How do you configure OIDC for the dashboard using the starter template?

[los93sol]

I'm playing with the starter template and trying to enable OIDC login to the dashboard, but no matter what I do it continues to used BrowserToken. I read something in the docs the leads me to believe OIDC can only be setup for standalone mode, but why is that the case? It looks like there's a clean split between where the resources send data to the app host and the user login to the app host so I'm trying to understand if this is something that currently works and if so how you set it up.

[los93sol]

I was able to get this to work, but it required a lot of hackery and several steps to bypass things.

I had to set the following in appsettings.json of the AppHost project

"DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS": true,
"AppHost": {
  "OtlpApiKey": "random key",
  "ResourceService": {
    "AuthMode": "ApiKey",
    "ApiKey": "random key"
  }
}

The next trick to this is to add a custom IDistributedApplicationLifecycleHook something like....

internal class HookHack : IDistributedApplicationLifecycleHook
{
    public Task BeforeStartAsync(DistributedApplicationModel appModel, CancellationToken cancellationToken)
    {
        if (appModel.Resources.SingleOrDefault(r => r.Name == "aspire-dashboard") is { } dashboardResource)
        {
            dashboardResource.Annotations.Add(new EnvironmentCallbackAnnotation(context =>
            {
                context.EnvironmentVariables["Dashboard__Frontend__AuthMode"] = "OpenIdConnect";

                context.EnvironmentVariables["Dashboard__Frontend__OpenIdConnect__RequiredClaimType"] = "someClaim";
                context.EnvironmentVariables["Dashboard__Frontend__OpenIdConnect__RequiredClaimValue"] = "someValue";

                context.EnvironmentVariables["Authentication__Schemes__OpenIdConnect__MetadataAddress"] = "https://example.com/.well-known/openid-configuration";
                context.EnvironmentVariables["Authentication__Schemes__OpenIdConnect__ClientId"] = "clientId";
                context.EnvironmentVariables["Authentication__Schemes__OpenIdConnect__ClientSecret"] = "clientSecret";

            }));
        }

        return Task.CompletedTask;
    }
}

Then you have to register that in Program with....

builder.Services.AddLifecycleHook<HookHack>();

So let's break down why all this is necessary....

aspire/src/Aspire.Hosting/DistributedApplicationBuilder.cs

Line 206 in 69cabab

if (!IsDashboardUnsecured(_innerBuilder.Configuration))

Here you can see that whenever the dashboard is secured (which it is by default) then it automatically sets...

AppHost:OtlpApiKey to a generated token
AppHost:BrowserToken to a generated token
AppHost:ResourceService:AuthMode to ApiKey
AppHost:ResourceService:ApiKey to a generated token

We actually want it to do all of that EXCEPT set the BrowserToken, so the modification to the AppHost section of appsettings.json prevents this block from running while still setting the things we need, although, not in a way that you would ever want to use outside of this testing setup.

Now let's take a look at why we need the custom lifecycle hook...

aspire/src/Aspire.Hosting/Dashboard/DashboardLifecycleHook.cs

Line 218 in 69cabab

if (!string.IsNullOrEmpty(browserToken))

Here we see that Dashboard:Frontend_AuthType will only ever get set to BrowserToken or Unsecured so the only way I could see that we could override that was with the custom lifecycle hook that runs AFTER this one to set that to OpenIdConnect. If it were supported here then I believe it would be easy enough to just copy values for Dashboard:Frontend:OpenIdConnect and Authentication:Schemes:OpenIdConnect into the EnvironmentCallbackContext and you would be done.

Now, onto the questions....

This appears to work just fine so was it by design for some reason that it appears to be explicitly ignored or just an oversight when OIDC was added?

[davidfowl]

Why do you want to use OIDC auth for local development?

[los93sol]

Why do you want to use OIDC auth for local development?

For typical cycles I don’t technically need to, but when taking things to any other environment I would use OIDC. I typically run local dev setup as close to a real config as I can so seemed logical to give this a go and learn a bit about the inner workings in the process

[davidfowl]

I understand it for leaning but we don't test this scenario because when you are running with the app host, it's a local developer scenario so we don't test or optimize for any auth besides browser token

[los93sol]

I put together a PR for this