m.t.bennett

Reputation: 1320

Blazor using Azure AD authentication allowing anonymous access

I'm currently writing a (Server side) Blazor application that includes the default AzureAD Authentication.

This works well for authenticated users - challenging on the entrance (_Host.cshtml) file, redirecting and then back once authenticated.

I need to have a couple of pages not requiring authentication - I don't want the user being challenged and redirected to Microsoft.

What is the correct way to do this? I have experimented with the AllowAnonymousAttribute and the AllowAnonymousToPage razor pages options; nothing seems to stop the challenge.

Any help would be greatly appreciated!

Below is my setup for Authentication (ConfigureServices):

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

    services.AddRazorPages();
    services.AddServerSideBlazor();
    services.AddTelerikBlazor();
}

And then the appropriate part in Configure:

app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
    endpoints.MapBlazorHub();
    endpoints.MapFallbackToPage("/_Host");
});

Upvotes: 8

Views: 4232

Answers (2)

Max Welzig

Reputation: 21

First, you will need to disable authentication on all pages. This can be done by commenting the fallback policy out in "Program.cs".

builder.Services.AddAuthorization(options => 
{
    // By default, all incoming requests will be authorized according to the default policy
    //options.FallbackPolicy = options.DefaultPolicy;
});

Then, on your individual razor pages, add the following code:

<AuthorizeView>
    <Authorized>
        @*code for authenticated users here*@
        I am logged in
    </Authorized>
    <NotAuthorized>
        @*code for unauthenticated users here*@
        Please log in
    </NotAuthorized>
</AuthorizeView>

This will allow you to retain complete functionality of all components and functions within your app.

I do not recommend adding the following to your "_Host.cshtml" file, as this causes buttons and components to no longer function/display correctly:

@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

Hope this helps. I am using Blazor server with dotnet 6.

Upvotes: 2

LarryDev

Reputation: 128

I found what I had to do was add the following to _Host.cshtml:

@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

Once I did this, authorization was no longer required on any of the pages by default, and I could then add it to the pages where I wanted to require it.

For example, if you wanted to secure the Counter.razor page, just add an Authorize attribute to the top:

@attribute [Authorize]

So now if you try to access the counter page, you will get a Not authorized message.

If you want to remove the counter link when the user is not logged in, modify the NavMenu.razor and surround the Counter link with an <AuthorizeView> </AuthorizeView> like so:

<AuthorizeView>
    <li class="nav-item px-3">
        <NavLink class="nav-link" href="counter">
            <span class="oi oi-plus" aria-hidden="true"></span> Counter
        </NavLink>
    </li>
</AuthorizeView> 

Ideally I would have liked to just opt out of authorization for the index page and have everything else secured by default but I could not find a way to get that to work. If I tried adding the @attribute [AllowAnonymous] to the Index.razor page it seemed to ignore it.

Upvotes: 8
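
Added example, not code from the question or either answer: a secure-by-default layout for the opt-out case described in the last answer. It keeps `[AllowAnonymous]` on `_Host.cshtml` so the initial HTTP request is not challenged, applies `[Authorize]` to every routable component through `_Imports.razor`, and opts individual pages out. Assumptions: the default template's `App.razor` with `AuthorizeRouteView`; `MainLayout` and the page bodies are placeholders.

```razor
@* ---- Pages/_Host.cshtml (the Razor Page that bootstraps the app) ---- *@
@* Exempts only the host page from the global AuthorizeFilter, so the
   first HTTP request is not challenged and redirected to Azure AD. *@
@page "/"
@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

@* ---- _Imports.razor (project root) ---- *@
@* Secure by default: every routable component inherits [Authorize]. *@
@using Microsoft.AspNetCore.Authorization
@using Microsoft.AspNetCore.Components.Authorization
@attribute [Authorize]

@* ---- Pages/Index.razor (public page, placeholder content) ---- *@
@* Explicit opt-out: [AllowAnonymous] wins over the inherited [Authorize]. *@
@page "/"
@attribute [AllowAnonymous]
<h1>Welcome</h1>

@* ---- Pages/Counter.razor (protected; no attribute needed) ---- *@
@page "/counter"
<h1>Counter</h1>

@* ---- App.razor (the router is what enforces the attributes) ---- *@
<CascadingAuthenticationState>
    <Router AppAssembly="@typeof(Program).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView RouteData="@routeData"
                                DefaultLayout="@typeof(MainLayout)" />
        </Found>
        <NotFound>
            <LayoutView Layout="@typeof(MainLayout)">
                <p>Sorry, there's nothing at this address.</p>
            </LayoutView>
        </NotFound>
    </Router>
</CascadingAuthenticationState>
```

The `[Authorize]` attribute on a routable component is what the router enforces; `<AuthorizeView>` only controls what is rendered, so hiding a nav link does not protect the page behind it.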
