Blazor Serverside => Authentication without Identity Scaffolding POSSIBLE?

0
votes

i am working on a blazor server side project(for and to learn for future projects at work). I am trying to implement a authentication in the application like in the asp.net core apps => with httpcontext.SignInAsync(CookieDefaults.AuthenticationScheme,principal); but i literally can't find anything about that => Is Cookie or JWT Auth even possible or better to say logical on a blazor server side application?

my project structure : Database/API <= Blazor App

I am thinking about Jwt Auth with my API and store the jwt token with LocalStorageService => but how do i tell my blazor app that i am authorized when i have a valid jwt token?

can i implement a custom authorizefilter? and should the filter check with the api if the token is still valid?

Kinda confused right now, blazor is really amazing and i think its the real future framework, but the authentication is kinda hard to understand for me

fyi: I would prefer to not use Identity if possible I have no Code atm, because i am still working myself into blazor and trying stuff etc.

2
asp.net-coreauthenticationjwtblazorblazor-server-side

2 Answers

0
votes

Authentication in Blazor Server Apps can happen by either registering a Cookie or JWT Authentication Handler. Because Blazor Server runs inside an ASP.NET Core app Cookie Authentication is simpler. You can to this by adding a Cookie AuthenticationHandler inside the ConfigureServices Method inside Startup.cs:

services.AddAuthentication()
     .AddCookies();

You then also need to instruct the Middleware to inspect incoming Request wheter they have a valid Cookie so that then the ClaimsPrincipal property on the HttpContext can be set:

app.UseAuthentication();

By using this configuration every User that requests your app with a Cookie you issued to them by calling SignInAsync from a controller is authenticated. You cant append a Cookie to a Http response inside a Razor Component because the Response has already finished (all changes are send over the WebSockets Connection). You then can use the built in AuthorizeView component to only render content to authenticated users. Without further configuration every user that you issued a cookie to is authenticated.

You can also use JWT authentication. As it is the case with Cookies ASP.NET Core has also built-in middleware to achieve that. In such case I would build a custom AuthenticationProvider that implements the abstract class AuthenticationStateProvider. Inside the GetAuthenticationStateAsync() method you retrieve the token from LocalStorage. You then need to check its validity so the according AuthenticationState can be returned (Its has a property of type ClaimsPrincipal).

You can build your own Authorization Filter and check for the tokens validity.

0
votes

First, Yes it is possible but why would you want to rebuild what is there. you may just put your system in a vulnerable state if you don't do it correctly.

Second, The question needs to be a lot clearer for it to get answered properly.

thrid, Jwt token is possible I just finish building my system with jwt token.

Fouth, Jwt token storage more can store information with in it. and can be validated by the API and read by the client