
Correct implementation of custom AuthenticationStateProvider in server-side Blazor

Open sipi41 opened this issue 4 years ago • 5 comments

Thank you for all the help you may bring. For the past several days I have been trying to implement a simple log-in form on my daughter's blazor-server page using Identity, Authentication and Authorization.

I have read the MS documentation (https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-6.0), read several tutorials and watched several videos, and I'm impressed with the level of confusion created around this topic; everybody, including MS, has their own idea on how to do things, and it's worth mentioning that even experienced developers prefer to use the pre-factored Identity pages of the VS template rather than "monkey with that", as they said... so for me, a newbie, it's just confusing... I can't understand why MS can't provide a step-by-step guide for blazor-server, with clear examples on how to maintain state (after sign-in), etc... because some say use session to keep state, some say use browser storage, and others say do it through JavaScript to an API... and what does MS say?

MS in their documentation says I should use AuthenticationStateProvider, but later I see there's a ServerAuthenticationStateProvider and even people using another one called RevalidatingServerAuthenticationStateProvider... I have to say that I tried to use the "server version" and my authentication just doesn't work... so I came back to the first one.

The clearest tutorial came from https://www.youtube.com/watch?v=BmAnSNfFGsc and even this guy is confused... as he says we should use app.UseAuthentication(); app.UseAuthorization(); but I noticed I don't have to use them, it works without that... see? everybody is saying "use this and that" but there's no real explanation of why things should be done... The documentation has failed in this case because it explains how to implement a custom AuthenticationStateProvider but not how to create and call a method to change this user and call NotifyAuthenticationStateChanged; I was breaking my head over that...

I hope this can help and lead to better techniques to explain clearly how to secure blazor-server pages... if you can clearly provide the steps to others, that will be fine; I can provide what I have also, is that ok?

sipi41 avatar Nov 24 '21 16:11 sipi41

@sipi41 Were you able to try starting from the "new project" template with the auth options enabled? This will give you a preconfigured site that has auth.

Also to clarify, AuthenticationStateProvider isn't something you can store state inside. It's something that tells your application what the authentication state of the user is (i.e., whether they are logged in, and who they are logged in as).

Another thing to note is that, for Blazor Server, the authentication is really the same as regular ASP.NET Core authentication. It's the same system and holds the same state. So you can follow any docs or tutorials for ASP.NET Core and it will take effect for the Blazor Server parts of your application.

I hope this helps you move forwards. Please let us know if not. And in that case, please give more details of what specifically you're trying to do and which part of it doesn't work.

SteveSandersonMS avatar Nov 25 '21 15:11 SteveSandersonMS

Hi @sipi41. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

ghost avatar Nov 25 '21 15:11 ghost

@SteveSandersonMS thank you for your reply. I would like to clarify something:

  1. Yes, most of the tutorials show how to create a new blazor site with auth enabled, but what this basically does is create a bunch of .cshtml pages that in the majority of cases are not needed; for example, not all websites are like facebook, we don't invite people to join, and this does not resolve one important question: why do we have to partially implement .cshtml pages in our single page application?

  2. Yes, it's true, as you said: "AuthenticationStateProvider isn't something you can store state inside", but the use of NotifyAuthenticationStateChanged is not shown in any of the documentation examples; in other words, in the vague examples provided in the official MS docs, a fake user is created at the beginning when implementing GetAuthenticationStateAsync for the first time, then what? missing pieces all over...

  3. You said: "for Blazor Server, the authentication is really the same as regular ASP.NET Core authentication" and this is not true (at least in old versions of .net core). In previous mvc core projects, I had to use app.UseAuthentication and app.UseAuthorization, not in this project... I never had to use AuthenticationStateProvider; state was also saved automatically in a cookie...

I'm about to finish the approach with the help of the tutorial mentioned in the original post; maybe this could help somebody else. PLEASE fix the docs, I repeat, there's a lot of confusion regarding this; if you don't believe me, check the tutorials and videos offered on the internet, everybody has their own ideas... and that is not because they are dumb or not experienced but because the docs are so confusing.

sipi41 avatar Nov 25 '21 17:11 sipi41
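A custom provider of the kind the original post and point 2 above ask for, with a method that swaps the current user and calls NotifyAuthenticationStateChanged. This is an added example for this thread, not code from the issue, the ASP.NET Core docs, or the aspnetcore repo; it assumes a .NET 6 Blazor Server project, and the class name, method names and the "Custom" authentication type are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

// Registered as scoped, so one instance lives per Blazor Server circuit. The principal
// it holds sits in circuit memory only: it is not an auth cookie and does not survive a
// page reload, which is the gap the template's .cshtml sign-in page fills.
public sealed class CustomAuthStateProvider : AuthenticationStateProvider
{
    // A ClaimsIdentity with no authentication type reports IsAuthenticated == false,
    // so every circuit starts out anonymous.
    private ClaimsPrincipal _user = new(new ClaimsIdentity());

    public override Task<AuthenticationState> GetAuthenticationStateAsync()
        => Task.FromResult(new AuthenticationState(_user));

    // Performs no credential check itself: call it only from server-side sign-in code
    // that has already verified the credentials (e.g. with SignInManager), never
    // straight from a form submit with unvalidated input.
    public void MarkUserAsAuthenticated(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim> { new(ClaimTypes.Name, userName) };
        claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // Supplying an authentication type is what makes IsAuthenticated true.
        _user = new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "Custom"));

        // Tells AuthorizeView / CascadingAuthenticationState to re-render with the new user.
        NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
    }

    public void MarkUserAsLoggedOut()
    {
        _user = new ClaimsPrincipal(new ClaimsIdentity());
        NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
    }
}

// Program.cs wiring (assumed). Registering after AddServerSideBlazor() makes this provider
// win over the built-in ServerAuthenticationStateProvider, which is added with TryAddScoped.
// AuthorizeView also needs the Router wrapped in CascadingAuthenticationState in App.razor,
// otherwise it throws an InvalidOperationException about the missing cascading parameter.
//
//   builder.Services.AddServerSideBlazor();
//   builder.Services.AddAuthorizationCore();
//   builder.Services.AddScoped<AuthenticationStateProvider, CustomAuthStateProvider>();
```

Because the principal lives only in the circuit, a reload or a new tab starts anonymous again; for state that must survive that, the sign-in has to issue a real cookie via the ASP.NET Core authentication middleware, which is what the built-in ServerAuthenticationStateProvider then reads.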

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectations regarding different types of issues, you can read our Triage Process.

ghost avatar Nov 29 '21 17:11 ghost

Thanks for contacting us.

We're moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.

ghost avatar Nov 21 '22 23:11 ghost

@mkArtakMSFT ... Some of @sipi41's feedback and suggestions have been incorporated into the Blazor Server docs, including suggestions from several other PU issues. The docs now incorporate many helpful remarks that @javiercn, @SteveSandersonMS, and @davidfowl made to devs in PU issues, including @javiercn's sample code for common advanced use cases. When I'm finished with updates to the Security node, I recommend an exhaustive PU review of all of the new content and updated older content. I'm still at least a month away from finishing, and I'll keep you posted.

Thanks for your feedback, @sipi41. The Blazor Server docs didn't receive the same level of attention as the Blazor WebAssembly security docs, which had to cover novel approaches for the novel SPA-featured framework. I had hoped to reach this node in early 2022, but other priorities prevented it. Now, I have time to work on the node. You can see now how some of your feedback was addressed ...

  • https://learn.microsoft.com/aspnet/core/blazor/security/server/ — Especially note ...
    • The enhanced opening paragraphs.
    • The new Notification about authentication state changes section.
    • The new Inject AuthenticationStateProvider for services scoped to a component section.
    • The new Additional security abstractions section, which includes general information on ServerAuthenticationStateProvider and RevalidatingIdentityAuthenticationStateProvider (we might add example derivations later for custom use cases).
  • https://learn.microsoft.com/aspnet/core/blazor/security/server/additional-scenarios — Especially note the new Circuit handler to capture users for custom services section.

Beyond those improvements, there were also a host of ...

  • Phrasing improvements.
  • Article and API doc cross-links added.
  • Better examples with more cut-'n-paste, fully-working code examples.
  • Organizational improvements.
  • Improved section headings.
  • Improved versioning (e.g., Program.cs vs. Startup.cs, NRTs and IDE null static analysis, type inference for the new keyword at 5.0+, etc.).

... and this isn't the end of the process for the Blazor Server docs in the Security node. After I'm finished reacting to feedback left for the PU and on doc issues, we'll probably have an exhaustive PU review so that the team can get my 🦖 RexHacks™ 🦖 out of the docs! 🙈😄 The updates will continue for another month or so, so more improvements are on the way 🏃.

guardrex avatar Feb 16 '23 16:02 guardrex

@guardrex Thank you for the improvements in the documentation. This is very important for many users.

Just to add a comment. I totally agree with @sipi41, especially for point number 1. I hope one day it will be different. That one day, it will not be necessary to use .cshtml pages and use .razor pages instead.

boukenka avatar Feb 16 '23 17:02 boukenka

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it's a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled, you can read more about our triage process here.

ghost avatar Oct 06 '23 17:10 ghost

I implemented it, but AuthorizeView is not working.

kururu-abdo avatar Jan 28 '24 07:01 kururu-abdo