kawa
ebda614aaa
Two deployment-breaking issues caused 404s on protected pages after a container recreate: 1. DataProtection keys were stored in the container's ephemeral home dir. Every redeploy regenerated them, invalidating all auth cookies (users silently logged out) and — worse — making the app-only certs encrypted under /data/appcerts undecryptable. Persist keys to /data/dpkeys with a stable application name so they survive recreates. 2. DefaultChallengeScheme was OpenIdConnect, so a logged-out request to any [Authorize] Blazor page forced an OIDC challenge. When OIDC is unconfigured/unreachable the challenge throws and the request 404s, with no path to the login page. Challenge the cookie scheme instead, which redirects to /account/login (the combined local + Microsoft page). OIDC is still triggered explicitly from /account/login/entra. Also harden the container image: - Pin base images to exact patch (sdk:10.0.300, aspnet:10.0.8). Floating :10.0 tags drift; a stale/pre-GA SDK base silently drops blazor.web.js from the publish manifest, 404ing framework assets in production. - Install curl and switch the compose healthcheck to it (the aspnet image ships no wget/curl, so the old healthcheck always reported unhealthy). Probe /account/login (anonymous, 200) since / now 302-redirects. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
SharePoint Toolbox
A web admin toolbox for Microsoft 365 / SharePoint Online, built with Blazor Server (.NET 10) and Microsoft Graph.
Features
- Site management — bulk site creation, folder-structure provisioning, templates
- Members & permissions — bulk member add, permission inspection
- Content tools — search, duplicate finder, file transfer, storage usage, version cleanup
- Reporting — on-demand reports, scheduled reports (unattended via app-only cert auth)
- Auditing — tenant-wide user-access audit (SP + M365/AAD group expansion)
- Directory — user directory browsing
- Multi-tenant via connection profiles. EN / FR localization.
Requirements
- An Entra ID (Azure AD) app registration — see Configuration
- Docker, or the .NET 10 SDK for bare-metal
Configuration
Authentication uses Microsoft OIDC (interactive sign-in) and, for scheduled reports, app-only certificate auth.
Set these as environment variables (or in appsettings.json under the Oidc section). .NET maps Section__Key to Section:Key.
| Variable | Description |
|---|---|
Oidc__TenantId |
Entra tenant GUID |
Oidc__ClientId |
App registration client ID |
Oidc__ClientSecret |
App registration client secret |
ClientConnect__RedirectUri |
Public callback URL, e.g. https://your-host/connect/callback |
DataFolder |
Persistent data path (default /data) |
ASPNETCORE_ENVIRONMENT |
Must be Production to enable OIDC |
In
Development, OIDC is disabled — the app uses a cookie-only auto-login (hardcoded Admin) for local work.
Entra app registration must include redirect URI https://your-host/signin-oidc and the Graph permissions required by the audit/reporting features (GroupMember.Read.All, Group.Read.All, User.Read.All).
Persistent state (profiles, settings, templates, logs, exports, certs) lives in DataFolder.
Installation — Docker
docker compose up -d --build
App listens on http://localhost:8080. Data persists in the sptb-data volume.
Set your OIDC values in docker-compose.yml under environment:, or pass an env file:
environment:
- ASPNETCORE_ENVIRONMENT=Production
- DataFolder=/data
- Oidc__TenantId=...
- Oidc__ClientId=...
- Oidc__ClientSecret=...
- ClientConnect__RedirectUri=https://your-host/connect/callback
Plain Docker (no compose):
docker build -t sptb-web .
docker run -d -p 8080:8080 \
-v sptb-data:/data \
-e ASPNETCORE_ENVIRONMENT=Production \
-e Oidc__TenantId=... \
-e Oidc__ClientId=... \
-e Oidc__ClientSecret=... \
-e ClientConnect__RedirectUri=https://your-host/connect/callback \
sptb-web
Installation — Bare metal
Requires the .NET 10 SDK.
# Restore + build
dotnet restore
dotnet publish -c Release -o ./publish
# Configure (PowerShell example)
$env:ASPNETCORE_ENVIRONMENT = "Production"
$env:DataFolder = "C:\sptb-data"
$env:Oidc__TenantId = "..."
$env:Oidc__ClientId = "..."
$env:Oidc__ClientSecret = "..."
$env:ClientConnect__RedirectUri = "https://your-host/connect/callback"
# Run
dotnet ./publish/SharepointToolbox.Web.dll
By default it listens on the Kestrel port (http://localhost:5000). Override with ASPNETCORE_URLS, e.g. http://+:8080.
Local development
dotnet run
Runs in Development mode — OIDC off, auto-login as Admin. No Entra config needed.
Tech stack
.NET 10 · Blazor Server · Microsoft Graph SDK · PnP.Framework · Serilog · CsvHelper