Is Razor's AuthorizeView-component dependent on the existence of a default authentication scheme?

Yakup Ipek 0

When a default authentication scheme is not provided during registration of the authentication service the user does not get authenticated, hence the items contained within the authorize-view-component do not get rendered.

Hence my question: Does authorization via the AuthorizeView-component only work when a default authentication scheme is provided?

My attempts to solve it differently, like calling RequireAuthorization on endpoints.MapBlazorHub() did break the logic of the AuthorizeView-component as the NotAuthorized component does not work in this case.

1 answer

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-10T17:30:32.74+00:00

the AuthorizeView component does not require authentication, it only display content based on the current state.

a Blazor app is a single http request. this request is either authorized or not, so the authorization state is the same for the life of the app. its either authorized or not. if you require authorization at startup it will always be authorized.

a typical scenario is the blazor app starts as not authorized. the AuthorizeView comports will show only public content. there should be a login option in the unauthorized content. when clicked, it redirects to the login page (unloading the blazor app). after a successful login, the login page redirects back to the Blazor app page. this reloads the Blazor app with an authenicated request. Now the AuthorizeView will display authorized content.

note: Blazor has added support to update the authentication state while running. so if using custom authentication, not oauth (which always requires a redirect), you should be able to login/logout without the unload. there is no built in support for this scenario (but AuthorizeView supports), and while a little complex is doable. Besides building Blazor components to login/login out you will need a custom AuthenticationStateProvider that the component call to update the authentication status.
Please sign in to rate this answer.
Yakup Ipek 0 Reputation points

2023-08-11T08:18:31.86+00:00

Thank you Bruce for your explanation.

can you provide me an example for where to configure the authorization for the single http request. For example doing it in the razor page _Host.cshtml via an attribute (providing the authorization policy - matching the one provided to the AuthorizeView-Component's Policy attribute) does not help, unless the authentication scheme required by the authorization policy is set as the default scheme.

I've checked the logs (in the scenario where the authentication scheme is not set as the default scheme, but the Authorize-Attribute is set in the _Host.cshtml razor page): initially the authentication succeeds, however subsequent rerendering (assuming initiated through the hub) fails, therefore I get to see the items placed into the NotAuthorized-component, so at a certain point subsequent rerenderings do not meet the policy's requirements (to be specific the DenyAnonymousAuthorizationRequirement)

Due to disclosure reasons I can provide you only these lines from the log, showing the rerendering:

[10:12:25 DBG] Begin invoke JS interop '2': 'Blazor._internal.attachWebRendererInterop' (Microsoft.AspNetCore.Components.Server.Circuits.RemoteJSRuntime)

[10:12:25 DBG] Created circuit dsI3vAzXwr0Ex7iXHusHvTQj3UppCJqNnpeJGd6Pldg for connection 3ULnz-1TqpdJ7ezHKH7o2A (Microsoft.AspNetCore.Components.Server.Circuits.CircuitFactory)

[10:12:25 DBG] Circuit initialization started. (Microsoft.AspNetCore.Components.Server.Circuits.CircuitHost)

[10:12:25 DBG] Opening circuit with id 'dsI3vAzXwr0Ex7iXHusHvTQj3UppCJqNnpeJGd6Pldg'. (Microsoft.AspNetCore.Components.Server.Circuits.CircuitHost)

[10:12:25 DBG] Circuit id 'dsI3vAzXwr0Ex7iXHusHvTQj3UppCJqNnpeJGd6Pldg' connected using connection '3ULnz-1TqpdJ7ezHKH7o2A'. (Microsoft.AspNetCore.Components.Server.Circuits.CircuitHost)

[10:12:25 DBG] Initializing root component 0 (...............) (Microsoft.AspNetCore.Components.RenderTree.Renderer)

[10:12:25 DBG] Rendering component 0 of type .............. (Microsoft.AspNetCore.Components.RenderTree.Renderer)

Could it be that the JS Interops require the default scheme?

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-11T18:54:17.3466667+00:00

With blazor server, the components builds the render tree on the server. It then uses jsinterop to send the render tree changes to the client, which updates the client render tree, then the dom.

you don’t explain your issue, but it’s probably not related to the render tree processing.

if you where using WASM then the AuthorizeView processing would be client side, but you are using server.

AuthorizeView just looks at HttpContext.User which is created before the blazor server app starts.

The AuthorizeView only supports one policy. If you have more than one policy, specify in the AuthorizeView. You can define an AuthorizeView for each policy.

Yakup Ipek 0 Reputation points

2023-08-12T14:27:18.3666667+00:00

thank you Bruce. I am getting to a point where I start to understand the logic of blazor.

I am just curious why in my setup the default scheme seems to be required.

For more context in my StartUp.cs I have the following line.

serviceCollection.AddAuthentication().AddCookie();

The razor component has a page attribute which leads the fallback page being rendered _Host.cshtml, within the fallback page I am being navigated to the razor component containting the AuthorizeView. The _Host.cshtml contains

@attribute [Authorize(Policy = "CookiePolicy")]

The CookiePolicy is being added through the

AuthorizationPolicy CookiePolicyBuilder= new AuthorizationPolicyBuilder() .RequireAuthenticatedUser() .AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme) .Build(); serviceCollection.AddAuthorization(options => { options.AddPolicy("CookiePolicy", CookiePolicyBuilder); });

So when I access the razor component the log file reports:

Microsoft.AspNetCore.Hosting.Diagnostics: Information: Request starting HTTP/1.1 GET https://....:.../...- - [13:31:51 INF] Request starting HTTP/1.1 GET https://....:.../... - - (Microsoft.AspNetCore.Hosting.Diagnostics) [13:31:51 DBG] The host '......' is excluded. Skipping HSTS header. (Microsoft.AspNetCore.HttpsPolicy.HstsMiddleware) [13:31:51 DBG] 1 candidate(s) found for the request path '/...' (Microsoft.AspNetCore.Routing.Matching.DfaMatcher) [13:31:51 DBG] Endpoint 'Fallback {*path:nonfile}' with route pattern '{*path:nonfile}' is valid for the request path '/...' (Microsoft.AspNetCore.Routing.Matching.DfaMatcher) [13:31:51 DBG] Request matched endpoint '/_Host' (Microsoft.AspNetCore.Routing.EndpointRoutingMiddleware) [13:31:51 DBG] AuthenticationScheme: Cookies was successfully authenticated. (Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationHandler) [13:31:51 DBG] Authorization was successful. (Microsoft.AspNetCore.Authorization.DefaultAuthorizationService) ... [13:31:54 DBG] Initializing component 12 (Microsoft.AspNetCore.Components.Authorization.AuthorizeView) as child of .... (....) (Microsoft.AspNetCore.Components.RenderTree.Renderer) Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Information: Authorization failed. These requirements were not met: DenyAnonymousAuthorizationRequirement: Requires an authenticated user.

So at the end I briefly get to see the content of the AuthorizeView (it recognizes the request as being correctly authorized), however after a few seconds the rerendering reports that the authorization fails.

I just dont understand the reason.

The following line just solves my problem, but this just confirms my assumption that the whole authorization process in razor component is dependent on the default authentication scheme.

serviceCollection.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();

Nevertheless, thank you Bruce.

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-15T20:08:35.01+00:00

if your app defines multiple schemes, than a request can have more than one active scheme. in this case you typically use policies to pick the scheme to authorize with. if you create a custom scheme like you are, you need to define a policy for it. as the AuthorizeView only supports one policy, you need to define its policy, in your case the custom one.

note: cookie and bearer token support have predefined schemes

Yakup Ipek 0 Reputation points

2023-08-16T12:04:59.27+00:00

Hi Bruce,

as you assumed I added multiple schemas so I used a policy to determine which schema to use, yet I am facing the same problem. I have created a small project in case I miss something, but I still face the same problem.

My Program.cs looks like this:

public static void Main(string[] args) { var builder = WebApplication.CreateBuilder(args); builder.Logging.AddDebug(); builder.Logging.AddConsole(); // Add services to the container. builder.Services.AddRazorPages(); builder.Services.AddServerSideBlazor(); builder.Services.AddSingleton<WeatherForecastService>(); var policy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().AddAuthenticationSchemes(CookieAuthenticationDefaults.AuthenticationScheme).Build(); builder.Services.AddAuthentication().AddCookie(); builder.Services.AddAuthorization(options => { options.DefaultPolicy = policy; options.AddPolicy("FooBla", policy); }); var app = builder.Build(); // Configure the HTTP request pipeline. if (!app.Environment.IsDevelopment()) { app.UseExceptionHandler("/Error"); } app.UseStaticFiles(); app.UseRouting(); app.UseAuthentication(); app.UseAuthorization(); app.MapBlazorHub(); app.MapFallbackToPage("/_Host"); app.Run(); }

The Login.cshtml:

@page "/login" @model BlazorApp1.Pages.LoginModel @{ }

The Login.cshtml.cs:

public class LoginModel : PageModel { public IActionResult OnGet() { var claims = new List<Claim> { new Claim(ClaimTypes.Name, "John Smith"), new Claim("sub", "John Smith"), }; var claimsPrincipal = new ClaimsPrincipal(new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme)); var authProperties = new AuthenticationProperties { IsPersistent = true, IssuedUtc = DateTime.UtcNow, ExpiresUtc = DateTime.UtcNow.AddHours(12), AllowRefresh = true, RedirectUri = this.Url.Content("~/"), }; this.HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, claimsPrincipal, authProperties); return this.LocalRedirect(this.Url.Content("~/")); } }

The _Host.cshtml

@page "/" @namespace BlazorApp1.Pages @using Microsoft.AspNetCore.Authorization; @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers @attribute [Authorize(Policy = "FooBla")] @{ Layout = "_Layout"; } <component type="typeof(App)" render-mode="ServerPrerendered" />

The App.razor

<CascadingAuthenticationState> <Router AppAssembly="@typeof(App).Assembly"> <Found Context="routeData"> <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" /> <FocusOnNavigate RouteData="@routeData" Selector="h1" /> </Found> <NotFound> <PageTitle>Not found</PageTitle> <LayoutView Layout="@typeof(MainLayout)"> <p role="alert">Sorry, there's nothing at this address.</p> </LayoutView> </NotFound> </Router> </CascadingAuthenticationState>

And the Index.razor

@page "/" <AuthorizeView Policy="FooBla"> <Authorized> <PageTitle>Index</PageTitle> <h1>Hello, world!</h1> Welcome to your new app. <SurveyPrompt Title="How is Blazor working for you?" /> </Authorized> <NotAuthorized> <h1>Not Authorized!!!!</h1> </NotAuthorized> </AuthorizeView>

I navigate at first to the /login page, so that the cookie gets created and afterwards the user gets redirected to the page /, where the Index.razor gets rendered.

The authorization succeeds initially, fails after that immediately.

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-16T22:09:37.8833333+00:00

HttpContext.SignInAsync() does not work with Blazor apps. the method is used to build a cookie and redirect for the current response. But the response of the HttpContext passed to a Blazor app has already completed, so it has no way to send the cookie and redirect to the browser.

to create the cookie, you need a MVC action or razor page your Blazor code can redirect to (unloading the blazor app), that creates the cookie and redirects back to the Blazor app (reloading the app). typically rather than trying to pass the credential to page via a query string, the external pages do the login.

create a blazor server app with individual accounts authentication. It will add the login pages to your site via a razor page library. you can then see how login works. hint, you can use scaffolding to generate custom pages rather the compiled ones in the library.

https://learn.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-7.0&tabs=visual-studio

it appears you are trying to have the blazor app host the login page and update the user principal rather than external razor pages. To do this you create a custom AuthenticationStateProvider service, and supply a backdoor method for the blazor code to call to update the user principal and claims. As you will also have a custom authentication provider (neither cookie or bearer), you may need a custom authentication scheme and add it as a policy.

Yakup Ipek 0 Reputation points

2023-08-17T13:17:27.4266667+00:00

Thank you Bruce.

I've created the blazor app with individual accounts authentication and scaffolded, so that I can inspect the login mechanism.

I've inspected the method call AddDefaultIdentity<IdentityUser> on github (https://github.com/dotnet/aspnetcore/blob/main/src/Identity/UI/src/IdentityServiceCollectionUIExtensions.cs) which was added through the project template in Visual Studio.

builder.Services.AddDefaultIdentity<IdentityUser>( options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores<ApplicationDbContext>();

On GitHub Microsoft defines the extension method as follows:

public static IdentityBuilder AddDefaultIdentity<TUser>(this IServiceCollection services, Action<IdentityOptions> configureOptions) where TUser : class { services.AddAuthentication(o => { o.DefaultScheme = IdentityConstants.ApplicationScheme; o.DefaultSignInScheme = IdentityConstants.ExternalScheme; }) .AddIdentityCookies(o => { }); return services.AddIdentityCore<TUser>(o => { o.Stores.MaxLengthForKeys = 128; configureOptions?.Invoke(o); }) .AddDefaultUI() .AddDefaultTokenProviders(); }

When I omit the DefaultScheme the whole authentication process fails. Applying the same steps I've mentioned earlier I can reproduce the exact same behaviour. Initially authorized, immediatelly afterwards the authorization fails.

I think that for the authorization logic to operate correctly I need to follow Microsoft's setup by specifying the default scheme.

So basically it's not a timing issue with the HttpContext I'd say, but more a (explicit) requirement of the framework.

I'd happy if you could share your thoughts.

Kind regards

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-17T18:39:41.86+00:00

say you have cookie and bearer schemes. the cookie scheme replies with a redirect when authentication required. the bearer token return a status 401.

when a request requires authentication, but no authentication is found, it needs to know which scheme to use to request authentication. in the typical cookie, bearer scenario, you create two policies. then for each endpoint you specify the policy. say bearer for api/json calls, and cookie for html pages.

see setting the defaults for different authentications actions (Signin, SignOut, Challenge)

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.authentication.authenticationoptions?view=aspnetcore-7.0

the DefaultUI() library uses SignIn and SignOut actions. these need to know which schema to use if its not the well known cookie scheme. if you want it to use a custom scheme, you need to update its settings so it knows about the custom scheme.

the AuthorizeView does not request authentication, it just loads components based on the authentication state.

again the HttpContext passed to a Blazor app is disconnected from any request/response. The blazor code can only read values from it.

Yakup Ipek 0 Reputation points

2023-08-18T08:58:34.25+00:00

Hi Bruce,

thank you for sharing your thoughts and the examples you provide.

You stated

when a request requires authentication, but no authentication is found, it needs to know which scheme to use to request authentication. in the typical cookie, bearer scenario, you create two policies. then for each endpoint you specify the policy. say bearer for api/json calls, and cookie for html pages.

By it needs to know, do you refer to the Microsoft.AspNetCore.Authorization.DefaultAuthorizationService or blazor app in general?

I understand that by specifying the default schemes the system knows which scheme to apply when no authentication scheme is provided. By using policies we can further define requirements, pass arguments to the requirements and so on.

I also understand now, that the HttpContext is not altered by blazor. The blazor app gets the HttpContext, at this stage the request either fulfills the AuthorizeView-components authorization requirements or not. If for instance the policy passed as an attribute to the AuthorizeView-component requires a cookie-authenticated user, then the http request passed to the loaded blazor app needs to fulfill this requirement in order for the user to be able to see the Authorized content of the AuthorizeView-component.

When I inspect the logs at debug level, I get to see the log messages regarding the render tree, hub calls, authorization attempts or RemoteJSRuntime. At several stages I encounter this log message

Microsoft.AspNetCore.Authorization.DefaultAuthorizationService: Debug: Authorization was successful.

This means that the Authorization service evaluates at certain stages the authorization state. Expired cookies can be detected and the authorization state can be updated which makes sense.

My hopefully final questions :)

Does the Blazor App evaluate the authorization state of the current circuit by calling the authentication handler?

If yes, does it know the authentication handler through the default schemes we set during configuration of the authentication service?

If yes, is there another way to let blazor know the scheme to use besides the argument we pass to the AddAuthentication method call through a literal or the action object we pass to configure the AuthenticationOptions instance?

If no, why are log messages with regards to the authorization produced?

Thank you :)

Bruce (SqlWork.com) 57,886 Reputation points

2023-08-22T18:16:36.57+00:00

the blazor app just looks at the Authentication state passed in the http context. if the blazor app supports unauthenticated access, which can load a component which requires authorization access, the navigation code needs the login redirect url. this is stored in the policies. so, it needs to know which policy to get the login url from. unless specified in the authorization attribute, it uses the default policy.

Yakup Ipek 0 Reputation points

2023-08-23T07:36:32.52+00:00

Thank you for your answer.

I'd appreciate it if you addressed my questions specifically. Your explanation is general which makes it hard for me to comprehend.

I'd be happy if you implemented a small project with the configuration I provided and then helped me to understand the log messages.
Sign in to comment

Share via

Is Razor's AuthorizeView-component dependent on the existence of a default authentication scheme?

1 answer