Blazor Web Assembly AAD Auth under .Net 5.0 cannot request multiple tokens #29384

Closed
snapfisher opened this issue Jan 17, 2021 · 19 comments
affected-medium This issue impacts approximately half of our customers area-blazor Includes: Blazor, Razor Components bug This issue describes a behavior which is not expected - a bug. feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly feature-blazor-wasm-auth severity-blocking This label is used by an internal tool

Comments

@snapfisher

Describe the bug

I see this was reported in #28226, but it was closed without resolution, and the problem definitely exists.

Following instructions here: https://docs.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/additional-scenarios?view=aspnetcore-5.0#request-additional-access-tokens

You cannot request multiple tokens under .Net 5.0. The error received is:

Provided value for the input parameter scope is not valid because it contains more than one resource. Scope x y is not valid, where x and y are the scopes I am requesting.

If I request 1 scope only, I can authenticate with no errors.

I have an older blazor wasm application built against .Net Standard 2.1, which follows the same coding instructions/pattern where this does work.

To Reproduce

Program.cs is:

    using System;
    using System.Net.Http;
    using System.Threading.Tasks;
    using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    public class Program
    {
        public static async Task Main(string[] args)
        {
            var builder = WebAssemblyHostBuilder.CreateDefault(args);
            builder.RootComponents.Add<App>("#app");

            builder.Services.AddScoped(sp => new HttpClient { BaseAddress = new Uri(builder.HostEnvironment.BaseAddress) });

            builder.Services.AddMsalAuthentication(options =>
            {
                builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
                // Scope requested at login (Graph resource).
                options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/openid");
                // Second resource (ARM) added to the initial consent request; this
                // combination is what produces the AADSTS28000 error described above.
                options.ProviderOptions.AdditionalScopesToConsent.Add("https://management.azure.com/user_impersonation");
            });

            builder.Services.AddAuthorizationCore(options =>
            {
                // Policy admitting a single user (the UPN value is elided by the author).
                options.AddPolicy("OneUser", policy => policy.RequireAssertion(context =>
                    context.User.HasClaim(c =>
                        c.Type == "preferred_username" &&
                        c.Value == "x*x.onmicrosoft.com")
                ));
            });

            await builder.Build().RunAsync();
        }
    }

It fails even without attempting token access. Index.razor does not really do much, only ...

Authentication in progress

Please log in with an authorized user

Exceptions (if any)

The error/exception number is AADSTS28000

Further technical details

  • ASP.NET Core version
  • Include the output of dotnet --info
  • The IDE (VS / VS Code/ VS4Mac) you're running on, and its version

.NET SDK (reflecting any global.json):
Version: 5.0.102
Commit: 71365b4d42

Runtime Environment:
OS Name: Windows
OS Version: 10.0.19042
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\5.0.102\

Host (useful for support):
Version: 5.0.2
Commit: cb5f173b96

.NET SDKs installed:
1.1.13 [C:\Program Files\dotnet\sdk]
1.1.14 [C:\Program Files\dotnet\sdk]
2.1.617 [C:\Program Files\dotnet\sdk]
2.1.700 [C:\Program Files\dotnet\sdk]
2.1.701 [C:\Program Files\dotnet\sdk]
2.1.812 [C:\Program Files\dotnet\sdk]
2.2.300 [C:\Program Files\dotnet\sdk]
3.1.300 [C:\Program Files\dotnet\sdk]
3.1.405 [C:\Program Files\dotnet\sdk]
5.0.102 [C:\Program Files\dotnet\sdk]

.NET runtimes installed:
Microsoft.AspNetCore.All 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.All 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 1.0.15 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 1.1.13 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.12 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.24 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 3.1.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 5.0.2 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]

To install additional .NET runtimes or SDKs:
https://aka.ms/dotnet-download

Visual Studio Enterprise 16.8.4

@snapfisher
Author

snapfisher commented Jan 17, 2021

The "Authentication in progress" section above was supposed to be the xaml code from the razor page; the markup is too smart for its own good. I changed the < characters to # just so it would make it into the issue:

    @* Index.razor: the markup as intended, with the < characters restored *@
    <AuthorizeView Policy="OneUser">
        <Authorized>
        </Authorized>
        <Authorizing>
            <h1>Authentication in progress</h1>
        </Authorizing>
        <NotAuthorized>
            <h2>Please log in with an authorized user</h2>
        </NotAuthorized>
    </AuthorizeView>

@javiercn javiercn added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly bug This issue describes a behavior which is not expected - a bug. labels Jan 18, 2021
@javiercn
Member

@snapfisher thanks for the details.

Seems like something is going on here.

@javiercn javiercn added this to the Next sprint planning milestone Jan 18, 2021
@ghost

ghost commented Jan 18, 2021

Thanks for contacting us.
We're moving this issue to the Next sprint planning milestone for future evaluation / consideration. We will evaluate the request when we are planning the work for the next milestone. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@SteveSandersonMS SteveSandersonMS added affected-few This issue impacts only small number of customers severity-blocking This label is used by an internal tool labels Jan 26, 2021 — with ASP.NET Core Issue Ranking
@BenWhite27

This is blocking me at the moment; my app needs to access its own API and the MS Graph API. Any workarounds?

@BenWhite27

BenWhite27 commented Mar 16, 2021

@SteveSandersonMS I believe the tags could be reviewed for this issue. Using Microsoft Identity Platform + Graph API for things like avatar images, directory listings, and user management must be a fairly common and documented scenario?

I've started comparing the code provided as a resolution to the previous issue (#28226) and trimming it down to the bare essentials. It appears all that's required to get this working for me with the Graph API is to not specify the scopes when adding the graph client to the services collection. This in turn doesn't add anything extra to AdditionalScopesToConsent.

Program.cs in the wasm project:

- builder.Services.AddGraphClient("https://graph.microsoft.com/User.Read");
+ builder.Services.AddGraphClient();
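Review bot: with the scope argument dropped from AddGraphClient(), nothing in these two lines states which scope the Graph message handler will request, so the registration alone no longer documents the permission the app depends on; confirm that GraphClientExtensions.cs still passes "https://graph.microsoft.com/User.Read" to the handler (as the comment below says it does), and consider a comment on the `+` line pointing there, so a later reader does not assume the client is unauthenticated.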

The required scopes are also specified in GraphClientExtensions.cs from the docs to authenticate the request.

I don't understand the inner workings here enough to say if this is going to work moving forward or bite me later in development but might help someone.

@igalfsg

igalfsg commented Apr 8, 2021

@javiercn @SteveSandersonMS is there any update to this?

@snapfisher
Author

I'm going to pile on for this. I don't understand the "affected-few" label, as anyone who is using API Management and wants to also speak with the Graph API would have this issue. @javiercn @SteveSandersonMS

In my case, it's a requirement as my middleware is just Azure Functions.

@SteveSandersonMS
Member

At the time, we had heard very few reports. More are emerging now so I’m updating the label.

@SteveSandersonMS SteveSandersonMS added affected-medium This issue impacts approximately half of our customers and removed affected-few This issue impacts only small number of customers labels Apr 13, 2021
@jelard

jelard commented May 27, 2021

This is also a blocker for me.

@javiercn javiercn self-assigned this Aug 26, 2021
@ghost ghost added the Working label Sep 1, 2021
@javiercn javiercn modified the milestones: 6.0-rc2, 6.0.0 Sep 15, 2021
@javiercn javiercn removed the Working label Oct 19, 2021
@javiercn javiercn modified the milestones: 6.0.0, Backlog Oct 19, 2021
@ghost

ghost commented Oct 19, 2021

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.

@adixon501

@SteveSandersonMS, any news on this? Like @snapfisher said, this is stopping everyone who is using token authentication for more than one API (.net hosted blazor server api, MS Graph, etc).

I have tried following both examples (to no avail) found here

@SteveSandersonMS SteveSandersonMS removed this from the Backlog milestone Feb 15, 2022
@SteveSandersonMS
Member

Re-triaging.

@mkArtakMSFT mkArtakMSFT added this to the 6.0.x milestone Feb 15, 2022
@javiercn
Member

I've spent a chunk of time investigating this in the past couple of days and I believe it comes down to some changes AAD made to avoid requesting all scopes upfront. This now needs to be done via incremental consent, which is doable, but requires a different approach.

I'm going to spend some time to see if I can put together an example that accomplishes this through our existing extensibility, but in essence, I believe that requesting the scopes upfront no longer works.

We'll have to revisit the area in .NET 7.0

@javiercn javiercn modified the milestones: 6.0.x, .NET 7 Planning May 26, 2022
@ghost

ghost commented May 26, 2022

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine that the issue has no community involvement, or that it is a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

@igalfsg

igalfsg commented May 26, 2022

@javiercn I don't know if this helps, but how we went around this is by creating a different client for each endpoint, for example a graph http client and an arm http client, and we use whichever we need depending on the case. Maybe do that but abstract it from the user so the user only sees one (or use the same client and just attach different tokens based on the scope being contacted).

@javiercn
Member

@igalfsg that's more or less what needs to happen.

The issue is that AdditionalScopesToConsent no longer works, so instead of requesting the scopes upfront, they need to be requested incrementally and for each resource separately. It's just way more involved and there's a user experience to think about, because in the original implementation, you'll get consent during login and then you could request any additional token silently.

Now, if you are in a page and need an additional token, you need to define how to get that token. Do you provision it during navigation on to the page, or by reacting to an exception, for example when you try to save some data? In that case, do you show a pop-up (pop-ups might be blocked), or do you save the user data, redirect to the IdP and come back?

It's doable, it's just much more work now. That said, if you have a sample of what you did in a public repo, I would be interested in looking at how you solved it. Maybe that's an approach we might be willing to take.
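The per-resource client approach described in the two comments above, as an added example (not code from this issue, the linked repo, or the Blazor project itself): each resource gets its own named HttpClient whose AuthorizationMessageHandler requests exactly one scope, and consent for a scope is obtained on first use by reacting to the handler's exception. The scopes are the ones from the Program.cs in this issue; the client names "GraphApi"/"ArmApi", the `AddPerResourceClients` extension and `GetGraphProfileAsync` are assumed names.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class ResourceClients
{
    // Scopes taken from this issue; the client names "GraphApi"/"ArmApi" are assumptions.
    private const string GraphScope = "https://graph.microsoft.com/User.Read";
    private const string ArmScope = "https://management.azure.com/user_impersonation";

    public static void AddPerResourceClients(this WebAssemblyHostBuilder builder)
    {
        builder.Services.AddMsalAuthentication(options =>
        {
            builder.Configuration.Bind("AzureAd", options.ProviderOptions.Authentication);
            // Login asks for one resource only; nothing is put into AdditionalScopesToConsent.
            options.ProviderOptions.DefaultAccessTokenScopes.Add("https://graph.microsoft.com/openid");
        });

        // Each handler attaches a token only to its own host and requests exactly one scope,
        // so every token request names a single resource.
        builder.Services.AddHttpClient("GraphApi",
                c => c.BaseAddress = new Uri("https://graph.microsoft.com/v1.0/"))
            .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
                .ConfigureHandler(new[] { "https://graph.microsoft.com" }, new[] { GraphScope }));

        builder.Services.AddHttpClient("ArmApi",
                c => c.BaseAddress = new Uri("https://management.azure.com/"))
            .AddHttpMessageHandler(sp => sp.GetRequiredService<AuthorizationMessageHandler>()
                .ConfigureHandler(new[] { "https://management.azure.com" }, new[] { ArmScope }));
    }

    // The "react to an exception" option: if no token for this scope can be obtained silently,
    // the handler throws and Redirect() sends the user to AAD to consent to just this scope.
    public static async Task<string> GetGraphProfileAsync(IHttpClientFactory factory)
    {
        try
        {
            return await factory.CreateClient("GraphApi").GetStringAsync("me");
        }
        catch (AccessTokenNotAvailableException ex)
        {
            ex.Redirect();
            return null;
        }
    }
}
```

Call `AddPerResourceClients` from Main in place of the single AddMsalAuthentication call, and inject `IHttpClientFactory` into the component that calls Graph; after the redirect the user lands back on the same page with the new scope consented.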

@igalfsg

igalfsg commented May 26, 2022

Yeah, the additional popup is annoying. If the user only has one account, SSO takes care of it, but if they have multiple AAD accounts they would get a popup for each scope.

Here is a GitHub repo: https://github.com/coding-flamingo/BlazorWasmWithAADAuth
and here is the YouTube video of me explaining what I did: https://www.youtube.com/watch?v=Aa8QTlyNDBM

@mkArtakMSFT mkArtakMSFT modified the milestones: .NET 7 Planning, 7.0-rc1 Aug 10, 2022
@javiercn javiercn modified the milestones: 7.0-rc1, 7.0-rc2 Aug 29, 2022
@javiercn
Member

We addressed this for 7.0; the fix will be available in RC2.

#43954

@igalfsg

igalfsg commented Sep 15, 2022

Thanks @javiercn, will it work out of the box or is there something we have to do?

@ghost ghost locked as resolved and limited conversation to collaborators Oct 15, 2022
8 participants