From ca008528a351b102d88325ac79cad45be676090f Mon Sep 17 00:00:00 2001
From: Luke Latham <1622880+guardrex@users.noreply.github.com>
Date: Mon, 21 Oct 2024 07:37:08 -0400
Subject: [PATCH] Sensitive terms with GUIDs in Blazor node (#33885)
---
aspnetcore/blazor/fundamentals/routing.md | 2 +-
aspnetcore/blazor/security/blazor-web-app-with-oidc.md | 10 +++++-----
.../blazor/security/includes/authorize-client-app.md | 2 +-
.../blazor/security/includes/troubleshoot-wasm.md | 4 ++--
.../hosted-with-azure-active-directory-b2c.md | 4 ++--
.../webassembly/hosted-with-microsoft-entra-id.md | 4 ++--
.../microsoft-entra-id-groups-and-roles-net-5-to-7.md | 7 +++----
.../webassembly/microsoft-entra-id-groups-and-roles.md | 7 +++----
.../blazor/tutorials/movie-database-app/part-4.md | 2 +-
9 files changed, 20 insertions(+), 22 deletions(-)
diff --git a/aspnetcore/blazor/fundamentals/routing.md b/aspnetcore/blazor/fundamentals/routing.md
index aef6f2a2c5f4..2743d86a34c6 100644
--- a/aspnetcore/blazor/fundamentals/routing.md
+++ b/aspnetcore/blazor/fundamentals/routing.md
@@ -372,7 +372,7 @@ Constraint | Example | Example Matches | Invariant
culture
matching
`decimal` | `{price:decimal}` | `49.99`, `-1,000.01` | Yes
`double` | `{weight:double}` | `1.234`, `-1,001.01e8` | Yes
`float` | `{weight:float}` | `1.234`, `-1,001.01e8` | Yes
-`guid` | `{id:guid}` | `CD2C1638-1638-72D5-1638-DEADBEEF1638`, `{CD2C1638-1638-72D5-1638-DEADBEEF1638}` | No
+`guid` | `{id:guid}` | `00001111-aaaa-2222-bbbb-3333cccc4444`, `{00001111-aaaa-2222-bbbb-3333cccc4444}` | No
`int` | `{id:int}` | `123456789`, `-123456789` | Yes
`long` | `{ticks:long}` | `123456789`, `-123456789` | Yes
`nonfile` | `{parameter:nonfile}` | Not `BlazorSample.styles.css`, not `favicon.ico` | Yes
diff --git a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md
index 0c56f1b85a9a..640ca1a3f622 100644
--- a/aspnetcore/blazor/security/blazor-web-app-with-oidc.md
+++ b/aspnetcore/blazor/security/blazor-web-app-with-oidc.md
@@ -116,7 +116,7 @@ The following If you don't have the authority to grant admin consent to the tenant in the last step of **API permissions** configuration because consent to use the app is delegated to users, then you must take the following additional steps:
>
> * The app must use a [trusted publisher domain](/entra/identity-platform/howto-configure-publisher-domain).
-> * In the **`Server`** app's configuration in the Azure portal, select **Expose an API**. Under **Authorized client applications**, select the button to **Add a client application**. Add the **`Client`** app's Application (client) ID (for example, `4369008b-21fa-427c-abaa-9b53bf58e538`).
+> * In the **`Server`** app's configuration in the Azure portal, select **Expose an API**. Under **Authorized client applications**, select the button to **Add a client application**. Add the **`Client`** app's Application (client) ID (for example, `11112222-bbbb-3333-cccc-4444dddd5555`).
diff --git a/aspnetcore/blazor/security/includes/troubleshoot-wasm.md b/aspnetcore/blazor/security/includes/troubleshoot-wasm.md
index 165e14077ecb..9b25c972ca9d 100644
--- a/aspnetcore/blazor/security/includes/troubleshoot-wasm.md
+++ b/aspnetcore/blazor/security/includes/troubleshoot-wasm.md
@@ -210,10 +210,10 @@ Example JWT decoded by the tool for an app that authenticates against Azure AAD
"exp": 1610059429,
"nbf": 1610055829,
"ver": "1.0",
- "iss": "https://mysiteb2c.b2clogin.com/5cc15ea8-a296-4aa3-97e4-226dcc9ad298/v2.0/",
+ "iss": "https://mysiteb2c.b2clogin.com/11112222-bbbb-3333-cccc-4444dddd5555/v2.0/",
"sub": "aaaaaaaa-0000-1111-2222-bbbbbbbbbbbb",
"aud": "00001111-aaaa-2222-bbbb-3333cccc4444",
- "nonce": "b2641f54-8dc4-42ca-97ea-7f12ff4af871",
+ "nonce": "bbbb0000-cccc-1111-dddd-2222eeee3333",
"iat": 1610055829,
"auth_time": 1610055822,
"idp": "idp.com",
diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md
index b727b34d3942..e3ca1104ce14 100644
--- a/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md
+++ b/aspnetcore/blazor/security/webassembly/hosted-with-azure-active-directory-b2c.md
@@ -137,7 +137,7 @@ The output location specified with the `-o|--output` option creates a project fo
*The guidance in this section covers optionally populating `User.Identity.Name` with the value from the `name` claim.*
-The **:::no-loc text="Server":::** app API populates `User.Identity.Name` with the value from the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` claim type (for example, `2d64b3da-d9d5-42c6-9352-53d8df33d770@contoso.onmicrosoft.com`).
+The **:::no-loc text="Server":::** app API populates `User.Identity.Name` with the value from the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` claim type (for example, `aaaabbbb-0000-cccc-1111-dddd2222eeee@contoso.onmicrosoft.com`).
To configure the app to receive the value from the `name` claim type:
@@ -358,7 +358,7 @@ Example default access token scope:
```csharp
options.ProviderOptions.DefaultAccessTokenScopes.Add(
- "https://contoso.onmicrosoft.com/41451fa7-82d9-4673-8fa5-69eff5a761fd/API.Access");
+ "https://contoso.onmicrosoft.com/00001111-aaaa-2222-bbbb-3333cccc4444/API.Access");
```
For more information, see the following sections of the *Additional scenarios* article:
diff --git a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md
index 2f865310c285..efa05e4b3214 100644
--- a/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md
+++ b/aspnetcore/blazor/security/webassembly/hosted-with-microsoft-entra-id.md
@@ -141,7 +141,7 @@ The output location specified with the `-o|--output` option creates a project fo
*The guidance in this section covers optionally populating `User.Identity.Name` with the value from the `name` claim.*
-The **:::no-loc text="Server":::** app API populates `User.Identity.Name` with the value from the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` claim type (for example, `2d64b3da-d9d5-42c6-9352-53d8df33d770@contoso.onmicrosoft.com`).
+The **:::no-loc text="Server":::** app API populates `User.Identity.Name` with the value from the `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name` claim type (for example, `bbbb0000-cccc-1111-dddd-2222eeee3333@contoso.onmicrosoft.com`).
To configure the app to receive the value from the `name` claim type:
@@ -464,7 +464,7 @@ Instead of the App ID URI matching the format `api://{SERVER API APP CLIENT ID O
```csharp
options.ProviderOptions.DefaultAccessTokenScopes
- .Add("https://contoso.onmicrosoft.com/41451fa7-82d9-4673-8fa5-69eff5a761fd/API.Access");
+ .Add("https://contoso.onmicrosoft.com/00001111-aaaa-2222-bbbb-3333cccc4444/API.Access");
```
In the preceding scope, the App ID URI/audience is the `https://contoso.onmicrosoft.com/00001111-aaaa-2222-bbbb-3333cccc4444` portion of the value, which doesn't include a trailing slash (`/`) and doesn't include the scope name (`API.Access`).
diff --git a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles-net-5-to-7.md b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles-net-5-to-7.md
index 19582aa4c709..8e042aebfabd 100644
--- a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles-net-5-to-7.md
+++ b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles-net-5-to-7.md
@@ -542,7 +542,7 @@ When working with the default directory, follow the guidance in [Add app roles t
],
"description": "Administrators manage developers.",
"displayName": "Admin",
- "id": "584e483a-7101-404b-9bb1-83bf9463e335",
+ "id": "{ADMIN GUID}",
"isEnabled": true,
"lang": null,
"origin": "Application",
@@ -554,7 +554,7 @@ When working with the default directory, follow the guidance in [Add app roles t
],
"description": "Developers write code.",
"displayName": "Developer",
- "id": "82770d35-2a93-4182-b3f5-3d7bfe9dfe46",
+ "id": "{DEVELOPER GUID}",
"isEnabled": true,
"lang": null,
"origin": "Application",
@@ -563,8 +563,7 @@ When working with the default directory, follow the guidance in [Add app roles t
],
```
-> [!NOTE]
-> You can generate GUIDs with an [online GUID generator program (Google search result for "guid generator")](https://www.google.com/search?q=guid+generator).
+For the `{ADMIN GUID}` and `{DEVELOPER GUID}` placeholders in the preceding example, you can generate GUIDs with an [online GUID generator (Google search result for "guid generator")](https://www.google.com/search?q=guid+generator).
To assign a role to a user (or group if you have a Premium tier Azure account):
diff --git a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md
index a3692d2c9047..42140e821e42 100644
--- a/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md
+++ b/aspnetcore/blazor/security/webassembly/microsoft-entra-id-groups-and-roles.md
@@ -282,7 +282,7 @@ Take either of the following approaches add app roles in ME-ID:
],
"description": "Administrators manage developers.",
"displayName": "Admin",
- "id": "584e483a-7101-404b-9bb1-83bf9463e335",
+ "id": "{ADMIN GUID}",
"isEnabled": true,
"lang": null,
"origin": "Application",
@@ -294,7 +294,7 @@ Take either of the following approaches add app roles in ME-ID:
],
"description": "Developers write code.",
"displayName": "Developer",
- "id": "82770d35-2a93-4182-b3f5-3d7bfe9dfe46",
+ "id": "{DEVELOPER GUID}",
"isEnabled": true,
"lang": null,
"origin": "Application",
@@ -303,8 +303,7 @@ Take either of the following approaches add app roles in ME-ID:
],
```
- > [!NOTE]
- > You can generate GUIDs with an [online GUID generator program (Google search result for "guid generator")](https://www.google.com/search?q=guid+generator).
+ For the `{ADMIN GUID}` and `{DEVELOPER GUID}` placeholders in the preceding example, you can generate GUIDs with an [online GUID generator (Google search result for "guid generator")](https://www.google.com/search?q=guid+generator).
To assign a role to a user (or group if you have a Premium tier Azure account):
diff --git a/aspnetcore/blazor/tutorials/movie-database-app/part-4.md b/aspnetcore/blazor/tutorials/movie-database-app/part-4.md
index b44113a9a302..908f783c1bf5 100644
--- a/aspnetcore/blazor/tutorials/movie-database-app/part-4.md
+++ b/aspnetcore/blazor/tutorials/movie-database-app/part-4.md
@@ -95,7 +95,7 @@ For local development, configuration obtains the database connection string from
The following is an example connection string:
-> :::no-loc text="Server=(localdb)\\mssqllocaldb;Database=BlazorWebAppMoviesContext-c347f669-bddf-56a3-a32e-7fe010306593;Trusted_Connection=True;MultipleActiveResultSets=true":::
+> :::no-loc text="Server=(localdb)\\mssqllocaldb;Database=BlazorWebAppMoviesContext-00001111-aaaa-2222-bbbb-3333cccc4444;Trusted_Connection=True;MultipleActiveResultSets=true":::
When the app is deployed to a test/staging or production server, securely store the connection string outside of the project's configuration files.