kawa
c23039efa1
The app stuck on "Chargement…" after sign-in because the interactive Blazor circuit came up anonymous: no auth cookie reached this origin. Root cause was the deployment (plain HTTP on an IP, http://host:8080), which Microsoft OIDC cannot serve — Entra forbids http redirect URIs for non-localhost hosts, so the sign-in cookie never lands on the origin. Changes: - ForwardedHeaders (X-Forwarded-Proto/For) so that behind a TLS proxy the app sees the real https scheme, builds a matching OIDC redirect_uri, and sets the auth cookie Secure. Proxy IP unknown in-container → known proxy/network restrictions cleared. - First-run bootstrap: seed a local admin (Bootstrap__AdminEmail / Bootstrap__AdminPassword) when that email has no account, so HTTP/LAN deployments that can't use OIDC can sign in via the local form. Idempotent. - OIDC SaveTokens=false: the cookie-stored access/id/refresh tokens were never read (SharePoint/Graph auth uses the separate connect-flow + cert paths). Dropping them keeps the auth cookie small/unchunked. - AppInitializer now logs which branch leaves UserContext unseeded (unauthenticated principal / missing claim / no user row) instead of failing silently — this is what surfaced the anonymous-circuit cause. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SharePoint Toolbox
A web admin toolbox for Microsoft 365 / SharePoint Online, built with Blazor Server (.NET 10) and Microsoft Graph.
Features
- Site management — bulk site creation, folder-structure provisioning, templates
- Members & permissions — bulk member add, permission inspection
- Content tools — search, duplicate finder, file transfer, storage usage, version cleanup
- Reporting — on-demand reports, scheduled reports (unattended via app-only cert auth)
- Auditing — tenant-wide user-access audit (SP + M365/AAD group expansion)
- Directory — user directory browsing
- Multi-tenant via connection profiles. EN / FR localization.
Requirements
- An Entra ID (Azure AD) app registration — see Configuration
- Docker, or the .NET 10 SDK for bare-metal
Configuration
Authentication uses Microsoft OIDC (interactive sign-in) and, for scheduled reports, app-only certificate auth.
Set these as environment variables (or in appsettings.json under the Oidc section). .NET maps Section__Key to Section:Key.
| Variable | Description |
|---|---|
Oidc__TenantId |
Entra tenant GUID |
Oidc__ClientId |
App registration client ID |
Oidc__ClientSecret |
App registration client secret |
ClientConnect__RedirectUri |
Public callback URL, e.g. https://your-host/connect/callback |
DataFolder |
Persistent data path (default /data) |
ASPNETCORE_ENVIRONMENT |
Must be Production to enable OIDC |
In
Development, OIDC is disabled — the app uses a cookie-only auto-login (hardcoded Admin) for local work.
Entra app registration must include redirect URI https://your-host/signin-oidc and the Graph permissions required by the audit/reporting features (GroupMember.Read.All, Group.Read.All, User.Read.All).
Persistent state (profiles, settings, templates, logs, exports, certs) lives in DataFolder.
Installation — Docker
docker compose up -d --build
App listens on http://localhost:8080. Data persists in the sptb-data volume.
Set your OIDC values in docker-compose.yml under environment:, or pass an env file:
environment:
- ASPNETCORE_ENVIRONMENT=Production
- DataFolder=/data
- Oidc__TenantId=...
- Oidc__ClientId=...
- Oidc__ClientSecret=...
- ClientConnect__RedirectUri=https://your-host/connect/callback
Plain Docker (no compose):
docker build -t sptb-web .
docker run -d -p 8080:8080 \
-v sptb-data:/data \
-e ASPNETCORE_ENVIRONMENT=Production \
-e Oidc__TenantId=... \
-e Oidc__ClientId=... \
-e Oidc__ClientSecret=... \
-e ClientConnect__RedirectUri=https://your-host/connect/callback \
sptb-web
Installation — Bare metal
Requires the .NET 10 SDK.
# Restore + build
dotnet restore
dotnet publish -c Release -o ./publish
# Configure (PowerShell example)
$env:ASPNETCORE_ENVIRONMENT = "Production"
$env:DataFolder = "C:\sptb-data"
$env:Oidc__TenantId = "..."
$env:Oidc__ClientId = "..."
$env:Oidc__ClientSecret = "..."
$env:ClientConnect__RedirectUri = "https://your-host/connect/callback"
# Run
dotnet ./publish/SharepointToolbox.Web.dll
By default it listens on the Kestrel port (http://localhost:5000). Override with ASPNETCORE_URLS, e.g. http://+:8080.
Local development
dotnet run
Runs in Development mode — OIDC off, auto-login as Admin. No Entra config needed.
Tech stack
.NET 10 · Blazor Server · Microsoft Graph SDK · PnP.Framework · Serilog · CsvHelper