Blazor Server Side AADB2C AllowAnonymous Not working in latest template

[MetaHex]

Is there an existing issue for this?

• I have searched the existing issues

Describe the bug

In the latest template for Blazor Server Side with Microsoft Identity platform. program.cs has:

builder.Services.AddAuthorization(options =>
{
// By default, all incoming requests will be authorized according to the default policy
options.FallbackPolicy = options.DefaultPolicy;
});

So now all pages will direct to login. However, if I want to define a landing page that doesn't require login with

@Attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous], it doesn't work. Page still gets redirected to login.

Maybe this is related to #37064 and #23157

cc: @guardrex per dotnet/AspNetCore.Docs#24473

Expected Behavior

Pages marked with Attribute AllowAnonymous should not be redirected to login if not logged in

Steps To Reproduce

-Start a project with Blazor Server Side with Microsoft Identity Platform.
-Fill in all the required AADB2C configs
-Launch the site to see if AADB2C is setup correctly. clean up (logout)
-go to index.razor or fetchData.razor and add @Attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]
-Launch site. It still requires AADB2C login on index,razor or fetchData.razor

Exceptions (if any)

No response

.NET Version

6.0.100

Anything else?

No response

Thanks for contacting us.

We're moving this issue to the .NET 7 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s).
If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues.
To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

[silentdevnull]

Has anyone gotten this to work or have a work around for it?

[MetaHex]

Not I am aware of Get Outlook for iOS<https://aka.ms/o0ukef>

…

________________________________ From: silentdevnull ***@***.***> Sent: Saturday, January 8, 2022 10:39:32 AM To: dotnet/aspnetcore ***@***.***> Cc: MetaHex ***@***.***>; Author ***@***.***> Subject: Re: [dotnet/aspnetcore] Blazor Server Side AADB2C AllowAnonymous Not working in latest template (Issue #39321) Has anyone gotten this to work or have a work around for it? — Reply to this email directly, view it on GitHub<#39321 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AWOI5HLOZKBD7N3FNHNNZN3UVCAGJANCNFSM5LKK3NZQ>. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you authored the thread.Message ID: ***@***.***>

[silentdevnull]

@MetaHex Thanks.

The only workaround I was able to do was to use two projects and a reverse proxy to route the URL to each project. It is a big pain and I'm still trying to work through some of it, but it is slow working and coming together.

Hopefully, the time will get this fixed fast

[rpskelton2]

Modifying _Hosts.chtml and opting into auth worked for me.
https://stackoverflow.com/questions/60768399/blazor-using-azure-ad-authentication-allowing-anonymous-access

[MetaHex]

@rpskelton2 I think this was the default case previously. I think MSFT now recommends (at least from their samples) auth to be set by default and allow anonymous on individual pages.

[rpskelton2]

@MetaHex , that's what I tried first but the AllowAnonymous attribute seemed to be ignored. (Server Side Blazor) Whenever I hit my razor page that contained the AllowAnonymous attribute it would redirect me to the Azure login. If you know of a working sample please pass along!

[tjorvenK]

Has anyone been able to figure this out?

[larsholm]

Not an actual (or practical) work-around, but we decided to allow anyone to signup in B2C, and instead check for association in our own User table. If user==null then they're "anonymous". This will definitely be changed to AllowAnonymous once working.

[hammypants]

This affects even non-Blazor pages. E.g. endpoints and everything MVC.