Active Directory and OAuth2 Authentication Providers in ASP.NET Core Blazor Applications

  • Oct 27, 2025
  • 10 minutes to read

This topic demonstrates how to extend your ASP.NET Core Blazor application with external authentication methods such as Windows Authentication and OAuth providers (Google, Azure, and GitHub).

Important

The Template Kit generates the code shown in this help topic when you create an application. Follow this article if you want to implement the demonstrated functionality in an existing XAF solution.

Prerequisites

Your application must use Standard Authentication. To enable Standard Authentication, select the corresponding option in the Template Kit when you create a new application or follow the steps in the following help topic to enable it in an existing application: Use the Security System.

If you want to disable Standard Authentication after you add other types of authentication, navigate to the YourSolutionName.Blazor.Server folder, open the Startup.cs file, and comment out the AddPasswordAuthentication method call:

```csharp
public class Startup {
    // ...
    public void ConfigureServices(IServiceCollection services) {
        // ...
        services.AddXaf(Configuration, builder => {
            // ...
            builder.Security
                // ...
                // .AddPasswordAuthentication()
                // ...
        });
        // ...
    }
    // ...
}
```

Windows Authentication

  1. In the MySolution.Blazor.Server\Properties\launchSettings.json file, set windowsAuthentication to true. You can also set anonymousAuthentication to false to hide the logon page and always use Windows authentication:

  2. In the MySolution.Blazor.Server\Startup.cs file, call the AddWindowsAuthentication method in the security builder to add Windows Authentication. You can also automatically create a user object with a predefined role when a user attempts to log on for the first time:

  3. You can specify a page to which unauthorized users are redirected. To do this, create a Razor component with the @page directive and specify its route in your Active Directory configuration:

See Also

Windows Authentication in ASP.NET Core

Google, Azure, and GitHub Providers

  1. Add the following NuGet packages to the ASP.NET Core Blazor application project (MySolution.Blazor.Server):

  2. In the MySolution.Blazor.Server\Startup.cs file, extend the default cookie-based authentication scheme with the following external schemes:

  3. In the MySolution.Blazor.Server\Services folder, create the CustomAuthenticationProvider class that implements the IAuthenticationProviderV2 interface:

  4. Navigate to the YourSolutionName.Blazor.Server folder. Register the CustomAuthenticationProvider class in the Startup.cs file:

  5. Register your application in the corresponding developer account and obtain the Client ID and Application Secret token:
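
The following added example (not DevExpress code) shows one way to attach external schemes to the existing cookie-based authentication builder in Startup.cs while keeping the Client ID and Application Secret out of source code. The `ExternalAuthSetup` class, the `Required` helper, and the `Authentication:Google:*` / `Authentication:AzureAd` configuration key names are assumptions. Only Google and Microsoft Entra ID are shown, using standard ASP.NET Core and Microsoft.Identity.Web calls.

```csharp
// Added example, not DevExpress code. The configuration key names and the
// ExternalAuthSetup/Required helpers are assumptions made for illustration.
using System;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Web;

public static class ExternalAuthSetup {
    // Reads a setting immediately. Option lambdas run lazily on first use,
    // so checking here makes a missing secret fail at application startup.
    private static string Required(IConfiguration config, string key) {
        var value = config[key];
        if (string.IsNullOrWhiteSpace(value)) {
            throw new InvalidOperationException(
                $"Configuration value '{key}' is not set. Supply it through user secrets, " +
                "environment variables, or a secret store, not a committed file.");
        }
        return value;
    }

    // Usage in Startup.ConfigureServices, on the builder that already
    // registers the default cookie scheme:
    //     authentication.AddExternalProviders(Configuration);
    public static AuthenticationBuilder AddExternalProviders(
        this AuthenticationBuilder authentication, IConfiguration config) {
        // Resolve credentials before registering any scheme.
        string googleClientId = Required(config, "Authentication:Google:ClientId");
        string googleClientSecret = Required(config, "Authentication:Google:ClientSecret");
        Required(config, "Authentication:AzureAd:ClientId");

        // Google (Microsoft.AspNetCore.Authentication.Google package).
        authentication.AddGoogle(options => {
            options.ClientId = googleClientId;
            options.ClientSecret = googleClientSecret;
        });

        // Microsoft Entra ID (Microsoft.Identity.Web package). Bind copies
        // Instance, TenantId, ClientId and ClientSecret from one section.
        authentication.AddMicrosoftIdentityWebApp(options => {
            config.Bind("Authentication:AzureAd", options);
            options.UseTokenLifetime = true; // see the Automatic Logoff section
        }, openIdConnectScheme: "AzureAD", cookieScheme: null);

        return authentication;
    }
}
```

During development, the values can be supplied with `dotnet user-secrets set "Authentication:Google:ClientSecret" "<value>"`, which stores them outside the project directory.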

Automatic Login

An XAF ASP.NET Core Blazor application automatically tries to log in the user if there is only one authentication method enabled and it is not password authentication. Automatic login is disabled if two or more authentication schemes are registered (for example, if you allow users to log in with either Google or GitHub), or if password authentication is enabled.

Automatic Logoff

If you use an OpenID provider (such as Microsoft Entra ID) to authenticate users, you can force the lifetime of an authentication session to match that of an ID token issued during the authentication process. Set the OpenIdConnectOptions.UseTokenLifetime option to true:

File: MySolution.Blazor.Server/Startup.cs

```csharp
// ...
public class Startup {
    // ...
    public void ConfigureServices(IServiceCollection services) {
        // ...
        authentication.AddMicrosoftIdentityWebApp(options => {
            // ...
            options.UseTokenLifetime = true;
        }, openIdConnectScheme: "AzureAD", cookieScheme: null);
    }
}
```

When you enable this option, users must re-authenticate after their ID token expires (after a user refreshes the browser tab). In the time period between the current session’s expiration and the next authentication, users can continue to interact with the application. Note that some features will not work if they require HTTP requests to the server. For example, images will not be loaded and dashboards may not respond to user interaction.

See Also

Deployment Recommendations for XAF Blazor UI Applications

Log File Generated in Azure

Access External Authentication Provider Actions

Actions for additional authentication schemes registered in AuthenticationBuilder are displayed below the Log In button. To customize these Actions, follow the steps described in this section.

  1. Navigate to the YourSolutionName.Module\Controllers folder and create a Window Controller.

  2. In the OnActivated method, get AdditionalLogonActionsController.

  3. Use the Actions property to access the collection of the Controller’s Actions.

  4. Navigate to the YourSolutionName.Blazor.Server folder and open the YourSolutionNameBlazorApplication.cs file. Override the CreateLogonWindowControllers method and add AdditionalLogonActionsCustomizationController to the collection of Controllers activated for the Logon window:

Localize External Authentication Action Captions

Edit the Localization->Captions->LogInWithActionCaption item in the Blazor Application Model to modify the localization value for the external authentication caption (“Log In with” in en-US localization):

The image below illustrates the result.

Note

In Blazor applications, an external authentication action caption contains the “Log In with” substring (or its localized version) only if a single action is available. Otherwise, only the external authentication method’s name is displayed.

See Also

Active Directory and OAuth2 Authentication Providers in WinForms Applications