Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
707 questions
How to Decouple Front-End from Back-End with Secure APIs for User Management in Blazor Web App (.NET 8)
Laurent Guigon
286
Reputation points
Hello,
I'm used to creating Blazor Web App projects in .NET 8 with "individual accounts" and interactive render mode set to Auto, with per-page interactivity. The advantage of this setup is that all the account management mechanics are scaffolded, requiring minimal adjustments to meet specific needs.
However, I now need to decouple the front-end from the back-end and use secure APIs, with one of these APIs dedicated to everything handled by Microsoft.AspNetCore.Identity. This API should ensure security across the application—offering all available services (scaffolding, etc.) when integrating account management into the Web App—and also secure other APIs (microservices).
Note: Initially, a single API will serve as the presentation layer for multiple services to avoid dealing with API gateways, as my team is not yet fully familiar with microservices architecture.
My issue is that I have never worked this way before and am not sure how to proceed. I have found many examples on YouTube, but none that closely match what I’m aiming to achieve. The MSDN documentation also hasn’t provided a concrete example for this setup.
Could you guide me on how to approach this? Ideally, I would like my "Users" project to be general enough to be reused in other applications, while also offering all the services, like page scaffolding, similar to what’s available when creating a web app with user accounts.
Thank you in advance.
{count} votes
-
AgaveJoe 28,536 Reputation points2024-10-31T15:31:51.84+00:00 The "individual account" template uses Razor Pages which is a server side application and technically decoupled from the front-end Blazor application that runs in the browser. The connection between the two applications is they share a domain. This allows the authentication cookie to work.
I think you want a separate Identity server that handles different types of clients. Logins for user-agents (browsers), authentication for code clients, and authorization for APIs.
Read the Identity Server documentation to see if that's what you're looking for. Unfortunately the new software is no longer open.
https://identityserver4.readthedocs.io/en/latest/
Other options are Azure
Authentication and authorization in Azure App Service and Azure Functions
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 66,226 Reputation points2024-11-01T01:26:23.4833333+00:00 as stated, individual accounts only supports frontend authentication via cookies. If the front end server is trusted it can call protected api services, typically via a service account. It can pass the user name as part of the payload, but the api must trust the frontend to verify.
In addition individual accounts is not designed to be a single sign on solution.
Oauth is the typical solution for api and sso.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 24%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETW%3C/text%3E%3C/svg%3E)
Tiny Wang-MSFT 2,731 Reputation points Microsoft Vendor2024-11-01T02:33:10.2333333+00:00 Hi Laurent, according to your description, you are about to migrate to "microservices architecture", we usually use SSO structure in this scenario as microservices architecture always means distributed hosting. It will bring trouble for ensuring consistency if we still use the cookie + session mode and that's why we usually use OAuth protocol. It requires an external identity platform to manage users and their sign-in state, as well as the credential (known as access token) for accessing APIs in different servers.
You also had a description "The advantage of this setup is that all the account management mechanics are scaffolded" so that please allow me to share Azure AD/Microsoft Entra ID with you. This is the identity cloud platform from Microsoft, all user management task are on the cloud instead of local database. If you are creating a Blazor server app in .Net 6/7, you can choose "Microsoft Identity Platform" instead of "Individual Account" to scaffold the codes for you. This option hasn't ready for .Net 8 blazor web app in VS 2022. However, if you are planning to work on .Net 8 Blazor web assembly app (microservices architecture always use a separate single-page application), VS 2022 also has this option.
Sign in to comment
Sign in to answer