Reputation: 221
Blazor default role provider
I have set up a Blazor application in .NET Core 3.1 and I'm implementing authentication/authorization, but it is clear I just don't have a great understanding of how default authentication works.
I set up an "AuthorizeView" tag as follows, fully expecting it to fail:
<AuthorizeView Context="auth" Roles="Admin">
<Authorized>
Content
</Authorized>
<NotAuthorized>
You do not have access to this page.
</NotAuthorized>
</AuthorizeView>
but instead it works fine. I am able to see the "Content" section, despite the fact I have not set up ANY authorization. I'm assuming this defaults back to something like Windows Authentication (which is what I'm using in my Blazor app) but I'm not specifying to use AD Authorization anywhere.
Can anyone point me to where I would go, or help me understand, how this is working by default and where it is pulling this "Admin" role from?
Upvotes: 0
Views: 499
Answers (1)
Reputation: 45596
You can control and limit access to your resources using authorization. You can control access depending on the roles of the user, claims and authorization policy.
Using the AuthorizeView above and setting the Roles attribute to "Admin", you tell Blazor that if the user belongs to the Admin role, he is authorized to access the content within Authorized element.
I guess that you've set your Blazor app to authenticate users accessing your app by selecting Windows Authentication, when creating your app, right ?
When you try to access your app, you are asked to provide your credentials which are passed from IIS (express) to your app...
Roughly speaking a Claims Principle( or Windows Principle) object is created by Blazor and passed to an object named ServerAuthenticationStateProvider as an AuthenticationState object. This object, meaning the AuthenticationState object is also provided to the AuthorizeView whose base class AuthorizeViewCore contains the logic to call the IAuthorizationService, passing it the claims principle. Now the authorization service inspect the Claims Principle object, what claims it has, what roles it has, and of course it looks for a role claim with the value "Admin", if found, true is returned, and at the end of the pipe line it is decided that you are allowed to access the restricted content.
where it is pulling this "Admin" role from
From your Windows AD if you've one or from windows user accounts, etc. Remember, you told the wizard that you want to use Windows authentication (this is my supposition, otherwise everything I've said may be wrong).
You had better go to the docs and acquaint yourself with services like AuthenticationStateProvider, ServiceAuthenticationStateProvider ,etc.
Upvotes: 1
Related Questions
- Role-based authorization in Blazor WebAssembly .Net5 MsalAuthentication
- Dynamic Role based Authorization in Blazor Server
- Blazor - Identity Add roles on application startup
- Authorize with roles is not working in .NET 5.0 Blazor Client app
- Blazor Role based Authorization - No service for type 'Microsoft.AspNetCore.Identity.RoleManager'
- Blazor authentication role based
- Blazor server side role or claim based authorization when using windows login
- Blazor Displaying roles from users ASP.NET
- Use Authorization Roles and Policies in Blazor WebAssembly with Identity?
- Blazor role based authentication