Blazor Authentication and Authorization


Authentication and Authorization in Blazor can be broken down into 2 parts, the normal ASP.Net Core authentication and authorization, token based, cookies, Active directory and even 3rd party.  The Blazor specific authentication and authorization that is focused on managing the UI based on whether the   user is logged in, what roles and policies need to be applied.  We will be looking at the Blazor side.

To get started we will be creating a Blazor Server project and changing the authentication to Individual Accounts:


Once we have the project created, we need to run the command to create the data store for the user accounts:

     PM> Update-Database

Run the application and create a user account with a password.  For our application we used:
           1.       User Name: BlaozrAuth@everywherec.com       
           2.       Password: Pa33word!

Since we let Asp.Net handle creating everything we needed to manage the users, we are now ready to add our code to secure our application.

To look at how authentication and authorization works in Blazor we will add some code to the index page so we can see how to access the user information.

Code to Add:

       1.       Inject the Authentication service

@inject AuthenticationStateProvider AuthenticationStateProvider

        2.       Button to check is the user is logged in

      <button @onclick="@LogUsername">Check Auth Status</button>

        3.       A label to see the user’s authentication status

<p><strong>@userAuthStatus</strong></p>

        4.       Button on click on the method

               private async Task LogUsername()
              {
                  var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
                  var user = authState.User;

                  if (user.Identity.IsAuthenticated)
                 {
                      userAuthStatus =  $"{user.Identity.Name} is authenticated.";
                 } 
                 else
                { 
                     userAuthStatus = "User is not authenticated.";
                }
             }

This method allows us to get the status of the user and display weather they are logged in or not.  The AuthenticationStateProvider is the main service that handles the authentication state.  In this handler we are getting the current state and the user.  The we are checking if the user is authenticated (logged in) and set the status for the label.

That is how we can manually access the service to check on the current users.  In addition, there are a couple of built in Blazor components that will help us secure or UI.

We want to secure the entire Counter page so only users that are log in can access it.  To do this we just need to add the authorized attribute:

@attribute [Authorize]

You can add roles and policies with the attribute as well

@attribute [Authorize(Roles(“manager”)]

This will prevent any user that is not logged in or does not have the role/policy, if used from access the page.  If they try will received a “Not Authorized” message.  The out of the box message is not that pretty but you can change it.
Once you log in, you can now access the Counter page without any limitations.

So, what if you what to limit part of a page or part of the navigation based on whether the user is logged in or if the user has the right role/policy.  Blazor has a component for that, you use the “AuthorizedView” component. 

        <AuthorizeView>
            <Authorized>
                <li class="nav-item px-3">
                    <NavLink class="nav-link" href="fetchdata">
                        <span class="oi oi-list-rich" aria-hidden="true"></span> Fetch data
                    </NavLink>
                </li>
            </Authorized>
            <NotAuthorized>
                <li class="disabled">
                    <NavLink class="nav-link" href="#">
                        <span class="oi oi-list-rich" aria-hidden="true"></span> Fetch data
                    </NavLink>
                </li>
            </NotAuthorized>
        </AuthorizeView>

This will not display that part of the page unless the user meets the security requirements, logged in, role/policy.   Use the Authorized attribute to give access to everyone and use the NotAuthorized attribute to limit to non authorized users.

Just like the authorized attribute, you can use Role and Policy with the AuthorizedView to provide even more protection.

We have seen that Blazor has several ways that we can secure the UI whether it is a whole page or just a part of a page.  Combine this with the power of ASP.Net Core security and you have a good secure base to build on.

[Source Code]




Comments

Post a Comment

Popular posts from this blog

Yes, Blazor Server can scale!

Image
From the very beginning of the release of Blazor Server naysayers have incorrectly stated that Blazor Server can not scale.  They usually state that the limit is 5,000 concurrent users. There are several misconceptions and wrong assumptions about their statement.  Let's break it down and get a better understanding of Blazor server-side scaling. What is the "limit" for users When Microsoft talks about the need to scale an application, what they are saying is that when a normal response for any concurrent user is taking longer than 200 ms, the system is not performant and needs to scale. We will accept that definition: If any normal user response is taking longer than 200 ms, the system needs to scale for concurrent users. By a normal response, we are referring to a page get, a post, etc.  Large database access requests would not be included in this measurement. What is scaling There are 2 common ways to scale, scale, out horizontally, and scale-up, up vertically. In our di
Read more

Blazor new and improved Search Box

 Back in March, I posted a new Blazor data grid with a search box ( see post ).  Since then I have found a new and improved search box that I wanted to implement.  The search part is implemented the same.  What I added was the ability for the user to narrow down the search by selecting which field they wanted to search on.  This will help the user find what they are looking for and in a large collection, the search will end up being faster. The goal of making the change was to make the search box a new component and have it handle the UI functionality part. Prep Work Here is the prep work I did before adding the search box: Started with the source code from the post listed above. Upgraded the project to .Net 5 Upgraded the Nuget packages that were out of date. Ensured every build and run. Change to a Component I wanted to create a component for the search box so I could use it in other applications.   1. Create a Folder under UIControls called "SearchBox" 2. Created a new raz
Read more

Blazor Wizard Step Component

Image
 I like using step wizards in my applications, sign-up forms, shopping cart checkout, and complex data entry, but I had not been able to find a wizard step indicator that I liked so I built this one. As it turned out, it was not as hard as I thought it would have been.  There are a couple of key parts you have to keep in mind when using a step wizard, such as: 1. What step am I on? 2. Should the "Prev" / "Next" buttons be enabled or disabled on this step? 3. What kind of visual clues do I show the user? I will walk you through how we answer these questions in this sample project.   HTML The main container has a div that holds the progress divs, one div for each "step" of your process.  Below that we have our "Prev" and "Next" buttons We will need to wire in the on-click events for the two buttons.  The buttons will need to be able to be disabled and enabled via CSS class settings.           <div class="container">       
Read more