
Add Microsoft Identity Platform auth option to the Blazor Web App template

Open danroth27 opened this issue 2 years ago • 46 comments

We don't currently support the Microsoft Identity Platform auth option with the Blazor Web App template. We should add it.

danroth27 avatar Oct 07 '23 20:10 danroth27

@jmprieur @JeremyLikness @sayedihashimi @vijayrkn

danroth27 avatar Oct 07 '23 20:10 danroth27

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s). If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

ghost avatar Oct 09 '23 16:10 ghost

Seeing this moved to .Net 9 is disappointing. Once again templates won't have a simple and functional way to have a working configuration with Azure ID/Entra, and the current status of the documentation for .Net 8 is also poor, since pages with the details shown for .Net 7 have been removed.

AlbertoPa avatar Oct 11 '23 01:10 AlbertoPa

https://vladislavantonyuk.github.io/articles/Microsoft-Identity-Platform-Authentication-in-Blazor-Web-Application

You can also find a template here: https://www.nuget.org/packages/VladislavAntonyuk.DotNetTemplates/3.0.247-pre4

VladislavAntonyuk avatar Oct 16 '23 13:10 VladislavAntonyuk

> https://vladislavantonyuk.github.io/articles/Microsoft-Identity-Platform-Authentication-in-Blazor-Web-Application
>
> You can also find a template here: https://www.nuget.org/packages/VladislavAntonyuk.DotNetTemplates/3.0.247-pre4

Unless I'm missing something this is just the server rendering solution. It doesn't support the other render modes such as Auto.

peterthorpe81 avatar Nov 16 '23 09:11 peterthorpe81

For now, it is the component with InteractiveServerRenderMode only. For Auto, you need to add code to the Client project. Something like this: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-azure-active-directory-b2c?view=aspnetcore-7.0

VladislavAntonyuk avatar Nov 16 '23 10:11 VladislavAntonyuk

I guess the question is how we cover both scenarios that may happen when using auto: the first access is server-side Blazor, the following accesses should be WASM, so the auth workflow changes depending on the render mode or am I missing anything?

AlbertoPa avatar Nov 16 '23 23:11 AlbertoPa

Very disappointing not to see this in .NET 8 given it's an LTS.

Viajaz avatar Nov 20 '23 15:11 Viajaz

> I guess the question is how we cover both scenarios that may happen when using auto: the first access is server-side Blazor, the following accesses should be WASM

This is the kind of guidance I am missing as well @danroth27

leastprivilege avatar Nov 20 '23 15:11 leastprivilege

> I guess the question is how we cover both scenarios that may happen when using auto: the first access is server-side Blazor, the following accesses should be WASM, so the auth workflow changes depending on the render mode or am I missing anything?

That's correct, although the transfer to WASM could be at any point and in an advanced scenario it may even go back. I think it needs keeping in sync between the two modes using something like the PersistingRevalidatingAuthenticationStateProvider implemented in the template.

I did notice the HttpClient call for the Weather was also removed from the templates https://github.com/dotnet/aspnetcore/issues/51204. I suspect this was for similar reasons. The HttpClient could be called from Client (WASM) or Server (which is a little wasteful) so you need to register HttpClient on both. Then when you add Authentication and Authorization you have to keep them in sync without using the HttpContext on the server. I know there is the alternative of two implementations of a weather service one for Client and one for Server but code wise that isn't ideal if you are migrating from WASM with WebAPI backend and looking to quickly get the benefits of Auto mode.

It doesn't appear trivial to implement authentication and authorization that works in Auto mode and the templates have neglected to demonstrate it. Essentially anyone using any kind of Auth (most projects?) or HttpClient can't automatically move to Auto mode.

If the templates won't be updated soon, some example projects with Authentication and Authorization scenarios would be great. Ideally I would like to see a Microsoft Identity (Entra) login that works in Auto mode and can make HttpClient calls from Client or Server to an API using authorization. Additionally it would be great if the project demonstrated adding additional claims in code and the [AllowAnonymous] attribute applied on some pages. Some changes appear to have happened around AllowAnonymous to make this work?

peterthorpe81 avatar Nov 21 '23 16:11 peterthorpe81

@peterthorpe81 if you look at what happens in the new blazor web app when auto and identity with local user accounts are used, you'll see that the server app manages all the authentication work, and the client (wasm) synchronizes the authentication state with the server app.

Following this logic, auth in auto mode with Microsoft Identity Platform may be done following a similar logic. 🤔

AlbertoPa avatar Nov 23 '23 01:11 AlbertoPa

> @peterthorpe81 if you look at what happens in the new blazor web app when auto and identity with local user accounts are used, you'll see that the server app manages all the authentication work, and the client (wasm) synchronizes the authentication state with the server app.
>
> Following this logic, auth in auto mode with Microsoft Identity Platform may be done following a similar logic. 🤔

Yes, this is what I have been looking at, but I don't seem to be able to get a config that works in both render modes. I think one of the differences is that local accounts are authenticated within your site using the scaffolded pages. Microsoft Identity Platform is going out to an external site so the redirect loses the state.

peterthorpe81 avatar Nov 23 '23 12:11 peterthorpe81

@peterthorpe81 agreed. One less than ideal way is to have the server authenticate with AD, then store the information in the cookie to pass it to the client, but that means the SPA workflow of AD is ignored entirely also when in WASM mode, which I do not think is a great solution.

AlbertoPa avatar Nov 23 '23 18:11 AlbertoPa

I think if we can get a template for just Interactive Server Per Page/Component, that would be great for now.

moshali1 avatar Nov 25 '23 15:11 moshali1

> I think if we can get a template for just Interactive Server Per Page/Component, that would be great for now.

Interactive server should not have changed (see the old template). It is just a web app. Similarly, setting up a hosted WASM web-app. The main difference is when using auto mode (but after a few tests, it seems also in this case changes may not be too deep).

AlbertoPa avatar Nov 27 '23 16:11 AlbertoPa

> > I think if we can get a template for just Interactive Server Per Page/Component, that would be great for now.
>
> Interactive server should not have changed (see the old template). It is just a web app. Similarly, setting up a hosted WASM web-app. The main difference is when using auto mode (but after a few tests, it seems also in this case changes may not be too deep).

The key point from my perspective, is that the "old" template only allows choosing .NET 6/7. If one wants to remain on a "supported" version, the only option seems to be to go through the upgrade steps involved ... which is just nowhere near as simple as it has been for previous releases. Further, Visual Studio IntelliSense is breaking when using newer razor components. I've submitted a separate issue via VS for that.

shoffma1 avatar Nov 27 '23 19:11 shoffma1

This issue really breaks Blazor quite a bit for me. In my opinion, authentication with Microsoft Identity is crucial for Blazor applications, which (at least in my case) are usually small webapps hosted on Azure. If there is no template to use these (from an Azure-architectural viewpoint) tightly coupled technologies together to create a minimal webapp, then this will massively slow down development of prototypes, which will lead me to consider using other webapp frameworks to build upon. And I don't think that I am alone with this opinion. Please at least provide a timeline for such an updated template.

sequarell avatar Nov 28 '23 14:11 sequarell

I agree that this is a must have. I've been struggling with this.

mreisz7 avatar Nov 29 '23 14:11 mreisz7

Switched from ASP.NET Identity to Microsoft Identity because of Duende debacle. Now switching back lol, hope my users don't complain too much. I watched the dotnet conf, I don't think it was made clear enough to me that Asp.net Identity no longer depends on Duende?

Mason742 avatar Dec 04 '23 04:12 Mason742

Is there an ETA for this for .Net 8, or is it permanently moved to .Net 9?

AlbertoPa avatar Dec 06 '23 01:12 AlbertoPa

I have no idea how this feature could have been missed? Or is MS only targeting Blazor auto for Independent accounts for dotnet 8 and has a plan to expand it to Identity Platform in 9.0? I can't seem to make it work or find any reliable templates online either.

sundeep22 avatar Dec 09 '23 10:12 sundeep22

@sundeep22 take a look at this unofficial sample: https://github.com/dudley810/dotnet8identityopenid It should give you an idea on how to use AD/Entra.

AlbertoPa avatar Dec 09 '23 19:12 AlbertoPa

> @sundeep22 take a look at this unofficial sample: https://github.com/dudley810/dotnet8identityopenid It should give you an idea on how to use AD/Entra.

Thanks, will give it a shot!

sundeep22 avatar Dec 10 '23 12:12 sundeep22

I think as a minimum we need a page with guidance on how to manually configure the Azure Auth/Cache options to allow us to use Auto. I have been following along with @danroth27's talks with growing enthusiasm. To find out there is no MIP template option is a huge letdown. Especially, given .NET 9 is unlikely to be LTS.

devonhubush avatar Dec 13 '23 10:12 devonhubush

This is a make or break issue for us. Our team was considering Blazor .NET 8 for a new web application, but without proper Entra ID support I can't see going this way. ASP.NET Core with React seems like a much more viable solution IMHO. We were seriously burned by Maui last year, and Blazor .NET 8 has a similarly bad smell.

davecader avatar Dec 19 '23 17:12 davecader

Thanks for contacting us.

We're moving this issue to the .NET 9 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue, during our next planning meeting(s). If we later determine, that the issue has no community involvement, or it's very rare and low-impact issue, we will close it - so that the team can focus on more important and high impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.

ghost avatar Dec 19 '23 17:12 ghost

Hey there! This might help some of you ( https://www.reddit.com/r/Blazor/s/hhj6PGvuJ8 )

I got auto mode to work with Azure AD by applying the existing .Net 7 authentication in the server-side project. To get the client-side project to work with authentication I followed the documentation here: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-8.0

Essentially you just need to add "builder.Services.AddCascadingAuthenticationState();" in the server project and "builder.Services.AddOptions(); builder.Services.AddAuthorizationCore();" in the client project.

"In a server-side Blazor app, services for options and authorization are already present, so no further steps are required."

  • credits: hkstc305 @ reddit

pratt33k avatar Dec 19 '23 22:12 pratt33k

> Hey there! This might help some of you ( https://www.reddit.com/r/Blazor/s/hhj6PGvuJ8 )
>
> I got auto mode to work with Azure AD by applying the existing .Net 7 authentication in the server-side project. To get the client-side project to work with authentication I followed the documentation here: https://learn.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-8.0
>
> Essentially you just need to add "builder.Services.AddCascadingAuthenticationState();" in the server project and "builder.Services.AddOptions(); builder.Services.AddAuthorizationCore();" in the client project.
>
> "In a server-side Blazor app, services for options and authorization are already present, so no further steps are required."
>
>   • credits: hkstc305 @ reddit

If you have auto or wasm render modes or application, what you suggest is not sufficient. Your application will lose the authentication state it has acquired when working in server mode, and the client won't have consistent information. See https://github.com/dudley810/dotnet8identityopenid for a working example. The documentation you linked for .Net 8 does not provide details on this use case.

In a pure server-side Blazor situation, the app behaves just like a server app, so after registering the "web app" in AD, everything works as usual. A pure WASM application also works exactly as before: register it in AD as SPA, register the API for jwt auth, and it works. It becomes more complex when using pre-rendering of pages that need API calls.

AlbertoPa avatar Dec 19 '23 22:12 AlbertoPa
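
The server-to-client authentication state hand-off this thread keeps returning to, as an added C# sketch; it is not part of any comment above, the Blazor template, or the linked samples. It assumes the server project already signs users in (OpenID Connect plus a cookie) and that both projects can see a shared `UserInfo` type; `UserInfo` and both provider class names are hypothetical.

```csharp
// Added sketch, not template code. UserInfo and both class names are illustrative.
using System.Security.Claims;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.AspNetCore.Components.Server;   // server project only
using Microsoft.AspNetCore.Components.Web;

public sealed record UserInfo(string UserId, string Name);   // type shared by both projects

// Server project. Register with:
//   builder.Services.AddScoped<AuthenticationStateProvider, PersistingServerAuthStateProvider>();
public sealed class PersistingServerAuthStateProvider : ServerAuthenticationStateProvider, IDisposable
{
    private readonly PersistingComponentStateSubscription _subscription;

    public PersistingServerAuthStateProvider(PersistentComponentState state) =>
        // The callback runs when a prerendered page is handed over to WebAssembly.
        _subscription = state.RegisterOnPersisting(async () =>
        {
            var user = (await GetAuthenticationStateAsync()).User;
            if (user.Identity?.IsAuthenticated != true) return;
            // Assumption: the user id arrives as NameIdentifier; adjust to your claim mapping.
            var id = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "";
            // Persist only what the UI needs. Tokens and the auth cookie stay on the server.
            state.PersistAsJson(nameof(UserInfo), new UserInfo(id, user.Identity.Name ?? ""));
        }, RenderMode.InteractiveWebAssembly);

    public void Dispose() => _subscription.Dispose();
}

// Client project. Register with:
//   builder.Services.AddAuthorizationCore();
//   builder.Services.AddCascadingAuthenticationState();
//   builder.Services.AddSingleton<AuthenticationStateProvider, PersistedClientAuthStateProvider>();
public sealed class PersistedClientAuthStateProvider : AuthenticationStateProvider
{
    private readonly Task<AuthenticationState> _state =
        Task.FromResult(new AuthenticationState(new ClaimsPrincipal(new ClaimsIdentity())));

    public PersistedClientAuthStateProvider(PersistentComponentState state)
    {
        if (!state.TryTakeFromJson<UserInfo>(nameof(UserInfo), out var info) || info is null) return;
        var claims = new[] { new Claim(ClaimTypes.NameIdentifier, info.UserId), new Claim(ClaimTypes.Name, info.Name) };
        // Display-only identity: the server must still authorize every request it receives.
        _state = Task.FromResult(new AuthenticationState(
            new ClaimsPrincipal(new ClaimsIdentity(claims, authenticationType: "Persisted"))));
    }

    public override Task<AuthenticationState> GetAuthenticationStateAsync() => _state;
}
```

The identity rebuilt in the browser only drives what the UI shows; anything security-relevant has to be enforced by server endpoints against the cookie or token, because persisted component state is readable and editable by the user.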

I think it would be useful for those who have provided feedback, thus far, to specify if their projects were-going-to-use/are-using Server mode, WASM or Auto. It would be a shame if those with Server mode Blazor Web projects are skipping the stack completely just because of this lack of functionality in the template. I'm almost exclusively dealing with Blazor Server projects but I managed to port the Microsoft.Identity code from .NET 7 templated project to allow for EntraID authentication in a Blazor Web .NET 8 Project in Server Mode, it took a few hours but it was relatively simple.

I think, from the feedback here already, it's evident that we're going to see a whole generation of bespoke apps each with their own authentication implementation (and all the security risks associated with that) just because of this lack of functionality in this template. I think those who were investigating the Auto mode in particular will be especially impacted due to the complexity. .NET developers will be dealing with the fallout from all these bespoke issues, with smaller projects from smaller teams, for years to come and I doubt it will start to be resolved until the next .NET LTS is released, as that is what happened last time .NET Project Templates had missing functionality like this.

Viajaz avatar Dec 20 '23 04:12 Viajaz

Could this issue be addressed before .Net 9, with an update containing updated templates, instead of stating it will be "considered" for .Net 9, one year away, considering the impact it has?

AlbertoPa avatar Dec 20 '23 15:12 AlbertoPa