Scaffolding: Blazor server app with authorization, after scaffold identity - logout not working

From @sikira on Thursday, December 12, 2019 7:57:30 PM

In a Blazor server app with authorization, after scaffolding identity into an MVC project with authorization, the user can’t log out from Blazor ( LoginDisplay.razor ). When the user clicks the logout button in LoginDisplay.razor, it makes a bad request:

  • Request URL: https://localhost:5001/Identity/Account/LogOut
  • Request Method: POST
  • Remote Address: 127.0.0.1:5001
  • Status Code: 400 (Bad Request)
  • Version: HTTP/2.0

After this bad POST request:

  • no redirection to another page
  • user still logged in
  • Blazor disconnected
  • complete white document is rendered.

Using this documentation. https://docs.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-2.2&tabs=netcore-cli#scaffold-identity-into-an-mvc-project-with-authorization

To Reproduce

  1. dotnet new blazorserver --auth Individual
  2. create new user for testing ( user@user.com / Pass12345! )
  3. login and logout and it’s working
  4. install if not already ( dotnet tool install --global dotnet-aspnet-codegenerator --version 3.1.0 )
  5. add package to project | dotnet add package Microsoft.VisualStudio.Web.CodeGeneration.Design --version 3.1.0
  6. add package to project | dotnet add package Microsoft.EntityFrameworkCore.SqlServer --version 3.1.0
  7. do a scaffold | dotnet aspnet-codegenerator identity -dc BlazorScaffoldedIdentity.Data.ApplicationDbContext --force
  8. logout from blazor - not working
  9. using instructions from ScaffoldingReadMe.txt
  10. logout from blazor - not working

NOTE:

  1. If the user goes to https://localhost:5001/Identity/Account/Manage , then from _ManageNav.cshtml they can successfully log out from the app.

WORKAROUND NUMBER 1:

  1. Add [IgnoreAntiforgeryToken] in “LogOut.cshtml.cs” file

WORKAROUND NUMBER 2:

  1. Delete the files “LogOut.cshtml” and “LogOut.cshtml.cs” in areas/pages/account, and create a new file that is like the one before the scaffold ( “LogOut.cshtml” )
  2. If not using --force , then Building project …Build Failed. ( but it is possible to specify every file except “LogOut.cshtml” , --files “Account.Register;Account.Login” )

  @page
  @using Microsoft.AspNetCore.Identity
  @* Skips antiforgery validation for this page, so the POST from LoginDisplay.razor is accepted without a token *@
  @attribute [IgnoreAntiforgeryToken]
  @inject SignInManager<IdentityUser> SignInManager
  @functions {
      public async Task<IActionResult> OnPost()
      {
          // Sign out only if there is a signed-in user, then return to the app root
          if (SignInManager.IsSignedIn(User))
          {
              await SignInManager.SignOutAsync();
          }
          return Redirect("~/");
      }
  }

REPOS

and the original version with the wrong behaviour https://github.com/sikira/BlazorScaffoldedIdentity/tree/withbug

repo with sample project with workaround https://github.com/sikira/BlazorScaffoldedIdentity/tree/master

SIDE NOTES:
  1. This behaviour happened in version 3.0.100 and in 3.1.0, but in .NET Core 3.0.100 this is written in console:

  info: Microsoft.AspNetCore.Routing.EndpointMiddleware[1]
        Executed endpoint ‘/_blazor’
  Microsoft.AspNetCore.Routing.EndpointMiddleware: Information: Executed endpoint ‘/_blazor’
  info: Microsoft.AspNetCore.Hosting.Diagnostics[2]
        Request finished in 21743.366ms 101
  Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request finished in 21743.366ms 101
  info: Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter[1]
        Antiforgery token validation failed. The required antiforgery request token was not provided in either form field “__RequestVerificationToken” or header value “RequestVerificationToken”.
  Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field “__RequestVerificationToken” or header value “RequestVerificationToken”.
     at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
     at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
  Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter: Information: Antiforgery token validation failed. The required antiforgery request token was not provided in either form field “__RequestVerificationToken” or header value “RequestVerificationToken”.
  Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery request token was not provided in either form field “__RequestVerificationToken” or header value “RequestVerificationToken”.
     at Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery.ValidateRequestAsync(HttpContext httpContext)
     at Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.ValidateAntiforgeryTokenAuthorizationFilter.OnAuthorizationAsync(AuthorizationFilterContext context)
  info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[3]
        Authorization failed for the request at filter ‘Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter’.
  Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker: Information: Authorization failed for the request at filter ‘Microsoft.AspNetCore.Mvc.ViewFeatures.Filters.AutoValidateAntiforgeryTokenAuthorizationFilter’.
  info: Microsoft.AspNetCore.Mvc.StatusCodeResult[1]
        Executing HttpStatusCodeResult, setting HTTP status code 400
  Microsoft.AspNetCore.Mvc.StatusCodeResult: Information: Executing HttpStatusCodeResult, setting HTTP status code 400
  info: Microsoft.AspNetCore.Mvc.RazorPages.Infrastructure.PageActionInvoker[4]

Further technical details

  • ASP.NET Core version 3.1.100

.NET Core SDK (reflecting any global.json):
  Version: 3.1.100
  Commit: cd82f021f4

Runtime Environment:
  OS Name: Windows
  OS Version: 10.0.17763
  OS Platform: Windows
  RID: win10-x64
  Base Path: C:\Program Files\dotnet\sdk\3.1.100\

Host (useful for support):
  Version: 3.1.0
  Commit: 65f04fb6db

.NET Core SDKs installed:
  3.0.100 [C:\Program Files\dotnet\sdk]
  3.1.100 [C:\Program Files\dotnet\sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
  Microsoft.WindowsDesktop.App 3.0.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
  Microsoft.WindowsDesktop.App 3.1.0 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

  • VS Code 1.40.2

[blazor]
[identity] [scaffold] [logout]

Copied from original issue: dotnet/aspnetcore#17839

About this issue

  • State: closed
  • Created 4 years ago
  • Reactions: 2
  • Comments: 24 (19 by maintainers)

Most upvoted comments

Fixed in VS as it ended up not being an aspnet/scaffolding issue. Should be working in VS 16.6 Preview 3 and onwards.

@danroth27 I have an existing BSSA (blazor server-side app) with facebook external login. I scaffolded everything and indeed I can’t log out anymore. I can only logout if I click on “Log out” from the Manage section in Identity.

After reading this I have deleted the LogOut.cshtml page which was scaffolded, but logout still doesn’t work.

How can I make it work?

Should I try workaround #1 or #2 from dotnet/aspnetcore#17839 ?

I would recommend workaround 1. In that case you don’t need to delete anything, just add [IgnoreAntiforgeryToken] in “LogOut.cshtml.cs” file

@sikira thanks, works!
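
An alternative to the workarounds above that keeps antiforgery validation on the logout POST, as an added example that is not code from this thread or from the project's templates: the token is issued in _Host.cshtml, where an HttpContext exists, and rendered into the logout form under the field name the log message asks for. The parameter and cascading-value name XsrfToken is an assumption, and the file paths are those of the default blazorserver template.

```razor
@* ---- Pages/_Host.cshtml: runs inside the HTTP request, so HttpContext is valid ---- *@
@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
@{
    // Issues the antiforgery cookie (if absent) and returns the matching request token.
    var xsrfToken = Xsrf.GetAndStoreTokens(HttpContext).RequestToken;
}
<app>
    <component type="typeof(App)" render-mode="ServerPrerendered"
               param-XsrfToken="xsrfToken" />
</app>

@* ---- App.razor: expose the token to every component (XsrfToken is an assumed name) ---- *@
<CascadingValue Name="XsrfToken" Value="@XsrfToken" IsFixed="true">
    <CascadingAuthenticationState>
        @* existing <Router> markup from the template stays here unchanged *@
    </CascadingAuthenticationState>
</CascadingValue>

@code {
    // Filled from the param-XsrfToken attribute in _Host.cshtml
    [Parameter] public string XsrfToken { get; set; }
}

@* ---- Shared/LoginDisplay.razor: the logout form now carries the token ---- *@
<form method="post" action="Identity/Account/LogOut">
    @* Field name taken from the validation error: "__RequestVerificationToken" *@
    <input type="hidden" name="__RequestVerificationToken" value="@XsrfToken" />
    <button type="submit" class="nav-link btn btn-link">Log out</button>
</form>

@code {
    // Received from the CascadingValue declared in App.razor
    [CascadingParameter(Name = "XsrfToken")] public string XsrfToken { get; set; }
}
```

The token is bound to the antiforgery cookie and to the identity present when _Host.cshtml rendered, so it stays valid across the Blazor circuit as long as sign-in and sign-out go through full page loads, as they do with the Identity pages.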