I'll answer as much as I can, and then Stephen Halter can correct me on anything and possibly add additional remarks. I have a couple of questions at the end that pertain to docs.

Here's a little rundown on where things are at with this scenario (BWA calling a secure external web API) AFAIK ...

We defer to the main doc set for regular ASP.NET Core web API coverage for general basics and external web API setup and configuration, including security ...

• https://learn.microsoft.com/aspnet/core/security/authentication/configure-jwt-bearer-authentication
• https://learn.microsoft.com/aspnet/core/fundamentals/minimal-apis/security
• https://learn.microsoft.com/aspnet/core/security/authentication/jwt-authn
• https://learn.microsoft.com/aspnet/core/security/cors

On the Blazor side, we just needed to pass tokens into Blazor so that Razor components could make requests to web APIs. Now, the following link is for .NET 7 or earlier (Blazor Server, NOT Blazor Web Apps) ...

https://learn.microsoft.com/aspnet/core/blazor/security/additional-scenarios?view=aspnetcore-7.0#pass-tokens-to-a-server-side-blazor-app

Blazor Web Apps came on the scene at .NET 8. There were problems/challenges with the passing token approach that works in Blazor Server apps, so we told devs the following (this link is to the current content) ...

https://learn.microsoft.com/aspnet/core/blazor/security/additional-scenarios?view=aspnetcore-9.0#pass-tokens-to-a-server-side-blazor-app

... and you can refer to those cross-links in the product unit's repo to learn more ... especially this Halter remark ... dotnet/aspnetcore#52390 (comment).

To make external web APIs work well with Blazor Web Apps (.NET 8 or later) ... and also to take advantage of the other benefits of the BFF pattern ... we added an article+sample for the BFF pattern for Blazor Web Apps ...

https://learn.microsoft.com/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-9.0&pivots=with-bff-pattern

My current understanding is that the product unit recommends that you adopt the BFF pattern.

☝ That's the direct answer to your question, @mihirpatelipsos, AFAIK.

That article+sample is OIDC, which will run with Entra. The article even has a section on using Entra for roles/security groups/AAD built-in Admin Roles authentication. If header length is a problem with the approach in that section because users have many roles and/or security groups, it refers the dev to Microsoft Graph coverage so that the claims are obtained outside of headers. Also, the article+sample (especially the sample anyway in it's Program file config) explains scope configuration for the weather data web API using Entra. You would base your web API setup on the weather data web API in the article+sample, which is a separate app (MinimalApiJwt) ... which is what you're asking about.

My questions for Stephen are ...

1. The current BFF-patterned article+sample is OIDC. It shouldn't be very hard for a dev to convert that OIDC sample over to MS Identity Web packages and API for Azure hosting with Entra. Do you prefer the status quo on the coverage that we have, or should we have a BFF pattern article+sample for MS Identity Web packages/Entra with Azure hosting? I think if you want me to add that, we can do what we've done in the past: I'll work it up into a PR within the new few weeks and then ping you for review. Otherwise, we'll not take any action and just close this issue as a 'won't fix' for the docs and continue to refer devs to the BFF-OIDC article+sample.

2. Just to clarify that when you work the Access AuthenticationStateProvider in outgoing request middleware (dotnet/aspnetcore #52379) issue that the passing tokens scenario that we used to describe for Blazor Server will work in the global interactive Server BWA case? If that's right, then I'll be able to bring back coverage similar to the old Blazor Server coverage for global interactive Server BWAs, possibly adding a section to the Secure an ASP.NET Core Blazor Web App with Microsoft Entra ID article on it as well. It's covered by an existing docs issue at Update section on passing tokens in Blazor Web Apps #31691 for .NET 10 article work. Then beyond global Interactive Server, we can discuss what to cover for global interactive Auto solutions based on passing tokens and how it might affect the existing articles+samples, if at all.

3. One more added question ... not related directly to this, but it is related to the OIDC article+samples. When you were working on Pushed Authorization Requests (PAR) for the framework, did you happen to hear if/when Entra would be supporting PAR? There's not a peep on it anywhere AFAICT.

One more thing, @mihirpatelipsos ...

I'm making improvements to help surface the various articles and samples on Secure data with Interactive Auto rendering (dotnet/AspNetCore.Docs #34765). The BFF pattern OIDC approach is being added to the Call web API article, along with the other new articles+samples.

... I might revise that further after I hear Halter's response to my comments ☝.

Note to Stephen Halter ... that PR is still stuck waiting on further feedback/updates. However, I did place the language of main concern into a PR comment that you might be able to review quickly to allow me to merge that PR ...

#34765 (comment)

Thanks a lot @guardrex . I'll review your note and get back to you with any questions.

Meanwhile I tried OIDC with BFF pattern and it worked with single API scenario, but I am trying to access multiple downstream APIs and it seems OIDC was failing with static scope limit exceeded error.

Code:

I see! Halter (and/or Javier) will need to remark on that. Let's do this for that error to get you a faster response ........

Open an issue for the product unit here ...

https://github.com/dotnet/aspnetcore/issues

Just tell them them that you're following the BWA with OIDC (BFF pattern) article and sample ...

• https://learn.microsoft.com/en-us/aspnet/core/blazor/security/blazor-web-app-with-oidc?view=aspnetcore-9.0&pivots=with-bff-pattern
• https://github.com/dotnet/blazor-samples/tree/main/9.0/BlazorWebAppOidcBff

Show them that error and see if they can help you get that running.

Please add ...

cc: @guardrex https://github.com/dotnet/AspNetCore.Docs/issues/34927

... to the bottom of your opening comment so that I can follow along. What I think is going to happen is that I'm going to end up opening a new issue for that article for that error scenario. That will cover it separately from this issue.

This issue can just be about how we address BWAs with external web APIs generally. I'll ping Halter tomorrow after you have a chance to add any of your own questions to my three questions.

Thanks a lot @guardrex .
The issue is now created here.

dotnet/aspnetcore#60868

Thanks ... I'll keep an 👁 on that.

... and I'll reach out to Stephen Halter later today about this issue.

We chatted offline, and ....... 🥁🥁🥁 .......

🎆 Yes! 🎉

I'll place a BWA BFF sample with MS Identity Web packages for devs seeking to host in Azure with Entra and with a separate web API for multiple frontend apps. It's a nice layout for Microsoft-y-ish peeps! I'll try get to it later this week or early next week. I'll ping you on the PR when it goes up.

As for the issue you opened for the OIDC sample, I'll keep an 👁 on that to see where it goes. If it's a framework bug, I might need to add something to the article about it. If it is some sort of misconfiguration of the sample, then I'll fix it ... whatever it is.

Side question for you, @mihirpatelipsos ... When you run the OIDC BFF sample, are you getting the stylesheet to load correctly for the app because I'm making an Entra version of it, and I'm not getting styles ...

However, the @import 'BlazorWebAppEntra.Client.4vsgcqpzsk.bundle.scp.css'; seems to be working fine ...

Hi @guardrex, yes it is working fine in OIDC version.

👽

Strange! ... I'll study it a bit more and see if I can figure out what's going wrong with it.

Otherwise, I'm off to a good start. The app is running (with Aspire), log in and log out are working. I'm at the stage of working on the access token for the weather data. I'm probably going to stop here for the day and pick back up with it tomorrow morning. So far, so good! ... well ... except for the styles not getting applied correctly! 🙈😆

😆

Well! That was simple enough to fix!!! ...... Delete the obj/bin folders of the BWA server and client projects! 🙈😝

Ok ... I'll pick back up with the weather data web API piece tomorrow.

Hi @guardrex , Just checking in to see what's the latest with this?

Working on it right now.

I have the app working with Entra, including weather forecast data coming down from the web API. However, the docs that they have on implementing the MSAL-based in-memory token cache (i.e., not saving tokens to the cookie) aren't helping me understand why the HttpContext doesn't include the access token when SaveTokens isn't set. I'll need at least today and tomorrow morning to either get it working and ping Halter or just put up what I have and ping Halter on how to make it work.

NOTE TO SELF 🦖

When the article pivot or article goes up, the Call web API and Security > Index articles will need a cross-link paragraph to it. Done! 👍

Ok ... I think I have at least the basics to make it work using the in-memory token provider.

https://github.com/dotnet/blazor-samples/tree/guardrex/bwa-oidc-bff-entra-sample/9.0/BlazorWebAppEntraBff

DON'T actually use that for a production app! 🙈 ... It's bound to have nasty 🦖💩👃 code smells in it until Halter can tell me how to finish it up.

For one thing, I didn't implement the OIDC cookie refresh piece that he has in the OIDC version of the sample. I'm not sure if he wants that left in place or not.

However! 🎉 ... The basics of the app are working, and I'm happy with it thus far.

I'll contact Halter now offline to see when he can look and provide feedback on it. I'll keep you posted. UPDATE: Done! 👍 I just sent him an email with a couple of questions and asking if he'll look at the draft sample app and provide suggested changes. I'll keep you posted here.

The latest news is GOOD NEWS 👍 on the sample app. Halter says that it's fairly close to what we need 🎉. I am supposed to remove 🔪 the OIDC cookie refresher bits. He says that they aren't needed with MS Identity Web. I'm also probably going to change the way that the Weather.Get scope is constructed from configuration. Other than those two NIT items, the sample is probably fine. I'll probably be working on it further in the morning (Wednesday), including possibly merging the sample into the Blazor samples repo. I might even be able to write up the article pivot to go with the sample app.