9 Securing Blazor applications


This chapter covers

  • Integrating with an external identity provider
  • Displaying UI based on a user’s authentication status
  • Restricting pages to authorized users
  • Authorizing users by role

Being able to tailor the user's experience is almost a must-have in modern applications. Some customization can be achieved by storing values in cookies or local storage, but both are client-side stores that the user, or any script running in the browser, can read and alter, so nothing sensitive can depend on them. The common approach is to have users create an account and sign in to the application. The server then verifies who the user is on every request and can keep their data and preferences where the browser cannot tamper with them, which is far more secure.

Once a user is signed in, it opens all kinds of opportunities. In e-commerce sites, such as Amazon, users can view their previous orders, track current ones, and view tailored recommendations of products they might like. On news sites, users can create customized news feeds containing just the information they’re interested in seeing.

When an application lets users sign in, two distinct processes are involved:

  • Authentication—The process of determining if someone is who they claim to be
  • Authorization—The process of checking if someone has the rights to access a resource

For example, a user can be authenticated (logged in) but not authorized to view a page in an application. This could be because the page is restricted to administrators and the user is not in that role. The two failures deserve different responses: a user who is not authenticated should be sent to sign in, whereas a user who is authenticated but lacks the required role should be told they are not permitted, because signing in again will not change the outcome.
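The following Razor markup is an added illustration of that distinction in Blazor; it is not code from the book or its sample project. It uses Blazor's built-in AuthorizeRouteView, AuthorizeView and the [Authorize] attribute. The route "/admin", the role name "Administrator", the login URL "authentication/login" and the RedirectToLogin component (which the standard Blazor WebAssembly template provides) are assumptions for the example.

```razor
@* File: App.razor (added example; RedirectToLogin and the role name "Administrator" are assumptions) *@
<CascadingAuthenticationState>
    <Router AppAssembly="@typeof(Program).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
                <NotAuthorized>
                    @* Separate the two failure cases from the text:
                       not authenticated  -> send the user to sign in;
                       authenticated but lacking the role -> explain, since signing in again will not help. *@
                    @if (context.User.Identity?.IsAuthenticated != true)
                    {
                        <RedirectToLogin />
                    }
                    else
                    {
                        <p role="alert">You are signed in, but your account is not permitted to view this page.</p>
                    }
                </NotAuthorized>
                <Authorizing>
                    <p>Checking your credentials...</p>
                </Authorizing>
            </AuthorizeRouteView>
        </Found>
    </Router>
</CascadingAuthenticationState>

@* File: Pages/Admin.razor *@
@page "/admin"
@using Microsoft.AspNetCore.Authorization
@* Authorization: the page renders only for identities that carry the Administrator role.
   Anyone else falls through to the NotAuthorized template in App.razor above. *@
@attribute [Authorize(Roles = "Administrator")]

<h1>Administration</h1>
<p>Only users whose identity carries the Administrator role reach this markup.</p>

@* File: Shared/NavMenu.razor (fragment) *@
@* Authentication status drives which fragment is shown; the nested AuthorizeView
   adds a role check. The inner Context name must differ from the outer "context". *@
<AuthorizeView>
    <Authorized>
        <span>Signed in as @context.User.Identity?.Name</span>
        <AuthorizeView Roles="Administrator" Context="adminContext">
            <a href="admin">Admin</a>
        </AuthorizeView>
    </Authorized>
    <NotAuthorized>
        <a href="authentication/login">Sign in</a>
    </NotAuthorized>
</AuthorizeView>
```

Two caveats a practitioner should keep in mind. First, in Blazor WebAssembly all of this runs in the browser, so it only governs what the UI shows: a user can modify the downloaded application or call the backend directly, and the API must enforce the same [Authorize] rules on its own endpoints. Second, role checks depend on the roles arriving as claims in the user's token; in Blazor WebAssembly the claim that carries roles is named through options.UserOptions.RoleClaim when the OIDC authentication is registered in Program.cs, and that claim name must match whatever the identity provider actually emits.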

9.1 Integrating with an identity provider: Auth0

9.1.1 Registering applications with Auth0

9.1.2 Customizing tokens from Auth0

9.1.3 Configuring Blazor WebAssembly to use Auth0

9.1.4 Configuring ASP.NET Core WebAPI to use Auth0

9.2 Displaying different UI fragments based on authentication status

9.2.1 Updating the Home feature

9.3 Preventing unauthorized users from accessing a page

9.3.1 Securing API endpoints

9.3.2 Calling secure API endpoints from Blazor

9.4 Authorizing users by role

9.4.1 Adding roles in Auth0