fix

afedyanin · Oct 19, 2023 · 1e93290 · 1e93290
1 parent 14b237a
commit 1e93290
Show file tree

Hide file tree

Showing 36 changed files with 515 additions and 275 deletions.
diff --git a/Keycloak4Blazor.sln b/Keycloak4Blazor.sln
@@ -18,6 +18,10 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{9C59A7AC
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorApp", "src\BlazorApp\BlazorApp.csproj", "{2E141D10-E6F4-45F6-94D1-BFE23D0B1B8F}"
 EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorBff", "src\BlazorBff\BlazorBff.csproj", "{9A116B39-F9D1-460A-A269-596894B3AA3C}"
+EndProject
+Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "BlazorShared", "src\BlazorShared\BlazorShared.csproj", "{AE623DB2-D790-4901-8BC7-D8F73659B83F}"
+EndProject
 Global
  GlobalSection(SolutionConfigurationPlatforms) = preSolution
  Debug|Any CPU = Debug|Any CPU
@@ -28,12 +32,22 @@ Global
  {2E141D10-E6F4-45F6-94D1-BFE23D0B1B8F}.Debug|Any CPU.Build.0 = Debug|Any CPU
  {2E141D10-E6F4-45F6-94D1-BFE23D0B1B8F}.Release|Any CPU.ActiveCfg = Release|Any CPU
  {2E141D10-E6F4-45F6-94D1-BFE23D0B1B8F}.Release|Any CPU.Build.0 = Release|Any CPU
+ {9A116B39-F9D1-460A-A269-596894B3AA3C}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {9A116B39-F9D1-460A-A269-596894B3AA3C}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {9A116B39-F9D1-460A-A269-596894B3AA3C}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {9A116B39-F9D1-460A-A269-596894B3AA3C}.Release|Any CPU.Build.0 = Release|Any CPU
+ {AE623DB2-D790-4901-8BC7-D8F73659B83F}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+ {AE623DB2-D790-4901-8BC7-D8F73659B83F}.Debug|Any CPU.Build.0 = Debug|Any CPU
+ {AE623DB2-D790-4901-8BC7-D8F73659B83F}.Release|Any CPU.ActiveCfg = Release|Any CPU
+ {AE623DB2-D790-4901-8BC7-D8F73659B83F}.Release|Any CPU.Build.0 = Release|Any CPU
  EndGlobalSection
  GlobalSection(SolutionProperties) = preSolution
  HideSolutionNode = FALSE
  EndGlobalSection
  GlobalSection(NestedProjects) = preSolution
  {2E141D10-E6F4-45F6-94D1-BFE23D0B1B8F} = {4B42857C-FD8E-4EB6-B9D6-200FD3E19168}
+ {9A116B39-F9D1-460A-A269-596894B3AA3C} = {4B42857C-FD8E-4EB6-B9D6-200FD3E19168}
+ {AE623DB2-D790-4901-8BC7-D8F73659B83F} = {4B42857C-FD8E-4EB6-B9D6-200FD3E19168}
  EndGlobalSection
  GlobalSection(ExtensibilityGlobals) = postSolution
  SolutionGuid = {AED32BEA-7168-480C-BA57-E1182383356F}

diff --git a/README.md b/README.md
@@ -14,8 +14,9 @@ Keycloak for Blazor demo
 - [C#/NetStandard OpenID Connect Client Library for native Applications](https://github.com/IdentityModel/IdentityModel.OidcClient)
 - [Secure ASP.NET Core Blazor WebAssembly](https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-7.0)
 - [OpenIDConnect Response Type Confusion](https://stackoverflow.com/questions/29275477/openidconnect-response-type-confusion)
-
-
+- [Blazor.BFF.OpenIDConnect.Template](https://github.com/damienbod/Blazor.BFF.OpenIDConnect.Template)
+- [Securing SPAs and Blazor Applications using the BFF (Backend for Frontend) Pattern - Dominick Baier](https://www.youtube.com/watch?v=hWJuX-8Ur2k)
+- [Backend for Frontend (BFF) Security Framework](https://duendesoftware.com/products/bff)
 
 ## Keycloak setup
 
@@ -44,22 +45,8 @@ http:https://localhost:8080/realms/myrealm/account
 - AuthFlow: Standard flow, Direct access grants
 - Client Auth - On
 
-Add an audience to a client by using client scopes
-- On the left side bar click on “Clients” item.
-- Click “blazor-client”
-- Open “Client scopes” tab
-- Click on “blazor-client-dedicated”, should be on tope of the list of scopes
-- From the “Mappers” tab, click “Create a new mapper”
-- Pick “Audience” from the list
-- specify name: Audience
-- include client audience: “blazor-client”
-- Click “Save”
-Besides “Setup” sub-tab, “Client Scopes” tab has “Evaluate” sub-tab. It might come in handy when you need to figure out effective protocol mappers, effective role scope mappings, the content of access, and id tokens.
-
-
-Add valid redirect urls: http:https://localhost:5278/*
-
-
+- Add valid redirect urls: http:https://localhost:5278/*
+- Enable CORS on Keycloak +
 - Download adapter config
 
 ```
@@ -79,6 +66,5 @@ Add valid redirect urls: http:https://localhost:5278/*
 curl --data "grant_type=password&client_id=blazor-client&username=afedyanin&password=afedyanin&client_secret=aNZUREfcTwZjh1qiD095SGQnzL6SQWo0" localhost:8080/realms/myrealm/protocol/openid-connect/token
 ```
 
-- Enable CORS on Keycloak
 - 
 
diff --git a/src/BlazorApp/App.razor b/src/BlazorApp/App.razor
@@ -1,4 +1,4 @@
-<CascadingAuthenticationState>
+<CascadingAuthenticationState>
  <Router AppAssembly="@typeof(App).Assembly">
  <Found Context="routeData">
  <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
@@ -22,4 +22,4 @@
  </LayoutView>
  </NotFound>
  </Router>
-</CascadingAuthenticationState>
+</CascadingAuthenticationState>
diff --git a/src/BlazorApp/BFF/AntiforgeryHandler.cs b/src/BlazorApp/BFF/AntiforgeryHandler.cs
@@ -0,0 +1,10 @@
+namespace BlazorApp.Client.BFF;
+
+public class AntiforgeryHandler : DelegatingHandler
+{
+ protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ request.Headers.Add("X-CSRF", "1");
+ return base.SendAsync(request, cancellationToken);
+ }
+}
diff --git a/src/BlazorApp/BFF/BffAuthenticationStateProvider.cs b/src/BlazorApp/BFF/BffAuthenticationStateProvider.cs
@@ -0,0 +1,103 @@
+using System.Net;
+using System.Net.Http.Json;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Components.Authorization;
+
+namespace BlazorApp.Client.BFF;
+
+public class BffAuthenticationStateProvider : AuthenticationStateProvider
+{
+ private static readonly TimeSpan UserCacheRefreshInterval = TimeSpan.FromSeconds(60);
+
+ private readonly HttpClient _client;
+ private readonly ILogger<BffAuthenticationStateProvider> _logger;
+
+ private DateTimeOffset _userLastCheck = DateTimeOffset.FromUnixTimeSeconds(0);
+ private ClaimsPrincipal _cachedUser = new(new ClaimsIdentity());
+
+ public BffAuthenticationStateProvider(
+ HttpClient client,
+ ILogger<BffAuthenticationStateProvider> logger)
+ {
+ _client = client;
+ _logger = logger;
+ }
+
+ public override async Task<AuthenticationState> GetAuthenticationStateAsync()
+ {
+ var user = await GetUser();
+ var state = new AuthenticationState(user);
+
+ // checks periodically for a session state change and fires event
+ // this causes a round trip to the server
+ // adjust the period accordingly if that feature is needed
+ if (user.Identity.IsAuthenticated)
+ {
+ _logger.LogInformation("starting background check..");
+ Timer? timer = null;
+
+ timer = new Timer(async _ =>
+ {
+ var currentUser = await GetUser(false);
+ if (currentUser.Identity.IsAuthenticated == false)
+ {
+ _logger.LogInformation("user logged out");
+ NotifyAuthenticationStateChanged(Task.FromResult(new AuthenticationState(currentUser)));
+ await timer.DisposeAsync();
+ }
+ }, null, 1000, 5000);
+ }
+
+ return state;
+ }
+
+ private async ValueTask<ClaimsPrincipal> GetUser(bool useCache = true)
+ {
+ var now = DateTimeOffset.Now;
+ if (useCache && now < _userLastCheck + UserCacheRefreshInterval)
+ {
+ _logger.LogDebug("Taking user from cache");
+ return _cachedUser;
+ }
+
+ _logger.LogDebug("Fetching user");
+ _cachedUser = await FetchUser();
+ _userLastCheck = now;
+
+ return _cachedUser;
+ }
+
+ public record ClaimRecord(string Type, object Value);
+
+ private async Task<ClaimsPrincipal> FetchUser()
+ {
+ try
+ {
+ _logger.LogInformation("Fetching user information.");
+ var response = await _client.GetAsync("bff/user?slide=false");
+
+ if (response.StatusCode == HttpStatusCode.OK)
+ {
+ var claims = await response.Content.ReadFromJsonAsync<List<ClaimRecord>>();
+
+ var identity = new ClaimsIdentity(
+ nameof(BffAuthenticationStateProvider),
+ "name",
+ "role");
+
+ foreach (var claim in claims!)
+ {
+ identity.AddClaim(new Claim(claim.Type, claim.Value.ToString()));
+ }
+
+ return new ClaimsPrincipal(identity);
+ }
+ }
+ catch (Exception ex)
+ {
+ _logger.LogWarning(ex, "Fetching user failed.");
+ }
+
+ return new ClaimsPrincipal(new ClaimsIdentity());
+ }
+}
diff --git a/src/BlazorApp/BlazorApp.csproj b/src/BlazorApp/BlazorApp.csproj
@@ -1,16 +1,21 @@
 <Project Sdk="Microsoft.NET.Sdk.BlazorWebAssembly">
 
- <PropertyGroup>
- <TargetFramework>net7.0</TargetFramework>
- <Nullable>enable</Nullable>
- <ImplicitUsings>enable</ImplicitUsings>
- </PropertyGroup>
+  <PropertyGroup>
+  <TargetFramework>net7.0</TargetFramework>
+  <Nullable>enable</Nullable>
+  <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
 
- <ItemGroup>
- <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="7.0.12" />
- <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="7.0.12" />
- <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="7.0.12" PrivateAssets="all" />
- <PackageReference Include="Microsoft.Extensions.Http" Version="7.0.0" />
- </ItemGroup>
+ <ItemGroup>
+ <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly" Version="7.0.12" />
+ <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.DevServer" Version="7.0.12" PrivateAssets="all" />
+ <PackageReference Include="Microsoft.Extensions.Http" Version="7.0.0" />
+ <PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Authentication" Version="7.0.12" />
+
+ </ItemGroup>
+
+ <ItemGroup>
+ <ProjectReference Include="..\BlazorShared\BlazorShared.csproj" />
+ </ItemGroup>
 
 </Project>
diff --git a/src/BlazorApp/Client/Program.cs b/src/BlazorApp/Client/Program.cs
diff --git a/src/BlazorApp/Pages/Authentication.razor b/src/BlazorApp/Pages/Authentication.razor
diff --git a/src/BlazorApp/Pages/FetchData.razor b/src/BlazorApp/Pages/FetchData.razor
@@ -1,6 +1,9 @@
 @page "/fetchdata"
+@using BlazorWasm.Shared
 @inject HttpClient Http
 
+@attribute [Authorize]
+
 <PageTitle>Weather forecast</PageTitle>
 
 <h1>Weather forecast</h1>
@@ -41,17 +44,6 @@ else
 
  protected override async Task OnInitializedAsync()
  {
- forecasts = await Http.GetFromJsonAsync<WeatherForecast[]>("sample-data/weather.json");
- }
-
- public class WeatherForecast
- {
- public DateOnly Date { get; set; }
-
- public int TemperatureC { get; set; }
-
- public string? Summary { get; set; }
-
- public int TemperatureF => 32 + (int)(TemperatureC / 0.5556);
+ forecasts = await Http.GetFromJsonAsync<WeatherForecast[]>("WeatherForecast");
  }
 }
diff --git a/src/BlazorApp/Pages/Index.razor b/src/BlazorApp/Pages/Index.razor
@@ -1,40 +1,5 @@
-@page "/"
-
-@using Microsoft.AspNetCore.Components.Authorization
-@using Microsoft.AspNetCore.Components.WebAssembly.Authentication
-@using System.Security.Claims
-
-@inject AuthenticationStateProvider AuthenticationStateProvider
+@page "/"
 
 <PageTitle>Index</PageTitle>
 
-<h1>BlazorWASM Keycloak Authentication</h1>
-
-This application demonstrates how to integrate with Keycloak from BlazorWASM application.
-
-@if (claims.Count() > 0)
-{
- <h2>User Claims:</h2>
- <ul>
- @foreach (var claim in claims)
- {
- <li>@claim.Type: @claim.Value</li>
- }
- </ul>
-}
-
-@code {
- private IEnumerable<Claim> claims = Enumerable.Empty<Claim>();
-
- protected override Task OnInitializedAsync() => GetClaimsPrincipalData();
-
- private async Task GetClaimsPrincipalData()
- {
- var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
- var user = authState.User;
- if (user.Identity?.IsAuthenticated ?? false)
- {
- claims = user.Claims;
- }
- }
-}
+<CurrentSession />