Hi,
On a customer project we have upgraded one project to use Blazor Server, so to make it work with authentication I have removed UseTokenCookie = false; I had this on the previous version to get the bearer token.
Currently my Xamarin Forms worked with Bearer and Refresh Token; now the services do not return tokens anymore. I guess it is expected to work with cookies now? Is there a way to still get the bearer and refresh token?
Is the ServiceStack client going to store cookies client side for me?
I have tried to get the token with client.GetTokenCookie(), but after a successful authentication it returns null.
Yes, UseTokenCookie=true is the default since v6 which only sends the JWT Tokens over Secure HttpOnly Cookies.
GetTokenCookie() and GetRefreshTokenCookie() are what you should be able to use to get the ss-tok and ss-reftok cookies respectively. What ServiceClient are you using? I’d recommend using the same JsonApiClient as your Blazor project.
The clients don’t have any special behavior for Xamarin; it all behaves the same way, where during usage the cookies are maintained in client.CookieContainer, which is where the ss-tok and ss-reftok cookies should be stored after Authentication.
Ok, looks like the GlobalHttpMessageHandlerFactory takes over the HttpClientHandler construction, try configuring it to use the same CookieContainer, something like:
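using System.Net;
using System.Net.Http;
using ServiceStack;
using Xamarin.Android.Net;

// One container shared by the client and by every handler the factory creates
var cookieContainer = new CookieContainer();
var client = new JsonHttpClient(baseUrl) {
    CookieContainer = cookieContainer
};
JsonHttpClient.GlobalHttpMessageHandlerFactory = new Func<HttpMessageHandler>(() =>
    new AndroidMessageHandler() {
        // Accepts every server certificate, i.e. TLS certificate validation is disabled
        ServerCertificateCustomValidationCallback = (msg, cert, arg3, arg4) => true,
        CookieContainer = cookieContainer
    });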
Ok, I got it working. I had to change these in the AppHost; maybe it is something strange on the server that was causing some issues, I have a Cloudflare DNS in front.
Not seeing how this would help in a C# app, as HTTP Only cookies should only prevent JavaScript in a webpage from accessing the cookies. It would be an issue with Blazor WASM since all HTTP access is still going through fetch/Web sandbox, but this is a native Android app that isn’t going through a Web View, right?
Are you just using DNS or are the calls going through a Cloudflare reverse proxy? Is it doing SSL termination?
Also weird that you’re able to Authenticate & call protected APIs but not access the cookies since you need cookies to call authenticated services.
IMO we’d need to see the HTTP Headers (with sensitive info scrubbed) to see if it provides any more insight into the behavior.
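The cookie behaviour discussed in this thread, as an added C# example that is not part of any post: in .NET code an HttpOnly cookie is readable from a CookieContainer, a Secure cookie is only returned for an https URI, and a container that is not the one the handler uses stays empty. The host name and cookie values are constructed placeholders, and the two containers are assumptions standing in for the handler's and the service client's.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added illustration; host name and cookie values are constructed placeholders.
public static class CookieJarDemo
{
    // Describes the cookies in `jar` that would be sent with a request to `uri`.
    static string Visible(CookieContainer jar, Uri uri)
    {
        var names = new List<string>();
        foreach (Cookie c in jar.GetCookies(uri))
            names.Add($"{c.Name} (Secure={c.Secure}, HttpOnly={c.HttpOnly})");
        return names.Count == 0 ? "<none>" : string.Join(", ", names);
    }

    public static void Main()
    {
        var https = new Uri("https://api.example.test:8443/");
        var http = new Uri("http://api.example.test:8443/");

        // Container owned by the HTTP handler that actually performs the requests.
        var handlerJar = new CookieContainer();
        // Container exposed on the service client; separate unless explicitly shared.
        var clientJar = new CookieContainer();

        // Simulate the Set-Cookie headers of a successful authentication response.
        handlerJar.SetCookies(https, "ss-tok=constructed.jwt; path=/; secure; httponly");
        handlerJar.SetCookies(https, "ss-reftok=constructed.refresh; path=/; secure; httponly");

        // HttpOnly does not hide the cookies from .NET code.
        Console.WriteLine("handler jar, https: " + Visible(handlerJar, https));
        // Secure cookies are withheld for a plain-http URI on the same host and port.
        Console.WriteLine("handler jar, http : " + Visible(handlerJar, http));
        // A container the handler never wrote to has nothing to return.
        Console.WriteLine("client jar,  https: " + Visible(clientJar, https));
    }
}
```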
Yeah, it is a very strange behaviour. I will try to send more data; right now I’m in a rush to fix other issues…
But yeah, we are using an unusual configuration with Cloudflare.
The customer has a messy setup, so we had to use proxied DNS entries on Cloudflare; HTTPS is handled by him, and on the server we have an Origin Certificate. Also we are using a non-default port, 8443, as they have occupied the standard HTTPS port with other IIS sites and we can’t touch it.
If i have more time later today I will do more testing and let you know.
BTW, thanks for the support.