Secure Whole App

[aherrick]

How can this security be tweaked so that the root WASM "App" cannot even load until the user has authenticated? Not just when visiting /fetchdata.

So on load if not authenticated auto redirect to authentication. Could this be something added to the docs?

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 9816eaee-5eff-c3c8-5d58-e2c02c760a00
• Version Independent ID: 60992d09-2a04-1d10-4c85-9642b20ff0e3
• Content: Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory
• Content Source: aspnetcore/security/blazor/webassembly/hosted-with-azure-active-directory.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @guardrex
• Microsoft Alias: riande

[guardrex]

Hello @aherrick ... Good ❓ ...

The only thing that I'm aware of today is to add ...

@using Microsoft.AspNetCore.Authorization
@attribute [Authorize]

... to all of your routable components. That should do the trick.

I tried it in a layout component, but that didn't work. It seems one would add it to all of their regular (Page folder) components. If the app is a hybrid RP/MVC with routable components, then one would do both: Set up a filter for the pages and views and set up the @attribute for all directly routable components. The unroutable components embedded in pages/views would go along for the ride with the filter on the pages/views.

I'm not aware of a global approach, since filters don't work for components.

I'm not aware if using the AuthorizeView component inside of the App component would work ... haven't tried it myself. If you want to try that, see if you can place it inside of <Found> and around the AuthorizeRouteView component or try wrapping the entire Router component with it. Report back if you try it and it 👍 or 💥. 👂

If the @attribute approach is correct, I think that we should call it out where it's discussed ...

https://docs.microsoft.com/en-us/aspnet/core/security/blazor/?view=aspnetcore-3.1#authorize-attribute

@aherrick, these issues are usually looked at on Fridays.

Artak, do you agree with my suggestion? ... or do you have a different (better) approach?

NOTE TO SELF Add the namespace to that @attribute [Authorize] section! 😈 Sneaky Code™️ 😈

[aherrick]

Hey @guardrex I believe I tried the AuthorizeView component inside and wasn't seeing that working.

The only thing I've seen working is to add @Attribute to each page, which I really don't want to have to do.

Hopefully others have some thoughts. Thanks!!

[guardrex]

Sure thing ... Artak will see this soon and let us know if he knows of anything else.

If not, I can at least document this approach as the way to go today.

[guardrex]

btw ... There's work going on for this for the ASP.NET Core doc set's general coverage at #18825. The cross-linked engineering issue addresses using the imports file to apply the attribute (instead of placing it into every component) and another approach using a fallback policy. When I get to this issue (hopefully not too far out), I'll see about addressing all of the available approaches.