Authentication works in Blazor Web Asm but not Blazor Server

Hugh Gleaves 1 Reputation point
2022-08-20T19:26:55.537+00:00

Any experts here on Blazor Server and authentication?
I have a test app with authentication that works fine as a Blazor WebAsm app and I want to replicate that in a Blazor Server app.
The core bits n pieces are in place and seem to get invoked, but no matter what I do, pages with @attribute [Authorize] are never accessible; they always behave as if the user is not authenticated. The auth is a custom operation where we simply pull a cookie by name and convert that to a JWT. This works fine in BWA but, as I say, not in BSA.

Here's the core of what is in the BWA Program.cs:

            builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
                   .AddJwtBearer(options =>
                   {
                       //options.Authority = "something";
                       options.TokenValidationParameters = new TokenValidationParameters
                       {
                           ValidateIssuer = true,
                           ValidateAudience = true,
                           ValidateLifetime = true,
                           ValidateIssuerSigningKey = true,
                           ValidIssuer = configuration["Jwt:ValidIssuer"],
                           ValidAudience = configuration["Jwt:ValidAudience"],
                           IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(configuration["Jwt:SecretKey"]))
                       };

                       options.Events = new JwtBearerEvents
                       {
                           // Take the JWT from the named cookie instead of the Authorization header.
                           OnMessageReceived = context =>
                           {
                               context.Token = context.Request.Cookies["lti_security_token"];
                               return Task.CompletedTask;
                           },
                       };
                   });

That same code seems to execute on the Blazor Server app (the lambda for example, gets hit when the site is accessed). But no matter what I do the checks for user being authenticated always show them as not authenticated.

For example, pages decorated with @attribute [Authorize] say the user is not authenticated, and this code in a page also says not authenticated:

@code {  
    private WeatherForecast[]? forecasts;  
  
    protected override async Task OnInitializedAsync()  
    {  
        forecasts = await ForecastService.GetForecastAsync(DateTime.Now);  
    }  
}  

Basically I grab a cookie and convert it to a JWT, works absolutely fine in Web Asm, can see the claims and everything fine.


1 answer

  1. Bruce (SqlWork.com) 55,601 Reputation points
    2022-08-22T15:33:33.247+00:00

    Blazor Server authentication does not use JWT. It uses standard Azure cookie authentication. If a login is required after the Blazor Server app is loaded via the SignalR connection, the Blazor Server redirects to the login page via JavaScript interop (unloading the Blazor app), the user logs in and is redirected back to the Blazor app. This time the Blazor app is loaded with the new credentials.

    Note: server Blazor just uses the HttpContext from the request to create the SignalR channel. This HttpContext is valid until the channel is closed. Blazor Server only uses JWT tokens if the application is going to call an external API that requires one.

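One way to wire up the cookie-based flow the answer describes, as an added example that is not code from the original thread: a hypothetical `/lti-login` endpoint validates the `lti_security_token` JWT with the question's validation settings, then signs the user in with the cookie scheme so the circuit starts with an authenticated `HttpContext.User`. The endpoint path, the .NET 6 minimal-hosting layout with implicit usings, and a reference to the System.IdentityModel.Tokens.Jwt package are assumptions.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddRazorPages();
builder.Services.AddServerSideBlazor();
// Cookie scheme: the auth cookie travels with the request that opens the SignalR channel.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => { o.Cookie.HttpOnly = true; o.Cookie.SecurePolicy = CookieSecurePolicy.Always; });
builder.Services.AddAuthorization();
// Same validation settings as the JwtBearer options in the question.
var jwtParams = new TokenValidationParameters
{
    ValidateIssuer = true, ValidateAudience = true,
    ValidateLifetime = true, ValidateIssuerSigningKey = true,
    ValidIssuer = builder.Configuration["Jwt:ValidIssuer"],
    ValidAudience = builder.Configuration["Jwt:ValidAudience"],
    IssuerSigningKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SecretKey"]!))
};

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // must run before the hub and pages are reached
app.UseAuthorization();
// Hypothetical endpoint: validate the JWT cookie once, then issue the auth cookie.
app.MapGet("/lti-login", async (HttpContext ctx) =>
{
    var token = ctx.Request.Cookies["lti_security_token"];
    if (string.IsNullOrEmpty(token)) return Results.Unauthorized();
    try
    {
        var principal = new JwtSecurityTokenHandler().ValidateToken(token, jwtParams, out var validated);
        // The cookie session must not outlive the token it was derived from.
        var props = new AuthenticationProperties { ExpiresUtc = validated.ValidTo };
        await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, props);
        return Results.Redirect("/");   // fixed target, no caller-supplied return URL
    }
    catch (Exception e) when (e is SecurityTokenException or ArgumentException)
    {
        return Results.Unauthorized();   // bad signature, issuer, audience, lifetime or format
    }
}).AllowAnonymous();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");
app.Run();
```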