Secure ASP.NET Core Blazor Server apps
This article explains how to secure Blazor Server apps as ASP.NET Core applications.
Blazor Server apps are configured for security in the same manner as ASP.NET Core apps. For more information, see the articles under ASP.NET Core security topics. Topics under this overview apply specifically to Blazor Server.
Blazor Server project template
The Blazor Server project template can be configured for authentication when the project is created.
Follow the Visual Studio guidance in Tooling for ASP.NET Core Blazor to create a new Blazor Server project with an authentication mechanism.
After choosing the Blazor Server App template in the Create a new ASP.NET Core Web Application dialog, select Change under Authentication.
A dialog opens to offer the same set of authentication mechanisms available for other ASP.NET Core projects:
- No Authentication
- Individual User Accounts: User accounts can be stored:
  - Within the app using ASP.NET Core's Identity system.
  - With Azure AD B2C.
- Work or School Accounts
- Windows Authentication
Scaffold Identity
For more information on scaffolding Identity into a Blazor Server project, see Scaffold Identity in ASP.NET Core projects.
Additional claims and tokens from external providers
To store additional claims from external providers, see Persist additional claims and tokens from external providers in ASP.NET Core.
Azure App Service on Linux with Identity Server
Specify the issuer explicitly when deploying to Azure App Service on Linux with Identity Server. For more information, see Introduction to authentication for Single Page Apps on ASP.NET Core.
Notification about authentication state changes
If the app determines that the underlying authentication state data has changed (for example, because the user signed out or another user has changed their roles), a custom AuthenticationStateProvider can optionally invoke the method NotifyAuthenticationStateChanged on the AuthenticationStateProvider base class. This notifies consumers of the authentication state data (for example, AuthorizeView) to rerender using the new data.
Implement a custom AuthenticationStateProvider
If the app requires a custom provider, implement AuthenticationStateProvider and override GetAuthenticationStateAsync:
```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

public class CustomAuthStateProvider : AuthenticationStateProvider
{
    public override Task<AuthenticationState> GetAuthenticationStateAsync()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "mrfibuli"),
        }, "Fake authentication type");

        var user = new ClaimsPrincipal(identity);

        return Task.FromResult(new AuthenticationState(user));
    }
}
```
The CustomAuthStateProvider service is registered in Program.cs after the call to AddServerSideBlazor:
```csharp
using Microsoft.AspNetCore.Components.Authorization;

...

builder.Services.AddServerSideBlazor();

...

builder.Services.AddScoped<AuthenticationStateProvider, CustomAuthStateProvider>();
```
Using the CustomAuthStateProvider in the preceding example, all users are authenticated with the username mrfibuli.
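A provider that covers both points above: it starts unauthenticated instead of hard-coding a user, and it calls NotifyAuthenticationStateChanged whenever the user changes. This is an added example, not code from the original article; the class name NotifyingAuthStateProvider and the methods SetAuthenticatedUser and SignOut are hypothetical, and credential verification is assumed to happen elsewhere in the app.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

// Hypothetical provider (not from the article): anonymous by default,
// and consumers such as AuthorizeView are notified on every change.
public class NotifyingAuthStateProvider : AuthenticationStateProvider
{
    // A ClaimsIdentity created without an authentication type
    // reports IsAuthenticated == false.
    private static readonly ClaimsPrincipal Anonymous =
        new ClaimsPrincipal(new ClaimsIdentity());

    private ClaimsPrincipal _currentUser = Anonymous;

    public override Task<AuthenticationState> GetAuthenticationStateAsync()
        => Task.FromResult(new AuthenticationState(_currentUser));

    // Assumption: the caller has already verified the user's credentials.
    public void SetAuthenticatedUser(string userName, params string[] roles)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("User name is required.", nameof(userName));

        // A non-empty authentication type marks the identity as authenticated.
        var identity = new ClaimsIdentity("Custom authentication type");
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        foreach (var role in roles)
            identity.AddClaim(new Claim(ClaimTypes.Role, role));

        _currentUser = new ClaimsPrincipal(identity);

        // Tell consumers to rerender with the new authentication state.
        NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
    }

    // Drop back to the anonymous principal and notify consumers.
    public void SignOut()
    {
        _currentUser = Anonymous;
        NotifyAuthenticationStateChanged(GetAuthenticationStateAsync());
    }
}
```

Registered with AddScoped as shown above, each Blazor Server circuit gets its own instance, so a role change made by another user has to be delivered to the affected user's instance before it can notify.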
Additional resources
- Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app
- Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform
- Configure ASP.NET Core to work with proxy servers and load balancers: Includes guidance on:
  - Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks.
  - Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies.
Blazor Server apps are configured for security in the same manner as ASP.NET Core apps. For more information, see the articles under ASP.NET Core security topics. Topics under this overview apply specifically to Blazor Server.
Blazor Server project template
The Blazor Server project template can be configured for authentication when the project is created.
Follow the Visual Studio guidance in Tooling for ASP.NET Core Blazor to create a new Blazor Server project with an authentication mechanism.
After choosing the Blazor Server App template in the Create a new ASP.NET Core Web Application dialog, select Change under Authentication.
A dialog opens to offer the same set of authentication mechanisms available for other ASP.NET Core projects:
- No Authentication
- Individual User Accounts: User accounts can be stored:
  - Within the app using ASP.NET Core's Identity system.
  - With Azure AD B2C.
- Work or School Accounts
- Windows Authentication
Scaffold Identity
Scaffold Identity into a Blazor Server project:
Additional claims and tokens from external providers
To store additional claims from external providers, see Persist additional claims and tokens from external providers in ASP.NET Core.
Azure App Service on Linux with Identity Server
Specify the issuer explicitly when deploying to Azure App Service on Linux with Identity Server. For more information, see Introduction to authentication for Single Page Apps on ASP.NET Core.
Notification about authentication state changes
If the app determines that the underlying authentication state data has changed (for example, because the user signed out or another user has changed their roles), a custom AuthenticationStateProvider can optionally invoke the method NotifyAuthenticationStateChanged on the AuthenticationStateProvider base class. This notifies consumers of the authentication state data (for example, AuthorizeView) to rerender using the new data.
Implement a custom AuthenticationStateProvider
If the app requires a custom provider, implement AuthenticationStateProvider and override GetAuthenticationStateAsync:
```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.Authorization;

public class CustomAuthStateProvider : AuthenticationStateProvider
{
    public override Task<AuthenticationState> GetAuthenticationStateAsync()
    {
        var identity = new ClaimsIdentity(new[]
        {
            new Claim(ClaimTypes.Name, "mrfibuli"),
        }, "Fake authentication type");

        var user = new ClaimsPrincipal(identity);

        return Task.FromResult(new AuthenticationState(user));
    }
}
```
The CustomAuthStateProvider service is registered in Startup.ConfigureServices after the call to AddServerSideBlazor:
```csharp
using Microsoft.AspNetCore.Components.Authorization;

...

services.AddServerSideBlazor();

...

services.AddScoped<AuthenticationStateProvider, CustomAuthStateProvider>();
```
Using the CustomAuthStateProvider in the preceding example, all users are authenticated with the username mrfibuli.
Additional resources
- Quickstart: Add sign-in with Microsoft to an ASP.NET Core web app
- Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform
- Configure ASP.NET Core to work with proxy servers and load balancers: Includes guidance on:
  - Using Forwarded Headers Middleware to preserve HTTPS scheme information across proxy servers and internal networks.
  - Additional scenarios and use cases, including manual scheme configuration, request path changes for correct request routing, and forwarding the request scheme for Linux and non-IIS reverse proxies.