ASP.NET Core supports the configuration and management of security in Blazor apps.
Security scenarios differ between Blazor Server and Blazor WebAssembly apps. Because Blazor Server apps run on the server, authorization checks are able to determine:
- The UI options presented to a user (for example, which menu entries are available to a user).
- Access rules for areas of the app and components.
Blazor WebAssembly apps run on the client. Authorization is only used to determine which UI options to show. Since client-side checks can be modified or bypassed by a user, a Blazor WebAssembly app can’t enforce authorization access rules.
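Because a Blazor WebAssembly app cannot enforce access rules, each rule has to be checked again by the server API that the app calls. The following sketch is an added example, not code from the original documentation: a minimal ASP.NET Core API (Program.cs, .NET 6 or later with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package). The bearer-token scheme, authority URL, audience, routes, role name and policy name are all assumptions chosen for illustration.

```csharp
// Program.cs of the server API behind a Blazor WebAssembly client (illustrative).
// The client may hide a "Delete" button from non-admins, but that is only a UI
// decision. The checks below are the ones that actually protect the data.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

var builder = WebApplication.CreateBuilder(args);

// Validate the bearer token sent by the client on every request.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://idp.example.com"; // placeholder identity provider
        options.Audience = "orders-api";               // placeholder audience
    });

// Named policy: assumes the token carries a role claim that maps to "admin".
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("OrdersAdmin", policy => policy.RequireRole("admin"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Any authenticated user may read. Anonymous callers receive 401.
app.MapGet("/api/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { requestedBy = user.Identity?.Name }))
   .RequireAuthorization();

// Only callers satisfying the policy may delete. An authenticated non-admin
// receives 403 even if a modified client sends the request anyway.
app.MapDelete("/api/orders/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("OrdersAdmin");

app.Run();
```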
Blazor WebAssembly authentication
Add the following:
- A package reference for Microsoft.AspNetCore.Components.Authorization to the app’s project file.
- The Microsoft.AspNetCore.Components.Authorization namespace to the app’s
The following sections cover how to handle authentication with a built-in or custom AuthenticationStateProvider service.
For more information on creating apps and configuration, see Secure ASP.NET Core Blazor WebAssembly.
Blazor Server authentication
Blazor Server apps operate over a real-time connection that’s created using SignalR. Authentication in SignalR-based apps is handled when the connection is established. Authentication can be based on a cookie or some other bearer token.
The built-in AuthenticationStateProvider service for Blazor Server apps obtains authentication state data from ASP.NET Core’s HttpContext.User. This is how authentication state integrates with existing ASP.NET Core authentication mechanisms.
For more information on creating apps and configuration, see Secure ASP.NET Core Blazor Server apps.