ASP.NET Core supports the configuration and management of security in Blazor apps.
Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
- The UI options presented to a user (for example, which menu entries are available to a user).
- Access rules for areas of the app and components.
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can’t enforce authorization access rules.
Blazor WebAssembly authentication
In Blazor WebAssembly apps, authentication checks can be bypassed because all client-side code can be modified by users. The same is true for all client-side app technologies, including JavaScript SPA frameworks or native apps for any operating system.
Add the following:
- A package reference for
Microsoft.AspNetCore.Components.Authorization
to the app’s project file. - The
Microsoft.AspNetCore.Components.Authorization
namespace to the app’s_Imports.razor
file.
To handle authentication, use of a built-in or custom AuthenticationStateProvider service is covered in the following sections.
For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly.
Blazor Server authentication
Blazor Server apps operate over a real-time connection that’s created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token.
The built-in AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core’s HttpContext.User
. This is how authentication state integrates with existing ASP.NET Core authentication mechanisms.
For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps.
Sources:
https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-5.0
Comments