Introduction To Blazor Authentication in .NET 8

  • Published: 26 Dec 2024

Comments • 63

  • @codeDotnet
    @codeDotnet 10 months ago +1

    You're welcome! I've been searching for someone to explain this to us for a while. Keep explaining thoroughly. Thank you very much again.

  • @enmingwang6332
    @enmingwang6332 7 days ago

    Great tutorial!
    I noticed that in your demo application it showed ApplicationUser rather than the default IdentityUser. Was the ApplicationUser inherited from IdentityUser with some custom fields? If that was the case, did you have to manually update every IdentityUser to ApplicationUser in all generated identity-related files under the Account folder, such as IdentityComponentsEndpointRouteBuilderExtensions, etc.? I am trying to figure out how to create a custom ApplicationUser by inheriting from IdentityUser in a Blazor app, which led me to your video.

  • @yatlor
    @yatlor 10 months ago +1

    Thanks for this video. Auth is one topic that I've struggled with the most in trying to start a new real world project. Your explanations are super helpful! Especially since we have the need to have multiple apps share the same set of users.

  • @ilFusta
    @ilFusta 9 months ago +1

    Thank you for the video, always very informative! What if I have a custom user table coming from a legacy project that I want to use in the Blazor server app? Let's say the table has just username, password and a Role in it without even the email. Is it possible to use the default implementation just by overriding some parts, and in that case which ones? Or do I have to create my custom Authentication from scratch?

  • @Dinesh2826
    @Dinesh2826 10 months ago +1

    Given that the .net 8 blazor auth covers so much
    would you recommend using this out of the box setup over doing it from scratch like you previously did with the .net 6 blazor auth?

  • @REDnWHITEnGREY
    @REDnWHITEnGREY 3 months ago

    How would we show a countdown timer before the session terminates? Say at like 10 seconds left

  • @Yozik2
    @Yozik2 10 months ago +2

    When the authentication and authorization infrastructure are implemented in the blazor web app, then we are forced to develop the whole business layer within the same blazor web app. Things get complicated when I want to separate the blazor web app from the logic and move the logic into a separate web api service. I've tried the jwt approach but I can't see how it can work with the authorizedview tags in Blazor. Plus the jwt has its flaws that you don't have a simple logout implementation

    • @Codewrinkles
      @Codewrinkles 10 months ago

      I'm not sure why you want to do this. It makes no sense to use an API with Blazor. Also cookie based auth is in my opinion safer than jwt auth. Can you please give some context on why you want an API and jwt so badly?

    • @Yozik2
      @Yozik2 10 months ago

      @Codewrinkles because my Blazor app might be only one among other types of clients that will consume my system. Perhaps I'd like to add a mobile client or allow a 3rd party to consume my web API.

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      "Perhaps I want a mobile app or to expose an API"... that's usually not a perhaps. That's a clear business requirement from the beginning in 99% of the times. I worked last 8 years developing enterprise apps and it never happened to me that these requirements just pop up. Also literally never did we need to expose an API publicly. What I'm trying to say is that you seemingly base some decisions on edge cases and try to make this a general approach. Instead the general approach should be to not use APIs, except only for the cases where it's really needed. If we did buy a hammer (API dev knowledge) we shouldn't see everything around as a nail.

    • @zejwier5442
      @zejwier5442 10 months ago +1

      @Codewrinkles It's possible that you are talking about two different use cases. In big corporations you may have a single-use-case app that you know what it will do from the beginning due to a defined user base (internal apps), but for example when you are starting a brand new product (startup idea) and you still don't know what its possibilities will be (when implementing lean management methodology) it's crucial to have that flexibility for change and decoupling. I think that you shouldn't be locked down or be discouraged from using a product like Blazor in different use cases than enterprise, especially when looking at .Net problems with adoption by new developers and companies.

    • @CalvinMasindi
      @CalvinMasindi 9 months ago

      @Codewrinkles I think to share the same API with multiple platforms.

  • @waleedbensumaidea3947
    @waleedbensumaidea3947 9 months ago

    Can you clarify how the RevalidatingServerAuthenticationStateProvider passes the authentication state to the client in the template with individual accounts and interactive auto?

  • @realsk1992
    @realsk1992 10 months ago

    When we have a global Authorize attribute, what other pages in the Account area would need an AllowAnonymous attribute?

  • @3rd_Century
    @3rd_Century 10 months ago +2

    Thank you. This makes it easier to understand.

  • @robertpurpose
    @robertpurpose 9 months ago

    Any link to the example you went over in the video?

  • @majormartintibor
    @majormartintibor 10 months ago +4

    Great video, thanks for this.
    Just out of curiosity, have you considered trying Azure AD B2C for authentication/authorization?

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      Well, Yes. But for now, the next video on Wednesday will be about how to add Google Authentication to Blazor SSR and what possible problems you could encounter. I think I'll try to go through working with most of the major IdPs and do some videos on that. But that will also depend on how good these videos will perform. If I see that there is not enough interest in these topics, I will probably look elsewhere with my content.

    • @majormartintibor
      @majormartintibor 10 months ago +1

      @Codewrinkles I think you are doing us all a huge favor with your work. Authentication/Authorization is a key problem. I am looking forward to all of your videos on this topic.
      Also I think Authorization/Authentication is not a pick one solution and that will work for all scenarios issue. It is great to have multiple options available. With that being said, I think Azure AD (or now Entra ID) is a great tool you want to have in your toolbox, especially if you want to use Blazor in an Enterprise environment.

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      Well, for the first 2 hours after upload this is my second worst performing in the last 365 days :)) So it seems it's not a topic that would raise interest. Let's see how the next one on adding google authentication will perform.

    • @samjohnson5203
      @samjohnson5203 10 months ago

      Do Blazor videos tend to do worse than API videos? I imagine there would be more interest in the latter since it is less specific. Personally I'm interested in how someone with more knowledge than me would implement Azure Entra as an IdP in a Minimal Web API project, along with exposing admin functionality for inviting users to a tenant & modifying user claims, etc.
      Thanks for the videos!

    • @browaruspierogus2182
      @browaruspierogus2182 10 months ago +1

      yes - I hear it from contractors recently however MS gave us here ready to go solution included with the templates
      Seems like ADB2C is much more straightforward for intra and internet domains within larger complex networks

  • @goditto5694
    @goditto5694 6 months ago

    Thank you for your video. But may I know why, with the default project setup (interactive server, individual identity), the session cookie is still alive when I just close the tab or web browser? When I open the home page again, it shows the same login condition as before?

  • @Drougar108
    @Drougar108 10 months ago

    This is a constant issue for me when trying to search for information about this part. Like yes I can create the authorization at this point, and I have all that but I am really confused about how to use the cookie data to track which user is logged in...
    I'm a student so this is a student question really..
    But in the web app that we are making, in Blazor we need to make a site for a car rental company, and I'm just curious of how I keep track of the logged in user, like I want to see only the logged in user's orders and order history, I want to be able to click on a car and be sent to a booking site where we can just click the rent car and have the logged in user's information already inserted in the form except for the period of which the car should be rented.
    It's a piece of information that seems really hard to find for some reason...

  • @RicardoYanezColina
    @RicardoYanezColina 9 months ago

    How do you handle 500+ claims for user permissions to avoid the header size limit? I'm currently working on a similar project and would love to hear about different strategies or experiences from the community. Any insights or advice would be greatly appreciated!

  • @codecell
    @codecell 10 months ago

    The ValidateAuthenticationStateAsync in the RevalidatingAuthenticationStateProvider in 8.0.X is never called, why?

  • @Tymonello
    @Tymonello 10 months ago

    So now we can use that Identity User Accessor and we don't need to do the whole initial state and downloading everything from httpcontext only at the start of the application? Or does this only work for SSR and on SS we still need the old way?

  • @GewiSC
    @GewiSC 10 months ago

    Is there a possibility of adding roles to this authentication? If so, how would you go about adding roles?

  • @helshabini
    @helshabini 7 months ago

    Is there a way to ONLY use external authentication in this type of project? I simply have a single IDP that I need to authenticate against with OIDC. I've managed to accomplish that but I have two problems: 1- Is there a way to implement refresh tokens? 2- Logout is broken. It just won't remove the cookie no matter what I do. A tutorial on how to do that would be greatly appreciated.

  • @mustafagamer7358
    @mustafagamer7358 10 months ago

    Hello, I'm new to the Blazor framework. I created a project of type Blazor web app with dotnet 8, which includes both server and client projects, and I added authentication and authorization with JWT bearer and I save the token in the browser, but I am encountering a problem when I refresh a component with the Authorize attribute: it gives error 401 unauthorized while on initialization of the component I retrieve the authentication state but it gives 401. And btw the render mode on the component is interactiveServer with prerender false, so can anyone help me with this problem 🙏

  • @tapesteer
    @tapesteer 8 months ago +3

    It would be really helpful if you would provide a GitHub link in the video descriptions. A lot of times it's easier to understand when you can freely scroll through the code.

    • @jasonli2
      @jasonli2 2 months ago

      I could go through the entire codebase 3 times within the length of this video........but that means no ads n profit for the author..it's inevitable that the github link will never be posted.

  • @Angelrush91
    @Angelrush91 6 months ago

    Hi, how would you go around publishing this application and still use this way of login, do I need to migrate the user db context?
    Great video, have been looking for something like this!

  • @abdoha6227
    @abdoha6227 7 months ago

    Why not from within Visual Studio Identity Management? Everything is ready

  • @alpachinois
    @alpachinois 9 months ago

    Do you have any tutorial for blazor web app with mix interactivity and keycloak?

    • @amarspahic414
      @amarspahic414 9 months ago

      Did you find any tutorial?

  • @andresbeltran5779
    @andresbeltran5779 10 months ago

    Excellent video. I don't understand well the email thing. When I want to implement a real email confirmation, I overwrite the IdentityNoOpEmailSender class and that's it?

    • @Codewrinkles
      @Codewrinkles 10 months ago +3

      No, you just implement the interface in your own class with the real thing.

  • @sinandoganli
    @sinandoganli 10 months ago

    The biggest problem of this structure is the SSR and cookie issue.
    It is not possible to use any component that uses interactiveserver mode on the login and registration pages, which causes various problems.
    Another problem is this; Since the pages in the account section are SSR, we can use cookies, and for example, after writing any information of the logged-in member into the cookie, we cannot access this cookie from other Blazor components.
    As an alternative, I tried using ProtectedLocalStorage, but it does not allow writing any information to ProtectedLocalStorage after the user logs in.
    Even if we solve this problem by adding a component and directing the user here, deleting the contents written to ProtectedLocalStorage in the logout section is still a problem.

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      I'm not sure why this is a problem. In my opinion that's exactly how modern Blazor apps should be written: most of the components should be SSR. You just add interactivity where you need to peak into button clicks and other such events.

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      Also, you can access the cookie via the HttpContext.Identity in every single SSR component. Page components in Blazor should all be by default SSR in my opinion.

    • @sinandoganli
      @sinandoganli 10 months ago

      I think I explained it wrong.
      For example, let's go with the default template.
      Let's imagine a recaptcha component running in interactiveserver mode, we cannot add it to the login or registration page.
      Or let's imagine a scenario like this: We want to temporarily keep some information of the logged in user in a session and use it on all pages.
      We cannot do this in this template. (at least I tried but couldn't) @Codewrinkles

    • @Codewrinkles
      @Codewrinkles 10 months ago

      For the recaptcha I think you can model it as a form post similar to how the login button for external providers is implemented. Create a minimal api endpoint for it and do a redirect with all the info already on the page. It's just an initial idea, I'm not sure if it's accurate. But I think going in this direction would help to solve such problems.

    • @Codewrinkles
      @Codewrinkles 10 months ago +4

      I will investigate this myself after my vacation and will probably create a video with my findings.

  • @JPScerri
    @JPScerri 6 months ago

    Thanks for the EXCELLENT video explaining .Net 8 Blazor Authentication. You make it feel so simple!
    But I need to go a bit further. I have 3 applications and need to have a common Login Authentication and need to jump from one app to another. If I logout from one app then it has to logout on the others too (the same way you explained on the different tabs). How can I achieve this please?
    JP

  • @aziznouigues3506
    @aziznouigues3506 10 months ago

    Why are we not receiving an email?

  • @adam-xt8te
    @adam-xt8te 1 month ago

    It's awesome that this code works as SSR and no connection is made (Server) and no data downloaded (WebAssembly) during Authentication/Authorization process

  • @techreviews-j1o
    @techreviews-j1o 10 months ago

    Hi, I like what you are doing.
    Please, I have a question.
    I have an API that handles generating authentication with JWT access token, and all my logic is in this API. I want to use Blazor as frontend with rendermodeAuto, how to use the JWT in this case?
    For WASM I have no problem, but with Blazor RenderModeAuto I am lost.
    Thank you

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      Do you use the API only for authentication purposes? I think I would want to get rid of the API entirely and handle auth through Blazor SSR. I am personally against the idea of using Rendermode Auto. I'm not sure if it's wrong or not. But my approach is to keep everything as much SSR as possible. And when I need interactivity, I add InteractiveServer since I think it's overkill to have another project just to serve as a host for the WebAssembly stuff.

    • @techreviews-j1o
      @techreviews-j1o 10 months ago +1

      @Codewrinkles Not just for authentication but also for business logic, Blazor is just for frontend, no logic.

    • @philipatha
      @philipatha 9 months ago

      @Codewrinkles that approach just doesn't scale.

  • @browaruspierogus2182
    @browaruspierogus2182 10 months ago

    hi - can we get the code? thanks

    • @Codewrinkles
      @Codewrinkles 10 months ago

      Codewrinkles ambassador members and higher get access to the source code. Make sure to get the membership and then go to the "Membership" tab on the channel and you will find instructions on how to get the source code.

  • @simond3752
    @simond3752 10 months ago

    Thank you for your Video. I would like to inform you, that the RevalidatingServerAuthenticationStateProvider doesn't work in Blazor 8. You opened the other session in the same browser in the second Tab. But please, open the other session in different Browser (Firefox, Edge). You will see, that the logout doesn't change anything in the other session. ValidateAuthenticationStateAsync is not called.

    • @oscar92-t7p
      @oscar92-t7p 10 months ago +1

      It works only in the same instance of the browser window, is the same effect if you open a private or anonymous browser window. That’s the expected behavior.

  • @sergenalishiwa9097
    @sergenalishiwa9097 9 months ago

    This playlist needs role management.

  • @olanrewajusaka3991
    @olanrewajusaka3991 10 months ago

    First to like and first to comment ...master

    • @Codewrinkles
      @Codewrinkles 10 months ago +1

      You were really fast. Hope you find this video useful!