Blazor Authentication and Authorization


Authentication and Authorization in Blazor can be broken down into 2 parts, the normal ASP.Net Core authentication and authorization, token based, cookies, Active directory and even 3rd party.  The Blazor specific authentication and authorization that is focused on managing the UI based on whether the   user is logged in, what roles and policies need to be applied.  We will be looking at the Blazor side.

To get started we will be creating a Blazor Server project and changing the authentication to Individual Accounts:


Once we have the project created, we need to run the command to create the data store for the user accounts:

     PM> Update-Database

Run the application and create a user account with a password.  For our application we used:
           1.       User Name: BlaozrAuth@everywherec.com       
           2.       Password: Pa33word!

Since we let Asp.Net handle creating everything we needed to manage the users, we are now ready to add our code to secure our application.

To look at how authentication and authorization works in Blazor we will add some code to the index page so we can see how to access the user information.

Code to Add:

       1.       Inject the Authentication service

@inject AuthenticationStateProvider AuthenticationStateProvider

        2.       Button to check is the user is logged in

      <button @onclick="@LogUsername">Check Auth Status</button>

        3.       A label to see the user’s authentication status

<p><strong>@userAuthStatus</strong></p>

        4.       Button on click on the method

               private async Task LogUsername()
              {
                  var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
                  var user = authState.User;

                  if (user.Identity.IsAuthenticated)
                 {
                      userAuthStatus =  $"{user.Identity.Name} is authenticated.";
                 } 
                 else
                { 
                     userAuthStatus = "User is not authenticated.";
                }
             }

This method allows us to get the status of the user and display weather they are logged in or not.  The AuthenticationStateProvider is the main service that handles the authentication state.  In this handler we are getting the current state and the user.  The we are checking if the user is authenticated (logged in) and set the status for the label.

That is how we can manually access the service to check on the current users.  In addition, there are a couple of built in Blazor components that will help us secure or UI.

We want to secure the entire Counter page so only users that are log in can access it.  To do this we just need to add the authorized attribute:

@attribute [Authorize]

You can add roles and policies with the attribute as well

@attribute [Authorize(Roles(“manager”)]

This will prevent any user that is not logged in or does not have the role/policy, if used from access the page.  If they try will received a “Not Authorized” message.  The out of the box message is not that pretty but you can change it.
Once you log in, you can now access the Counter page without any limitations.

So, what if you what to limit part of a page or part of the navigation based on whether the user is logged in or if the user has the right role/policy.  Blazor has a component for that, you use the “AuthorizedView” component. 

        <AuthorizeView>
            <Authorized>
                <li class="nav-item px-3">
                    <NavLink class="nav-link" href="fetchdata">
                        <span class="oi oi-list-rich" aria-hidden="true"></span> Fetch data
                    </NavLink>
                </li>
            </Authorized>
            <NotAuthorized>
                <li class="disabled">
                    <NavLink class="nav-link" href="#">
                        <span class="oi oi-list-rich" aria-hidden="true"></span> Fetch data
                    </NavLink>
                </li>
            </NotAuthorized>
        </AuthorizeView>

This will not display that part of the page unless the user meets the security requirements, logged in, role/policy.   Use the Authorized attribute to give access to everyone and use the NotAuthorized attribute to limit to non authorized users.

Just like the authorized attribute, you can use Role and Policy with the AuthorizedView to provide even more protection.

We have seen that Blazor has several ways that we can secure the UI whether it is a whole page or just a part of a page.  Combine this with the power of ASP.Net Core security and you have a good secure base to build on.

[Source Code]




Comments

Post a Comment

Popular posts from this blog

Yes, Blazor Server can scale!

Image
From the very beginning of the release of Blazor Server naysayers have incorrectly stated that Blazor Server can not scale.  They usually state that the limit is 5,000 concurrent users. There are several misconceptions and wrong assumptions about their statement.  Let's break it down and get a better understanding of Blazor server-side scaling. What is the "limit" for users When Microsoft talks about the need to scale an application, what they are saying is that when a normal response for any concurrent user is taking longer than 200 ms, the system is not performant and needs to scale. We will accept that definition: If any normal user response is taking longer than 200 ms, the system needs to scale for concurrent users. By a normal response, we are referring to a page get, a post, etc.  Large database access requests would not be included in this measurement. What is scaling There are 2 common ways to scale, scale, out horizontally, and scale-up, up vertically. In our di
Read more

Blazor new and improved Search Box

 Back in March, I posted a new Blazor data grid with a search box ( see post ).  Since then I have found a new and improved search box that I wanted to implement.  The search part is implemented the same.  What I added was the ability for the user to narrow down the search by selecting which field they wanted to search on.  This will help the user find what they are looking for and in a large collection, the search will end up being faster. The goal of making the change was to make the search box a new component and have it handle the UI functionality part. Prep Work Here is the prep work I did before adding the search box: Started with the source code from the post listed above. Upgraded the project to .Net 5 Upgraded the Nuget packages that were out of date. Ensured every build and run. Change to a Component I wanted to create a component for the search box so I could use it in other applications.   1. Create a Folder under UIControls called "SearchBox" 2. Created a new raz
Read more

Blazor - Cool Blur Loading Page

Image
  I was working on a project and wanted an original way of showing the user the application was loading besides using the normal "Loading...." text.  I came across a website page and thought I could refactor that into what I was looking for. When my application starts, it displays a full-screen image with a count down while the page loads.  As a special effect, I want to unblur the image the closer it gets to the applicaiton finishing loading.  Once the teh count down is done, we pause for 1 sec, for effect, then proceed to the application.  I think it turned out pretty cool.  See the demo here . I used the server side Blazor project template in my example, but the code should work on any Blazor template. Template changes 1. Rename the original Index.razor page to "home".  Besure to change the routing at the top of the page as well.      @page "/home" 2. Create a new Index.razor page     a. Add routing           @page "/"           @page "/i
Read more