Question/Clarification wanted for Blazor WebAssembly Azure AD Setup Documentation

[nickkfwong]

Hello, recently I was just trying to setup a Blazor project with Azure AD.

Indeed, I want to have few clarifications - im not sure if

(1)
In the doc it mentions: "when publisher domain of the directory is untruysed...",
then app url should be written as
"https:////<default_scope>"

But, when I setup using the https scheme it does not work but when I switch back to api:// scheme, this works magically. (In azure portal, I can see failure login saying "The resource principal named {name} was not found in the tenant named {tenant}.")

I believe I'm on the "untrusted" publisher domain, because I see my publisher domain as .onmicrosoft.com with a message saying "The application’s consent screen will show ‘Unverified..."

(2)
For scope, the doc mentioned adding a default "API.Access"
In Blazor server, it seems it also require another scope, named as access_as_user.
So I either need to add an extra scope or user "access_as_user" as the default scope.

For above two items, I want to know if there is actually a discrepancy between the correct-setup and the doc. Or it was something I am doing wrong? Honestly, strictly following the doc doesn't seem to allow me to setup a working project with Azure AD.

In terms of feedback,
For the appsetting section for Server API , one part mentioning : "To configure the server API app for a matching audience, set the Audience in the Server API app settings file...,
which then includes "Audience", "Authority", "ValidateAuthority"
However, Im not sure if this is actually needed for SERVER?
The template generated from Visual Studio and dotnet cli does not contains this section also. And when I setup the app without these 3 settings, it seems the authentication/authorization still function correctly.
I would feel much better if some explanation can be added here?

I am using NET5, and viewing the doc on web on 5.0 as well.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 3039ff79-ee86-20b1-0082-d3899a84c823
• Version Independent ID: af4a3a75-ae52-5f6d-2120-737bc2fefb07
• Content: Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory
• Content Source: aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory.md
• Product: aspnet-core
• Technology: aspnetcore-blazor
• GitHub Login: @guardrex
• Microsoft Alias: riande

[guardrex]

Hello @nickkfwong ... The document is correct. Unfortunately due to high priority and high volume 🏃😅 docs work at this time, it isn't possible to troubleshoot individual dev apps here. Your best bet for support is to reach out to the community for product support. We recommend the usual support channels ...

• Stack Overflow (tag: blazor)
• ASP.NET Core Slack Team
• Blazor Gitter

I can toss out in passing that the onmicrosoft.com domain doesn't determine trust/lack of trust all by itself. See the Azure docs on trusted/untrusted publisher domains for more info.

Blazor Server isn't addressed by this doc. Access ASP.NET Core web API docs for a web API experience with Blazor Server (and perhaps Azure docs+examples). Yes ... IIRC, you do need that scope. It's covered in the docs for web API IIRC.

For the content following ...

To configure the server API app for a matching audience ...

It ties in with the prior paragraph's instructions for ...

When working with a server API registered with AAD and the app's AAD registration is in an tenant that relies on an unverified publisher domain ...

Those two paragraphs and examples go together. I'll mark your comment on my UE pass tracking issue to clarify it by placing both of these instructions and examples into a separate sub-section. Thanks for mentioning this problem. I'll make sure to address it when I reach this node of topics.

[nickkfwong]

Hi @guardrex, Thanks for quick response and the clarification! I will check the ASP.NET web api core doc to get a complete understanding.
On the other hand, since that Blazor doc is somehow for "ASP.NET Core hosted" - does it means most part of it should follow the web api doc then? (Asking this because I was wondering if the scope setup (ie. Access.API) mentioned in Blazor doc is meaningful or not...?)

[guardrex]

since that Blazor doc is somehow for "ASP.NET Core hosted"

If by "that topic" you mean the web API topics (here and in the Azure docs), then no ... it doesn't apply to hosted Blazor WebAssembly.

• If you're building a hosted Blazor WebAssembly app, use this doc.
• If you're building a Blazor Server app, use the ASP.NET Core web API docs and other Azure docs+examples in the Azure doc set that apply to ASP.NET Core apps. They have a web API quickstart somewhere over there (I don't have the link handy) that explains the access_as_user scope and shows how to use it.

if the scope setup (ie. Access.API) mentioned in Blazor doc is meaningful or not...?)

It's only relevant in the context of this topic's subject: hosted Blazor WebAssembly app with AAD.

... and only if you use it. You can name it anything that you want. That's just what the example is for the topic.

[nickkfwong]

@guardrex

If you're building a hosted Blazor WebAssembly app, use this doc.

Yes Im exactly following this

You can name it anything that you want. That's just what the example is for the topic.

I see, That's good now! Big thanks!

[joaodotnet]

@guardrex I think the docs are not correct, like @nickkfwong said, in the docs when it says:

To configure the server API app for a matching audience, set the Audience in the Server API app settings file (appsettings.json) to match the app's audience provided by the Azure portal

Is not in the Server API app settings file that we need to add the Audience, is in the Client app settings file

[guardrex]

@joaodotnet ... It's in the Server's app's app settings file only if the publisher domain in use isn't a trusted/verified publisher.

Cross-reference: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-configure-publisher-domain

Having said that tho, Azure is a rapidly evolving platform. I plan to check all of the guidance for 6.0 when I reach this batch of topics on the UE passes that I'm making on #19286. I'll create a batch of 6.0 preview apps (RC1 release timeframe) for testing all of the main scenarios in all of the WASM topics. If something has changed, then I'll get right on it with a fix. Also note that there are no current issues regarding the docs guidance from readers, and my own 5.0 test apps are still running based on the guidance provided.