Improve documentation for blazor authentication #47490
Comments
dotnet-issue-labeler
bot
added
the
area-blazor
|
@MarvinKlein1508 thanks for contacting us.
Can you clarify what you mean by this?
With regards to Blazor Server, authentication happens "before" the app starts, so using LDAP is similar to how you would do it for an MVC / Razor Pages app. If you need to refresh claims/roles, then you need to provide your own AuthenticationStateProvider The mechanism you use to get "refreshed" credentials depends on the type of auth you are using, either your auth system gives you an API to retrieve them, or they come in some other way (connection or a cookie), in which case, you need an extra "session" endpoint defined in the app that the browser can ping regularly to push a notification into the circuit. You can keep a registry of available circuits with a circuit handler and a singleton service to "dispatch" a notification to a given circuit.
I am assuming this means two different authentication schemes, like Microsoft accounts and something else. Neither of this is dealt with at the Blazor level.
With that said, the team is making investments in this area for .NET 8.0, so I am going to let other folks chime in. |
Sure. I'm doing this right now. As you can see I'm authenticating the user in a seperate .cshtml file.
My main problem here is that I've never worked with MVC before and I only did some basic forms using razor pages. I'm developing apps using Blazor. It's hard for a developer to learn all three concepts just to do the same thing in one framework. That's why I'm thinking that you should provide detailed tutorials in the docs for the Blazor framework itself. Unlucky for me, I didn't get paid to spent hours of hours learning new concepts. I think when I choose a framework, I should be able to do everything with it without learning another framework. Don't get me wrong, it's obviously good that I can mix multiple frameworks together but it makes developing with the framework much harder for new people. I'm working for 5 years now with Blazor Server and outside of the login mechanismn I've never needed anything else besides of my Blazor components.
I've tried this before but I couldn't figure out how to access my set claims here in order to receive my user form the database. Is it also possible to check if the users got deleted in the database and delete all claims within this approach?
In my case all necessary data is stored within the database. I can fetch all I'll need by using my UserService.GetAsync(int userId) method.
What I mean by this are two ways of authentication. For example:
As you can see in my previously mentioned file, I'm doin this right now in a POST request from a razor page all in once. I'm pretty sure there is a much easier way to achive this. The implementation I'm having now only exists because I've copied it from the scaffolding templates. I didn't find anything near this in the docs.
Yes I've seen this docs. But I'm not not using neither Identity nor AAD. Many small companies want to check against a small database or their local LDAP. You wouldn't believe how many companies in Europe don't use cloud services. My main problem why I can't use Identity is the lack of local LDAP support. @javiercn could you also tell me if it's possible within Blazor server to create a login form and login the user just with using blazor components? Thanks for all your explanations and time! :) |
MarvinKlein1508
changed the title
So, if I understood correctly, what you want is to build an Auth system completely using Blazor Server, without MVC/Razor pages in the picture? The challenge here comes down to "remembering" whether the user has a valid session in the system. That's normally done with an HTTP only cookie in the browser. Otherwise, an XSS attack could steal your cookie. Unfortunately, Blazor Server can't set cookies because it is not a web app in the traditional sense, which is why auth is handled "outside" the Blazor app.
If you have an identifier for your currently logged-in user (provided that the ID is in the ClaimsPrincipal), and you can query a database, then you should be able to write a custom You can use RevalidatingAuthenticationStateProvider to do it. There are more details here |
If you do not care about the user being "logged-in" after they come back from closing the tab, then you can do everything with Blazor Server and a custom AuthenticationStateProvider. The only challenge for Blazor Server is to setup a cookie to "remember" that the user is logged in, which is what the approach I mentioned above was for. The facts are, that approach is possible, but complicated (from a security point of view), hence why we recommend you authenticate and establish the session in a traditional way, as that is a test and tried path. |
Yes I don't want to switch between frameworks to achive this. Also it is not clear for me from the docs that I'll need to do this using MVC and razor pages.
I don't know much about the security aspect of this. But couldn't you just set a cookie using JavaScript?
public override Task<AuthenticationState> GetAuthenticationStateAsync()
{
var identity = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Name, "mrfibuli"),
}, "Custom Authentication");
var user = new ClaimsPrincipal(identity);
return Task.FromResult(new AuthenticationState(user));
}I literally have no idea how I can access the claims here. How do I get the UserId from my claim to read data for it? |
Can I do this with two registered providers as well? For example:
I will take a look into it. This one sounds really promising.
Just out of curiosity: which data does this cookie hold? Couldn't I manually set a cookie with username and a token and check for it in my custom AuthenticationProvider? |
No, the cookie needs to be set by the server as part of an HTTP response. |
|
@MarvinKlein1508 if you create your own AuthenticationStateProvider, you can inject services to check against the database. services.AddScoped<AuthenticationStateProvider, CustomProvider>();
services.AddScoped<CustomProvider>(sp => (CustomProvider)sp.GetRequiredService<AuthenticationStateProvider>());
public class CustomProvider : AuthenticationStateProvider
{
private Task<AuthenticationState> _authenticationStateTask;
public CustomProvider(<<Dependencies>>)
{
}
public async Task<...> CheckRolesAsync(...)
{
var authState = await _authenticationStateTask;
var user = authState.User;
var id = // Get the ID for your user from the claims principal you created on LoginCore
// Check against your Db(s) using that ID.
// Produce whatever response you want based on that.
}
public override Task<AuthenticationState> GetAuthenticationStateAsync()
=> _authenticationStateTask;
public async Task Login(...)
{
// Trigger the login process
_authenticationStateTask = LoginCore(...)
// Signal the UI that you are authenticating the user
NotifyAuthenticationStateChanged(_authenticationStateTask);
// Return the result so that your component can act accordingly
return _authenticationStateTask;
}
LoginCore(...)
{
// Validate credentials
return new AuthenticationState(new ClaimsPrincipal(...));
}
}Here is some pseudo-code. Hope that helps |
mkArtakMSFT
added
the
✔️ Resolution: Answered
|
@mkArtakMSFT I don‘t think this should be closed allready. @javiercn left it open to let other people join in. As you can see from all my questions, the docs should be much more detailed. It would be nice if you can reopen it and add the docs label. |
ghost
locked as resolved and limited conversation to collaborators
Is there an existing issue for this?
Is your feature request related to a problem? Please describe the problem.
I find questions regarding the authentication progress in blazor apps quite often all over the internet. At least twice a week I see people asking about this stuff on StackOverFlow.
The docs for blazor authentication can be found here. But in my opinion those are not very good documented. For example I still have not figured out after 4 years how to refresh my user claims with updated roles.
The documentation should include some basic tutorials on how to implement authentification in both Blazor Server and Blazor WebAssembly.
One common example I find a lot of people asking about is how to check against a local Active Directory. In my use case for example I'll need to check first in database if login credentails of a non AD account has been entered if not then I'm checking for AD. If the user is found, I create it in my database.
That's also the reason why I cannot use ASP.NET Core Identity (maybe I'm missing something here, then feel free to tell my about this magic).
I still don't know if I can do authentication without the usage of Razor Pages or MVC.
Describe the solution you'd like
I would highly appreciate if you can create simple demo projects showcasing all types of authentification in both Blazor Server and Blazor WebAssembly
Additional context
No response
The text was updated successfully, but these errors were encountered: