Blazor Authentication with JSON Web Tokens
HTML-код
- Опубликовано: 29 сен 2024
- We've seen a ASP.NET backend with an Angular frontend. What if we want C# all the way through? Here's how we do it in Blazor.
Source code available at: github.com/Jas...
Server code available at: github.com/Jas...
Topics include:
- Creating HttpClient through an HttpClientFactory
- Using appsettings.json in Blazor WASM
- Accessing Session Storage with the Blazored.SessionStorage package
- Decomposing JWTs in .NET
- Using events to update the DOM in Blazor
- Using a DelegatingHandler to augment HTTP requests
- Avoiding cyclic dependency injection
Which front end do you prefer - Angular or Blazor? Let me know.
Source code available at: github.com/JasperKent/Blazor-Wasm-Authentication
Server code available at: github.com/JasperKent/WebApi-Authentication
Remember to subscribe at ruclips.net/channel/UCqWQzlUDdllnLmtgfSgYTCA
And if you liked the video, click the 👍.
Thanks for the video. I never knew that I can get the token from the class again. I always have written a custom parser for that. Thanks for showing that. Also l have a question. Instead of using DelegatingHandler for auth state, can't we use use the AuthenticationStateProvider for that as that also directly control the blazor AuthorizeView component
Yep - that's for a future video.
Where would you normally keep that JWT token? Keeping it in the session be easily found and decrypted to extract information from it.
Is there a way to keep it only in memory completely invisible (using WASM)?
It couldn't be decrypted, because the secret to decode it is kept on the server. Even if it could be decrypted, there's no sensitive information in there. The risk of having the JWT stolen is that it could be used to gain access to a secure server. Moreover, Session and Local storage are only available to the user of the machine, so are safe for a personal, password protected machine. On a public machine, however, they shouldn't be stored in Local storage, and the user should remember to close the browser to clear session storage. Storage in memory is safest, but least convenient.
Great stuff, thanks! Just moving from Angular to Blazor so this helps alot :)
huge help. i'll be implementing something like this. thank you
I am assuming that you're designing this for Client side and not Server side? If it's running server side you created your authorization service as a singleton, which from my understanding is global to ALL connected clients. Would that not mean the JWT token would be accessible to all the users since you are caching it in the Service?
Absolutely. This is Blazor WASM only.
thanks. is there any video for auth on blazor web server ??
I'll put it on the list.
Thanks
Can you add Refresh Token ?
Thanks
So many people asking for this. It's on the list
Also Maui Blazor Authentication with JSON Web Tokens
@@cissemy I'm not sure there's anything significantly different in MAUI Blazor than here.
@@CodingTutorialsAreGo Yes please for refresh token.
Thank you very much!!
Yes to download the code. Is this for .net 8 or .net 7?
This one is 7.
Thanks. This all makes sense to me, which in itself is a minor miracle!! Would there be a lot of difference if using Blazor Server rather than WASM?
Yes, it would be quite different for Server. I'll try to get round to doing a video on that.
@@CodingTutorialsAreGo thanks for the reply. I've just re-watched the Part 1 and Part 2 videos regarding securing the API itself. Very informative the way you added it to an existing project. If creating a new API and using one of the templates with Identity authentication/authorisation would that result in the same JWT token based system or is your approach different/enhanced/minimal compared to what MS gives you out of the box so to speak?
@@AthelstanEngland If you go for Microsoft Identity Platform for the authentication, then it uses JWTs, but they are issued by Microsoft, not by you application itself as I've done here.
@@CodingTutorialsAreGo hi and thanks for the confirmation. Yep, just this morning I decided to create a project using Identity Platform to see what happened and yep it wanted Azure login and all sorts. I deleted and went back to you videos!
Thanks
Is this the right way to do this?