template

install

dotnet new -i Blazor.BFF.AzureB2C.Template

run

dotnet new blazorbffb2c -n YourCompany.Bff

Use the -n or --name parameter to change the name of the output created. This string is also used to substitute the namespace name in the .cs file for the project.

Setup after installation

Add the Azure B2C App registration settings

"AzureB2C": {
	"Instance": "https://--your-domain--.b2clogin.com",
	"Domain": "[Enter the domain of your tenant, e.g. contoso.onmicrosoft.com]",
	"TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
	"ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
	"ClientSecret": "[Copy the client secret added to the app from the Azure portal]",
	"ClientCertificates": [
	],
	// the following is required to handle Continuous Access Evaluation challenges
	"ClientCapabilities": [ "cp1" ],
	"CallbackPath": "/signin-oidc"
	// Add your policy here
	"SignUpSignInPolicyId": "B2C_1_signup_signin", 
	"SignedOutCallbackPath ": "/signout-callback-oidc"
},

Add the permissions for Microsoft Graph if required, application scopes are used due to Azure B2C

"GraphApi": {
	// Add the required Graph permissions to the Azure App registration
	"TenantId": "[Enter 'common', or 'organizations' or the Tenant Id (Obtained from the Azure portal. Select 'Endpoints' from the 'App registrations' blade and use the GUID in any of the URLs), e.g. da41245a5-11b3-996c-00a8-4d99re19f292]",
	"ClientId": "[Enter the Client Id (Application ID obtained from the Azure portal), e.g. ba74781c2-53c2-442a-97c2-3d60re42f403]",
	"Scopes": ".default"
	//"ClientSecret": "--in-user-secrets--"
},

Use Continuous Access Evaluation CAE with a downstream API (access_token)

Azure app registration manifest
"optionalClaims": {
	"idToken": [],
	"accessToken": [
		{
			"name": "xms_cc",
			"source": null,
			"essential": false,
			"additionalProperties": []
		}
	],
	"saml2Token": []
},

Any API call for the Blazor WASM could be implemented like this:

[HttpGet]
public async Task<IActionResult> Get()
{
  try
  {
	// Do logic which calls an API and throws claims challenge 
	// WebApiMsalUiRequiredException. The WWW-Authenticate header is set
	// using the OpenID Connect standards and Signals spec.
  }
  catch (WebApiMsalUiRequiredException hex)
  {
	var claimChallenge = WwwAuthenticateParameters
		.GetClaimChallengeFromResponseHeaders(hex.Headers);
		
	return Unauthorized(claimChallenge);
  }
}

The downstream API call could be implemented something like this:

public async Task<T> CallApiAsync(string url)
{
	var client = _clientFactory.CreateClient();

	// ... add bearer token
	
	var response = await client.GetAsync(url);
	if (response.IsSuccessStatusCode)
	{
		var stream = await response.Content.ReadAsStreamAsync();
		var payload = await JsonSerializer.DeserializeAsync<T>(stream);

		return payload;
	}

	// You can check the WWW-Authenticate header first, if it is a CAE challenge
	
	throw new WebApiMsalUiRequiredException($"Error: {response.StatusCode}.", response);
}

Use Continuous Access Evaluation CAE in a standalone app (id_token)

Azure app registration manifest
"optionalClaims": {
	"idToken": [
		{
			"name": "xms_cc",
			"source": null,
			"essential": false,
			"additionalProperties": []
		}
	],
	"accessToken": [],
	"saml2Token": []
},

If using a CAE Authcontext in a standalone project, you only need to challenge against the claims in the application.

private readonly CaeClaimsChallengeService _caeClaimsChallengeService;

public AdminApiCallsController(CaeClaimsChallengeService caeClaimsChallengeService)
{
  _caeClaimsChallengeService = caeClaimsChallengeService;
}

[HttpGet]
public IActionResult Get()
{
  // if CAE claim missing in id token, the required claims challenge is returned
  var claimsChallenge = _caeClaimsChallengeService
	.CheckForRequiredAuthContextIdToken(AuthContextId.C1, HttpContext);

  if (claimsChallenge != null)
  {
	return Unauthorized(claimsChallenge);
  }

uninstall

dotnet new -u Blazor.BFF.AzureB2C.Template

Credits, Used NuGet packages + ASP.NET Core 6.0 standard packages

  • NetEscapades.AspNetCore.SecurityHeaders

https://github.com/AzureAD/microsoft-identity-web

This package has no dependencies.

NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
3.0.0 1,399 2/2/2024
2.2.0 3,000 11/3/2023
2.1.0 1,951 6/22/2023
2.0.2 1,339 3/12/2023
2.0.1 2,815 1/15/2023
2.0.0 1,815 12/3/2022
1.2.4 3,879 9/23/2022
1.2.3 8,904 8/12/2022
1.2.2 1,416 8/7/2022
1.2.1 3,726 7/9/2022
1.2.0 4,607 5/22/2022
1.1.0 6,083 3/20/2022
1.0.11 5,755 3/5/2022
1.0.10 1,125 3/4/2022
1.0.9 3,478 2/11/2022
1.0.8 2,542 2/6/2022
1.0.7 6,099 1/23/2022
1.0.6 766 1/21/2022
1.0.5 445 1/18/2022
1.0.4 730 1/17/2022
1.0.3 1,503 1/9/2022
1.0.2 1,793 1/4/2022
1.0.1 5,831 12/9/2021
1.0.0 1,103 12/3/2021

use new top-level statements and remove, enable ImplicitUsings, add IAntiforgeryHttpClientFactory/AntiforgeryHttpClientFactory, Replace of IdentityModel with System.Security.Claims and remove IdentityModel nuget package, Add support for Azure AD Continuous Access Evaluation CAE, Add 404, 401, response handling, Update nuget packages