Smith5727

Reputation: 775

Blazor WebAssembly - Best practices for User Accounts and Identity Server

I am trying to create a basic User Management module in my software and I have followed this guide to create the module:

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio

I suppose this is the best practice recommended by Microsoft. However, I do not understand the following:

  1. Are parts of the authorization handled server-side? I want to make sure no parts (or a minimum) are server-side rendered, and authorization should mainly take place in the API calls since I am using Blazor WebAssembly. So I am wondering why we can specify .cshtml files etc., as I thought that was server-side rendered code.
  2. In the guide they make several references to IdentityServer (it seems to be a third-party software component). The application I am building is a commercial one. Am I obliged to buy a license for IdentityServer? If yes, is there a Microsoft-recommended free way to do the same thing?
  3. What is the difference between IdentityServer and IdentityServer4?
  4. What I am trying to do in the end is a Microsoft best-practice module that lets an Admin create and handle users that have different roles and access to different parts of the Blazor WebAssembly project. Maybe there is some other straightforward way to do this? What is the best practice today?

Upvotes: 5

Views: 1464

Answers (1)

Thomas Erdösi

Reputation: 546

  1. Authentication and authorization should always be handled by the backend because the frontend can always be manipulated or emulated. If you follow these instructions, authorization will be fully handled by the server side. The login and logout functionality will redirect you to razor pages running on the server. When the user is authenticated, a JWT is created and sent to your Blazor application. This token can then be used to send authentication information along with subsequent HTTP requests. It's a bit tricky to get this approach up and running, but it works well.

  2. The identity server used in these examples is part of ASP.NET.

  3. IdentityServer and IdentityServer4 are referring to the IdentityServer that is included in ASP.NET.

  4. You may also use cookie-based authentication and create a Web API to handle login/logout and provide user information. It is easy to set up and to provide Blazor UIs for authentication. Make sure to have an encrypted connection when using this approach because you need to send login information via HTTP request.

    Anyway, I personally would stick to the Microsoft recommendations and use JWT.

Upvotes: 2
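The point made in the answer above (the Blazor client can be manipulated, so the API must validate the JWT and enforce roles itself) is easiest to see in the Server project's startup code. The following is an added example written for this page, not code from the linked Microsoft guide or from the hosted template. It assumes .NET 6+ minimal hosting, the Microsoft.AspNetCore.Authentication.JwtBearer package, a token issuer at https://localhost:5001 that puts the user's roles in a "role" claim, and an API audience named BlazorApp.ServerAPI; those names and the in-memory user list are hypothetical placeholders.

```csharp
// Program.cs for the Server project of a hosted Blazor WebAssembly solution.
// Added example for this page; it is not the template's own code.
// Assumptions (hypothetical): issuer https://localhost:5001, a "role" claim in the
// access token, audience "BlazorApp.ServerAPI", and an in-memory user store.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// 1. Validate the bearer token on every API request. Signing keys are fetched from
//    the issuer's discovery document, so a token forged or edited in the browser
//    fails signature validation here regardless of what the client UI showed.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://localhost:5001";       // hypothetical issuer
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidAudience = "BlazorApp.ServerAPI",          // hypothetical API scope
            ValidateLifetime = true,
            RoleClaimType = "role",   // assumption: roles are issued in a "role" claim
            NameClaimType = "name",
        };
    });

// 2. Turn roles into named policies so every endpoint states what it requires.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
    options.AddPolicy("ManagerOrAdmin", policy => policy.RequireRole("Manager", "Admin"));
});

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();   // order matters: authenticate before authorizing
app.UseAuthorization();

// Hypothetical in-memory store standing in for ASP.NET Core Identity's UserManager.
var users = new List<UserRecord> { new("alice", "Admin"), new("bob", "Manager") };

// Any signed-in user may read their own claims (useful for debugging what the token carries).
app.MapGet("/api/me", (ClaimsPrincipal user) =>
        user.Claims.Select(c => new { c.Type, c.Value }))
   .RequireAuthorization();

// 3. Only an Admin may list or create users. The Blazor client can wrap the page in
//    <AuthorizeView Roles="Admin">, but that only hides UI; this policy is the real check.
app.MapGet("/api/users", () => users)
   .RequireAuthorization("AdminOnly");

app.MapPost("/api/users", (UserRecord newUser) =>
    {
        if (users.Any(u => u.UserName == newUser.UserName))
            return Results.Conflict($"User '{newUser.UserName}' already exists.");
        users.Add(newUser);
        return Results.Created($"/api/users/{newUser.UserName}", newUser);
    })
   .RequireAuthorization("AdminOnly");

// Managers may read the list but not change it.
app.MapGet("/api/users/summary", () => users.Select(u => u.UserName))
   .RequireAuthorization("ManagerOrAdmin");

app.Run();

// Minimal record for the hypothetical user store.
record UserRecord(string UserName, string Role);
```

On the client side, the template's `BaseAddressAuthorizationMessageHandler` attaches the access token to outgoing `HttpClient` calls; without a valid token the endpoints above return 401, and a valid token without the `Admin` role returns 403 even if the user reached the page by editing the client's routing. Whether the issuer actually includes a `role` claim depends on how the identity provider's profile data is configured, so check the `/api/me` output first when a policy unexpectedly fails.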
