Kinde & .NET Blazor Server?
Hi,
New to Kinde and exploring if it's the right choice for a new project in .NET Blazor. I tried setting up a demo project according to the docs which I understand is more generic .NET-oriented. I do not seem to get Kinde to work in .NET Blazor and read that it might be the case that it is not yet supported: https://community.kinde.com/blazor-server-net-8-kinde-user-login-integration-663TnBGmt3J6
I have added the configuration to the program.cs and use :NET built--in authentication and authroization mechanisms for protecting razor pages.
Latest error I now have is: AuthenticationFailureException: OpenIdConnectAuthenticationHandler: message.State is null or empty.
I get this when navigating to url/signin-oidc
Ayone that have experience using .NET Blazor and Kinde?
Kinde
blazor server net 8 Kinde user login integration
Hi all, Has anyone successfully integrated user login using Kinde and Blazor Server .net 8? Would be interested what guides/resources were used. Thanks all :-)
32 Replies
.NET Blazor
Hi Daniel,
Thanks for reaching out! Could you include the
Thanks for reaching out! Could you include the
state parameter in oauth2/auth? It’s a unique string used for validation when the user returns from authentication. For testing, you can try passing state=BlueFox0101.
Let me know how it goes!Hi Zaki,
How grateful I am for your response, thank you.
I will try to figure out how I could include state. As it is now I have done exactly the same as in the guide https://docs.kinde.com/developer-tools/guides/dotnet-open-id-connect/ step 1 to 5 and then securing the razor pages.
Kinde docs
Integrate Kinde with ASP.NET using Open ID Connect
Our developer tools provide everything you need to get started with Kinde.
Hi Daniel,
As you are using the starter kit, there is no need to pass the
state parameter. However, let’s confirm the following to ensure everything is set up correctly:
1. In your appsettings.json file, set the following values:
2. Ensure the backend application you created in the Kinde dashboard (where you obtained the Client ID and Client Secret) is a .NET application.
3. On the App Keys page in the Kinde dashboard:
- Set the Allowed Callback URLs to:
This is essential for successful authentication.
- Set the Allowed Logout Redirect URLs to:
This ensures proper redirection after logout.
4. Ensure HTTPS is enabled on your local machine, as the redirect URLs must use https for authentication to work properly.
Let me know if you need any further clarification!Thank you. I will show you my setup
"Authentication": {
"Schemes": {
"OpenIdConnect": {
"Authority": "https://kynavo.kinde.com",
"ClientId": "myclientid",
"MapInboundClaims": false,
"ResponseType": "code",
"ClientSecret": "myclientsecret"
}
}
}
Thanks for sharing! Could you try this updated code, which includes a state parameter?
builder.Services.AddAuthentication(options =>
{
options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie()
.AddOpenIdConnect(opt =>
{
opt.Authority = authority;
opt.ClientId = clientId;
opt.ClientSecret = clientSecret;
opt.SignedOutCallbackPath = "/signed-out";
opt.CallbackPath = new PathString("/signin-oidc");
opt.SaveTokens = true;
opt.Events = new OpenIdConnectEvents
{
// Set the 'state' parameter before redirecting
OnRedirectToIdentityProvider = context =>
{
string customStateValue = "BlueFox0101"; // For testing purposes, and it should be dynamic
context.ProtocolMessage.State = customStateValue;
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
// Log the error or examine it further
Console.WriteLine("Authentication failed: " + context.Exception.Message);
return Task.CompletedTask;
}
};
});
Let me know if you run into any issues!Thanks. I tried it out immediately but got same error:
Is this a .NET Blazor issue? :/
Could you share the 500 error message with me?
>Ensure the backend application you created in the Kinde dashboard (where you obtained the Client ID and Client Secret) is a .NET application.
What exactly does this do? I don't see documented anywhere what selecting the optional "Language/framework" does within my application.
@Daniel
I have been using Kinde with Blazor for some time, and can confirm it is definitely supported. The state parameter will be automatically set when you use AddOpenIdConnect(), which I can see you have configured.
It sounds like you are hitting the signin-oidc endpoint directly, hence the state is empty. If you haven't already, you need to wire up your own login/logout endpoints that you hit. The Blazor sample apps have the relevant code you can use: https://github.com/dotnet/blazor-samples/blob/main/9.0/BlazorWebAppOidcServer/LoginLogoutEndpointRouteBuilderExtensions.cs
GitHub
blazor-samples/9.0/BlazorWebAppOidcServer/LoginLogoutEndpointRouteB...
Contribute to dotnet/blazor-samples development by creating an account on GitHub.
@MaxRebo Thank you! I actually came a bit further. Signin works. Still having problems with signing out,
This is thrown when using the method in link you sent for signing out:
AntiforgeryValidationException: The required antiforgery request token was not provided in either form field "AntiforgeryToken" or header value "RequestVerificationToken".
I also notides User.Identity.Name is null but there are claims and .NET identity accepts that the user is authenticated.
Do you have any experience in theese challenges?
I tried Logto side by side to Kinde and there it actually works pretty much out of box, But hopefully I can get Kind to work as it has some features I need and also a nicer UI 😉
yes, I tried Logto also, as they offered Australian hosting which was a requirement for us. I backed away from them once I found out what country they are based in as it would not have been acceptable to our customers.
Antiforgery exception is curious. as it's handled automatically by .Net now and shoudn't be involved in a GET request regardless.
How are you calling the logout endpoint?
I tried two ways:
<form action="auth/logout" method="post">
<AntiforgeryToken />
<input type="hidden" name="ReturnUrl" value="@currentUrl" />
<button type="submit" class="dropdown-item notify-item">
<i class="ri-logout-box-line"></i>
<span>Logout</span>
</button>
</form>
app.MapPost("/auth/logout", async (HttpContext context) =>
{
var returnUrl = context.Request.Form["ReturnUrl"].ToString();
await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme);
var redirectUrl = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl;
context.Response.Redirect(redirectUrl);
});
first one in razor page and second in program.cs
ah you are posting to the endpoint. try created an <a> tag for your logout endpoint, so that it does a GET request.
or change the form method to method="get" if you really need to use a form.
you'll also need to change the group.MapPost() to be group.MatGet()
Thank you so much
alternatively, antiforgery tokens should be added to your blazor form automatically. I wonder if adding your own <AntiforgeryToken /> is causing an issue.
It works like a charm. I am so grateful for your time
no problem!
do you get a feeling what could cause User.Identity.Name to be null when successfully signed in?
var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
User = authState.User;
I haven't seen that happen, but it sounds like the relevant claim is not mapping to the Identity.Name.
Let me check my config...
Could it be that i have misinterpreted the docs? I thought that was managed "automatically" by .NET Add Authentication
have you set MapInboundClaims = true?
.AddOpenIdConnect(OIDC_SCHEME, oidcOptions =>
{
...
oidcOptions.MapInboundClaims = true;
In the settings file I have, yes: "MapInboundClaims": true,
Could it be that it's not being set correctly, I will check that out as well
10 claims are being set but not User.Identity.Name
as in you have 10 claims inthe Principal.Claims collection?
it sounds like the claims are not being mapped. As a quick test, I would try setting MapInboundClaims = true directly in your c# rather than relying on config
Thanks, I will try setting it to true directly and try again
Hi Daniel, I hope everything’s going smoothly. Just checking in to see if you're still experiencing any difficulties. Let us know if we can be of any help!