8

I'm currently writing a (Server side) Blazor application that includes the default AzureAD Authentication.

This works well for authenticated users - challenging on the entrance (_Host.cshtml) file, redirecting and then back once authenticated.

I need to have a couple of pages not requiring authentication - I don't want the user being challenged and redirected to Microsoft.

What is the correct way to do this? I have experimented with the AllowAnonymousAttribute, the AllowAnonymousToPage razor pages options, nothing seems to stop the challenge.

Any help would be greatly appreciated!

Below is my setup for Authentication (ConfigureServices):

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(AzureADDefaults.AuthenticationScheme)
        .AddAzureAD(options => Configuration.Bind("AzureAd", options));

    services.AddControllersWithViews(options =>
    {
        var policy = new AuthorizationPolicyBuilder()
            .RequireAuthenticatedUser()
            .Build();
        options.Filters.Add(new AuthorizeFilter(policy));
    });

    services.AddRazorPages();
    services.AddServerSideBlazor();
    services.AddTelerikBlazor();
}

And then the appropriate part in Configure:

app.UseAuthentication();
app.UseAuthorization();

app.UseEndpoints(endpoints =>
{
    endpoints.MapControllers();
    endpoints.MapBlazorHub();
    endpoints.MapFallbackToPage("/_Host");
});
2 Answers

9

I found that what I had to do was add the following to _Host.cshtml:

@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

Once I did this authorization was no longer required on any of the pages by default and I could then add it to the pages where I wanted to require it.

For example if you wanted to secure the Counter.razor page just add an Authorize attribute to the top:

@attribute [Authorize]

So now if you try to access the counter page, you will get a Not authorized message.

If you want to remove the counter link when the user is not logged in modify the NavMenu.razor and surround the Counter link with an <AuthorizeView> </AuthorizeView> as so:

<AuthorizeView>
    <li class="nav-item px-3">
        <NavLink class="nav-link" href="counter">
            <span class="oi oi-plus" aria-hidden="true"></span> Counter
        </NavLink>
    </li>
</AuthorizeView> 

Ideally I would have liked to just opt out of authorization for the index page and have everything else secured by default but I could not find a way to get that to work. If I tried adding the @attribute [AllowAnonymous] to the Index.razor page it seemed to ignore it.


1 Comment

Thanks for your answer @LarryDev. I've discovered that removing the AuthorizeFilter (in Startup.cs), specifically the RequireAuthenticatedUser method, as this sets it site-wide, does the trick. Then simply put the AuthorizeAttribute on each Razor page (components aren't used in routing). This way the AllowAnonymousAttribute is not required on the _Host page.
2

First, you will need to disable authentication on all pages. This can be done by commenting the fallback policy out in "Program.cs".

builder.Services.AddAuthorization(options => 
{
    // By default, all incoming requests will be authorized according to the default policy
    //options.FallbackPolicy = options.DefaultPolicy;
});

Then, on your individual razor pages, add the following code:

<AuthorizeView>
    <Authorized>
        @*code for authenticated users here*@
        I am logged in
    </Authorized>
    <NotAuthorized>
        @*code for unauthenticated users here*@
        Please log in
    </NotAuthorized>
</AuthorizeView>

This will allow you to retain complete functionality of all components and functions within your app.

I do not recommend adding the following to your "_Host.cshtml" file, as this causes buttons and components to no longer function/display correctly:

@using Microsoft.AspNetCore.Authorization
@attribute [AllowAnonymous]

Hope this helps. I am using Blazor server with dotnet 6.

1 Comment

While this might work, I don't think the solution is proper - you're essentially saying unauthorized = anonymous - this is incorrect and will also cause a blowout in your code structure on the anonymous side.
