Introduction To Blazor Authentication in .NET 8

  • Added on 1. 07. 2024
  • Blazor Authentication can be a tricky subject in .NET 8. The reason for this is that authentication has drastically changed when compared to how we implement it in earlier versions, no matter if Blazor WebAssembly or Blazor Server. Therefore in this video my aim is to walk you through what has changed and explain to you exactly how authentication works in Blazor in .NET 8. We'll also tackle some common practical tasks like implementing a redirect to login and what could potentially go wrong there.
    Content
    1. Intro: 00:00
    2. Authentication setup: 00:25
    3. Middleware GOTCHA! 02:15
    4. Authentication endpoints: 03:12
    5. Email and Redirection services: 04:43
    6. Revalidating Authentication State: 06:04
    7. User registration: 09:06
    8. Blazor Login Functionality: 11:46
    9. See it in action: 12:48
    10. Redirect to Login in Blazor: 14:00
    11. Revalidating Authentication in action: 16:20

Comments • 58

  • @Blazor77756 4 months ago +1

    You're welcome! I've been searching for someone to explain this to us for a while. Keep explaining thoroughly. Thank you very much again.

  • @yatlor 4 months ago +1

    Thanks for this video. Auth is one topic that I've struggled with the most in trying to start a new real world project. Your explanations are super helpful! Especially since we have the need to have multiple apps share the same set of users.

  • @3rd_Century 4 months ago +2

    Thank you. This makes it easier to understand.

  • @Dinesh2826 4 months ago +1

    Given that the .NET 8 Blazor auth covers so much, would you recommend using this out-of-the-box setup over doing it from scratch like you previously did with the .NET 6 Blazor auth?

  • @ilFusta 3 months ago +1

    Thank you for the video, always very informative! What if I have a custom user table coming from a legacy project that I want to use in the Blazor Server app? Let's say the table has just username, password and a Role in it without even the email. Is it possible to use the default implementation just by overriding some parts, and in that case which ones? Or do I have to create my custom authentication from scratch?

  • @goditto5694 8 days ago

    Thank you for your video. But may I know why, with the default project setup (interactive server, individual identity), the session cookie is still alive when I just close the tab or web browser? When I open the home page again, it shows the same login condition as before?

  • @JPScerri 27 days ago

    Thanks for the EXCELLENT video explaining .NET 8 Blazor Authentication. You make it feel so simple!
    But I need to go a bit further. I have 3 applications and need to have a common login authentication and need to jump from one app to another. If I log out from one app then it has to log out on the others too (the same way you explained on the different tabs). How can I achieve this please?
    JP

  • @Tymonello 4 months ago

    So now we can use that Identity User Accessor and we don't need to do the whole initial state and downloading everything from httpcontext only at the start of the application? Or does this only work for SSR and on SS we still need the old way?

  • @realsk1992 4 months ago

    When we have a global Authorize attribute, what other pages in the Account area would need an AllowAnonymous attribute?

  • @Angelrush91 1 month ago

    Hi, how would you go about publishing this application and still use this way of login? Do I need to migrate the user db context?
    Great video, have been looking for something like this!

  • @tapesteer 2 months ago +1

    It would be really helpful if you would provide a GitHub link in the video descriptions. A lot of times it's easier to understand when you can freely scroll through the code.

  • @GewiSC 4 months ago

    Is there a possibility of adding roles to this authentication? If so, how would you go about adding roles?

  • @RicardoYanezColina 3 months ago

    How do you handle 500+ claims for user permissions to avoid the header size limit? I'm currently working on a similar project and would love to hear about different strategies or experiences from the community. Any insights or advice would be greatly appreciated!

  • @waleedbensumaidea3947 3 months ago

    Can you clarify how the RevalidatingServerAuthenticationStateProvider passes the authentication state to the client in the template with individual accounts and interactive auto?

  • @robertpurpose 3 months ago

    Any link to the example you went over in the video?

  • @mustafagamer7358 4 months ago

    Hello, I'm new to the Blazor framework. I created a project of type Blazor Web App with .NET 8, which includes both a server and a client project, and I added authentication and authorization with JWT bearer and I save the token in the browser, but I am encountering a problem when I refresh a component with the Authorize attribute: it gives error 401 Unauthorized. During initialization of the component I retrieve the authentication state, but it gives 401. And by the way, the render mode on the component is InteractiveServer with prerender false, so can anyone help me with this problem 🙏

  • @helshabini 1 month ago

    Is there a way to ONLY use external authentication in this type of project? I simply have a single IDP that I need to authenticate against with OIDC. I've managed to accomplish that but I have two problems: 1- Is there a way to implement refresh tokens? 2- Logout is broken. It just won't remove the cookie no matter what I do. A tutorial on how to do that would be greatly appreciated.

  • @codecell 4 months ago

    The ValidateAuthenticationStateAsync in the RevalidatingAuthenticationStateProvider in 8.0.X is never called, why?

  • @Drougar108 4 months ago

    This is a constant issue for me when trying to search for information about this part. Like yes, I can create the authorization at this point, and I have all that, but I am really confused about how to use the cookie data to track which user is logged in...
    I'm a student so this is a student question really...
    But in the web app that we are making, in Blazor we need to make a site for a car rental company, and I'm just curious how I keep track of the logged-in user. Like, I want to see only the logged-in user's orders and order history; I want to be able to click on a car and be sent to a booking site where we can just click the rent car and have the logged-in user's information already inserted in the form, except for the period for which the car should be rented.
    It's a piece of information that seems really hard to find for some reason...

  • @andresbeltran5779 4 months ago

    Excellent video. I don't understand the email thing well. When I want to implement a real email confirmation, I overwrite the IdentityNoOpEmailSender class and that's it?

    • @Codewrinkles 4 months ago +2

      No, you just implement the interface in your own class with the real thing.

  • @majormartintibor 4 months ago +4

    Great video, thanks for this.
    Just out of curiosity, have you considered trying Azure AD B2C for authentication/authorization?

    • @Codewrinkles 4 months ago +1

      Well, Yes. But for now, the next video on Wednesday will be about how to add Google Authentication to Blazor SSR and what possible problems you could encounter. I think I'll try to go through working with most of the major IdPs and do some videos on that. But that will also depend on how good these videos will perform. If I see that there is not enough interest in these topics, I will probably look elsewhere with my content.

    • @majormartintibor 4 months ago +1

      @Codewrinkles I think you are doing us all a huge favor with your work. Authentication/Authorization is a key problem. I am looking forward to all of your videos on this topic.
      Also I think Authorization/Authentication is not a pick one solution and that will work for all scenarios issue. It is great to have multiple options available. With that being said, I think Azure AD (or now Entra ID) is a great tool you want to have in your toolbox, especially if you want to use Blazor in an Enterprise environment.

    • @Codewrinkles 4 months ago +1

      Well, for the first 2 hours after upload this is my second worst performing in the last 365 days :)) So it seems it's not a topic that would raise interest. Let's see how the next one on adding google authentication will perform.

    • @samjohnson5203 4 months ago

      Do Blazor videos tend to do worse than API videos? I imagine there would be more interest in the latter since it is less specific. Personally I'm interested in how someone with more knowledge than me would implement Azure Entra as an IdP in a Minimal Web API project, along with exposing admin functionality for inviting users to a tenant & modifying user claims, etc.
      Thanks for the videos!

    • @browaruspierogus2182 4 months ago +1

      yes - I hear it from contractors recently however MS gave us here ready to go solution included with the templates
      Seems like ADB2C is much more straightforward for intra and internet domains within larger complex networks

  • @abdokha6227 1 month ago

    Why not from within Visual Studio Identity Management? Everything is ready

  • @aziznouigues3506 4 months ago

    Why are we not receiving an email?

  • @alpachinois 3 months ago

    Do you have any tutorial for Blazor Web App with mixed interactivity and Keycloak?

  • @olanrewajusaka3991 4 months ago

    First to like and first to comment ...master

    • @Codewrinkles 4 months ago +1

      You were really fast. Hope you find this video useful!

  • @Yozik2 4 months ago +2

    When the authentication and authorization infrastructure are implemented in the Blazor web app, then we are forced to develop the whole business layer within the same Blazor web app. Things get complicated when I want to separate the Blazor web app from the logic and move the logic into a separate web API service. I've tried the JWT approach but I can't see how it can work with the AuthorizeView tags in Blazor. Plus, JWT has its flaws in that you don't have a simple logout implementation.

    • @Codewrinkles 4 months ago

      I'm not sure why you want to do this. It makes no sense to use an API with Blazor. Also cookie based auth is in my opinion safer than jwt auth. Can you please give some context on why you want an API and jwt so badly?

    • @Yozik2 4 months ago

      @Codewrinkles because my Blazor app might be only one among other types of clients that will consume my system. Perhaps I'd like to add a mobile client or allow 3rd parties to consume my web API.

    • @Codewrinkles 4 months ago +1

      "Perhaps I want a mobile app or to expose an API"... that's usually not a perhaps. That's a clear business requirement from the beginning 99% of the time. I worked the last 8 years developing enterprise apps and it never happened to me that these requirements just pop up. Also, literally never did we need to expose an API publicly. What I'm trying to say is that you seemingly base some decisions on edge cases and try to make this a general approach. Instead, the general approach should be to not use APIs, except only for the cases where it's really needed. If we did buy a hammer (API dev knowledge) we shouldn't see everything around as a nail.

    • @zejwier5442 4 months ago +1

      @Codewrinkles It's possible that you are talking about two different use cases. In big corporations you may have a single-use-case app where you know what it will do from the beginning due to a defined user base (internal apps), but for example when you are starting a brand new product (startup idea) and you still don't know what its possibilities will be (when implementing lean management methodology), it's crucial to have that flexibility for change and decoupling. I think that you shouldn't be locked down or be discouraged from using a product like Blazor in different use cases than enterprise, especially when looking at .NET problems with adoption by new developers and companies.

    • @CalvinMasindi 3 months ago

      @Codewrinkles I think to share the same API with multiple platforms.

  • @sergenalishiwa9097 3 months ago

    This playlist needs role management.

  • @user-up8qv3ts2w 4 months ago

    Hi, I like what you are doing.
    Please, I have a question:
    I have an API that handles generating authentication with a JWT access token, and all my logic is in this API. I want to use Blazor as the frontend with render mode Auto; how do I use the JWT in this case?
    For WASM I have no problem, but with Blazor render mode Auto I am lost.
    Thank you

    • @Codewrinkles 4 months ago +1

      Do you use the API only for authentication purposes? I think I would want to get rid of the API entirely and handle auth through Blazor SSR. I am personally against the idea of using Rendermode Auto. I'm not sure if it's wrong or not. But my approach is to keep everything as much SSR as possible. And when I need interactivity, I add InteractiveServer since I think it's overkill to have another project just to serve as a host for the WebAssembly stuff.

    • @user-up8qv3ts2w 4 months ago +1

      @Codewrinkles Not just for authentication but also for business logic; Blazor is just for the frontend, no logic.

    • @philipatha 4 months ago

      @Codewrinkles that approach just doesn't scale.

  • @sinandoganli 4 months ago

    The biggest problem of this structure is the SSR and cookie issue.
    It is not possible to use any component that uses interactiveserver mode on the login and registration pages, which causes various problems.
    Another problem is this; Since the pages in the account section are SSR, we can use cookies, and for example, after writing any information of the logged-in member into the cookie, we cannot access this cookie from other Blazor components.
    As an alternative, I tried using ProtectedLocalStorage, but it does not allow writing any information to ProtectedLocalStorage after the user logs in.
    Even if we solve this problem by adding a component and directing the user here, deleting the contents written to ProtectedLocalStorage in the logout section is still a problem.

    • @Codewrinkles 4 months ago +1

      I'm not sure why this is a problem. In my opinion that's exactly how modern Blazor apps should be written: most of the components should be SSR. You just add interactivity where you need to peek into button clicks and other such events.

    • @Codewrinkles 4 months ago +1

      Also, you can access the cookie via the HttpContext.Identity in every single SSR component. Page components in Blazor should all be by default SSR in my opinion.

    • @sinandoganli 4 months ago

      I think I explained it wrong.
      For example, let's go with the default template.
      Let's imagine a reCAPTCHA component running in InteractiveServer mode; we cannot add it to the login or registration page.
      Or let's imagine a scenario like this: we want to temporarily keep some information of the logged-in user in a session and use it on all pages.
      We cannot do this in this template (at least I tried but couldn't). @Codewrinkles

    • @Codewrinkles 4 months ago

      For the reCAPTCHA I think you can model it as a form post similar to how the login button for external providers is implemented. Create a minimal API endpoint for it and do a redirect with all the info already on the page. It's just an initial idea, I'm not sure if it's accurate. But I think going in this direction would help to solve such problems.

    • @Codewrinkles 4 months ago +4

      I will investigate this myself after my vacation and will probably create a video with my findings.

  • @browaruspierogus2182 4 months ago

    hi - can we get the code? thanks

    • @Codewrinkles 4 months ago

      Codewrinkles ambassador members and higher get access to the source code. Make sure to get the membership and then go to the "Membership" tab on the channel and you will find instructions on how to get the source code.

  • @simond3752 4 months ago

    Thank you for your video. I would like to inform you that the RevalidatingServerAuthenticationStateProvider doesn't work in Blazor 8. You opened the other session in the same browser in the second tab. But please, open the other session in a different browser (Firefox, Edge). You will see that the logout doesn't change anything in the other session. ValidateAuthenticationStateAsync is not called.

    • @oscarvera7263 4 months ago +1

      It works only in the same instance of the browser window; it is the same effect if you open a private or anonymous browser window. That's the expected behavior.