Blazor, being relatively new, does not have a lot of documentation on security authentication. In VS 2019, when I create a new Blazor project (server-side or client-side) the authentication options are all disabled.
What is the authentication solution for organization level security for Blazor apps?
Right now no solution is available. The Asp.Net team are working on an Auth system for both flavors of Blazor. Be patient. It is coming soon. Read here what is going on... https://github.com/aspnet/AspNetCore/issues/4048
I would invest my spare time polishing my knowledge of the Component model instead, while waiting for the guys in Microsoft to come up with a good solution.
Hope this helps...
[Edit]:
The following is a link to an example of using Identity Authentication with Blazor client-side: https://github.com/stavroskasidis/BlazorWithIdentity
This sample code is fine and all, but I would recommend using JwtToken authentication instead as JwtToken is often used in SPA applications.
I'm in need of a detailed explanation on how I should configure OpenIddict in ASP.NET Core 7.
I have been looking at the available examples and documentation for a week now.
But I do not understand why some examples have ~400 lines of code and others have ~40, in their controller or endpoint implementations.
To make my use case and problem more specific:
Server side:
ASP.NET Core 7
Using minimal APIs
EF Core 7
PostgreSQL
Clients:
Blazor WASM or Angular
Decision not yet made
A skeleton Blazor WASM app created
Mobile apps (native iOS and Android)
I also need to refresh the token, and the user to access and modify the profile data.
I will also need to use other authentication providers (e.g.: Apple, Google).
I read the official docs and tried to understand the examples.
Edit: I tried the Balosar and Zirku examples.
It left me more confused.
So my goal would be to understand why I need to add and how to configure certain services to achieve the functionality described above.
Also, how to implement the needed endpoints, can I do it in minimal APIs, or do I have to stick with the controllers, or add views?
I have been working on authentication methods for my blazor app for some time now. I am currently developing as a standalone protected WebApi + Blazor Server, but will ultimately migrate to standalone protected WebApi + Hosted Blazor WASM so I need to be mindful of both server and client side authentication. The WebAPI will also serve an external OData feed and API for end users that also needs to be protected using the central authentication mechanism.
I would like to be able to sign on with Microsoft (ie. Microsoft.Identity.Web / MSAL), but want to configure some fairly complex roles and behaviours at the database level (ie. ASP.NET Core Identity). To hopefully help someone else understand the different documentation sets, following are links to MS docs for the 2 options.
Introduction to Identity on ASP.NET Core
Microsoft Identity Platform Documentation
Don’t know about anyone else, but I have found it very difficult to navigate through the different documentation sets and tutorials to firstly understand how they work and secondly determine if it is best for me.
My question is, does anyone have any documentation on how they have integrated Microsoft.Identity.Web with the individual user accounts available in ASP.NET Core Identity for Blazor Server and/or WASM apps?
The following link shows how to do it all within ASP.NET Core Identity.
Integrate ASP.NET Core Identity with Microsoft account | BinaryIntellect Knowledge Base
If I was building an MVC web app, that’s what I would do. However, I really like the token handling capabilities of Microsoft.Identity.Web / MSAL (ie. ITokenAcquisition etc.) for Blazor. It seems to be a real kludge to have to use the Razor pages for ASP.NET Core Identity and handling tokens securely becomes an issue – especially for Blazor WASM.
Chris Sainty has done some good work in porting some of the ASP.Net Razor pages to Blazor Components in the following link. However he does a lot of (very clever) manual processing of the token and I’m not sure I like the idea of storing the token in unprotected Local Storage of the blazor app. I haven’t gone into it in full detail yet, but I don’t think this method will be directly transferrable to Blazor WASM.
Authentication with client-side Blazor using WebAPI and ASP.NET Core Identity (chrissainty.com)
This SO post indicates that it is not possible to integrate Individual user accounts with Microsoft.Identity.Web.
c# - Microsoft Identity Plataform with asp.net Core Identity - Stack Overflow
I got a working solution going where I had both ASP.NET Core Identity and Microsoft.Identity.Web working side by side. However, I found this to be very difficult to implement and debug. Once you start mixing the various builder.Services.AddAuthentication() options (eg. .AddMicrosoftIdentityWebApp, .AddMicrosoftIdentityWebApi, .AddIdentityCore, .AddIdentity, .AddDefaultIdentity, .AddJwtBearer etc. etc.) I have found that you enter a world of pain and unpredictable behaviour. I basically had to go back to the source for each of them to work out what they were actually doing under the covers and work out how to blend them. I ended up going back to the raw OAuth / OpenId specifications and implementing everything manually – which is very unsatisfactory and I was unhappy with the risk I was taking in potentially introducing a security flaw – even though I got it to “work”.
EDIT: This SO post is similar to what I implemented. Microsoft Identity Local User Accounts and MSAL
I can’t believe how hard it has been to just get to this level of understanding, and still not have a solid working concept that does what I want it to do that is supported by documented acceptable techniques and not just my kludge at implementing everything manually.
Right now it appears to me that if I want to use as much out of the box / documented functionality as possible, I suspect that I should use ASP.NET Core Identity and work out how to integrate the ASP.net razor pages into my Web Api, Blazor Server and Blazor WASM apps. However, this appears to be a backward step since Microsoft.Identity.Web / MSAL seems to be so much better suited to Blazor and seems to be the direction that MS is going.
If anyone can point me to some current examples of how this can be done, I would be very thankful.
I think I have found at least a partial answer to my question. The key problem I faced was how to capture the callback event from Microsoft.Identity.Web so that I can persist / retrieve info to/from the database during the authentication event. I was hung up on the ASP.NET Core Identity method of doing that.
I found the following SO post that provides information on how to respond to the OnTokenValidated event using Microsoft.Identity.Web. Microsoft.Identity.Web: OnTokenValidated event not triggered
Having access to this event means that I will be able to implement what I need to do at the database level and move on.
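One way to wire up the `OnTokenValidated` hook described above, as an added example that is not code from the post or from Microsoft.Identity.Web itself. `IUserDirectory`, `InMemoryUserDirectory`, the `Reader` role and the `/whoami` route are hypothetical names, the in-memory class stands in for the application's database, and an `AzureAd` configuration section is assumed.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddSingleton<IUserDirectory, InMemoryUserDirectory>();
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddAuthorization();

// Attach to the OpenID Connect handler that Microsoft.Identity.Web registered above.
builder.Services.Configure<OpenIdConnectOptions>(OpenIdConnectDefaults.AuthenticationScheme, options =>
{
    var inner = options.Events.OnTokenValidated;   // keep the handler that is already set
    options.Events.OnTokenValidated = async context =>
    {
        await inner(context);
        // Key the local account on tenant id + object id, which are stable; names and emails are not.
        var tenantId = context.Principal?.GetTenantId();
        var objectId = context.Principal?.GetObjectId();
        if (string.IsNullOrEmpty(tenantId) || string.IsNullOrEmpty(objectId))
        {
            context.Fail("Token has no tenant or object id.");   // fail closed
            return;
        }
        var directory = context.HttpContext.RequestServices.GetRequiredService<IUserDirectory>();
        var roles = await directory.RecordSignInAsync(tenantId, objectId);
        if (roles is null) { context.Fail("Account is disabled locally."); return; }
        // Roles come from the application's own store, not from the token.
        var identity = (ClaimsIdentity)context.Principal!.Identity!;
        foreach (var role in roles) identity.AddClaim(new Claim(identity.RoleClaimType, role));
    };
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/whoami", (ClaimsPrincipal user) =>
    Results.Ok(new { Name = user.Identity?.Name, IsReader = user.IsInRole("Reader") })).RequireAuthorization();
app.Run();

// Hypothetical contract: record the sign-in and return locally managed roles (null = blocked account).
public interface IUserDirectory { Task<IReadOnlyList<string>?> RecordSignInAsync(string tenantId, string objectId); }

// In-memory stand-in for a database-backed store; it never blocks an account.
public sealed class InMemoryUserDirectory : IUserDirectory
{
    private readonly ConcurrentDictionary<string, string[]> _roles = new();
    public Task<IReadOnlyList<string>?> RecordSignInAsync(string tenantId, string objectId) =>
        // First sign-in provisions the account with the least-privileged role.
        Task.FromResult<IReadOnlyList<string>?>(_roles.GetOrAdd($"{tenantId}:{objectId}", _ => new[] { "Reader" }));
}
```

Because the handler runs before the sign-in cookie is issued, the roles added here travel with the session and are only refreshed at the next sign-in.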
I am currently looking into splitting up a .Net Core project and I am not sure on which technologies to employ.
Let's say that I wanted to create a website where authenticated users could look up book titles:
I would like the project structured like this:
.Net Core web application using MVC (All UI in here)
.Net Core Web API for authenticating users (Authenticating users against database here)
.Net Core Web API for Book titles (return titles if user is validated)
Application flow would be the following:
User goes to UI web page and is met by login-screen. User enters username/password and then UI will send a login request to the Authentication-API. Authentication API should return some sort of data that the UI can store in the users session to verify that the user is validated for the next period of time.
When the user wants to get the book titles, the WEB UI should send the existing authentication data to Book Titles API. The book title api should then verify that the user is still authenticated and return the book titles if so.
My question is, what is "best practice" in regards to this setup. I have read a lot of different things about JWT tokens/JWE, Cookies and so forth, and I am having a bit of trouble finding my way in it.
Could my Authentication API use Identity framework, and could that information be passed around to other API's or should I use cookie authentication and how would I do that?
In the project future I would like to be able to create an App that should also be able to access the Authentication and Book title API's not worrying about the .Core UI project.
Is there anyone out there who can point me in the correct direction here or have some good recent articles/references I could look into.
Best regards
I understand your thoughts around designing the solution. The things you have mentioned above look appropriate and I do not see any issues. But I would like to recommend a few things when it comes to selecting the right authentication framework.
If you are thinking of integrating your application with some IDP like Google or Okta etc. then you need to define the protocol you will be using. One of the most popular is OIDC.
Look for some of the standard flows for your application. If you have a client-server architecture, you can opt for either implicit flow (less recommended due to security issues) or authorization code flow.
.Net has very nice support on using OIDC for application.
When using OIDC, you are eligible for session store, access_token which is a short TTL token and can be used between applications to communicate with each other. Know more about it here
The complete authentication process with right flow and integrated application will be taken care by IDP, you just need right configuration, library/framework support to do it.
Using OIDC also gives you the benefit of not falling into any OWASP issues.
On top of that you just need to deal with authorization logic which is very common and application specific
One of IDP you can try for free and on cloud is Okta
Another option if you are using your own authentication framework,
You can implement your own identity server framework
Check this article: Using .net core with identity server. You can host your identity server or expose an API of the same using your application.
GitHub link for IdentityServer4
You can find a ready made solution with sample projects using this solution on below git repository:
IdentityServer4 Implementation with ASP.NET Core
You can find there an auth server which authenticates the username/password and gives back token. That token is used to access an MVC app as well as a secure API.
I have been trying for weeks to implement JWT authorisation in my .NET Core web app and have found myself following a lot of guides that I don't think are relevant to my use case. These guides talk a lot about scopes etc, and I don't think I need that level of complexity for my use case.
A lot of the guides talk about using things like OpenIddict or Identity Server to setup and configure something that the user can authorise against, but in these settings it seems like a separate project is required to house the identity provider, and then my new asp net core application has to somehow hook into that for use. I'm also trying to get things like refresh tokens to work so the user doesn't have to log in over and over again.
The "client side" of my app will be Xamarin (for mobile) and Angular (for web).
In a single web application (a single .net core application) how can I use .NET Core Identity with JWT or OAuth? What is the minimum level of configuration required to achieve this?
This Simple JWT project
This is not asp.net core. This is just an asp.net mvc project, but it is a really simple and basic one. By looking at this code, you will be clear on how to implement JWT. Thanks
I've read some articles on token based authentication in Asp.Net Core. I'm new to Asp.Net Core and Token based Authentication. Can anyone help me with that? Some code will be helpful for me. I'm using the latest version of Visual Studio Community 2017.
There is an excellent tutorial already written here
Also, IdentityServer4 has a lot of tutorials that show you how to configure identity server (to generate tokens) and how to secure your web api (token based authentication).