.NET 8 "Blazor Web App" Authentication and AllowAnonymous #51101

oliverw · 2023-10-03T13:57:05Z

oliverw
Oct 3, 2023

I have implemented Azure AD B2C authentication in a .NET 8 "Blazor Web App" (the new hybrid-islands template). The default should be to require authentication for everything except Blazor Pages (not Razor Pages) whitelisted using: @attribute [AllowAnonymous] (I don't have @attribute [Authorize] in _Imports.razor). Global auth is enforced through the FallbackPolicy (see below).

Contrary to my experiments with Blazor Server in .NET 7. This actually works - kind of. The home page is indeed accessible as anonymous user, BUT all all CSS styles and Javascript is missing. I believe this is because according to my own debugging observations, even requests to static resource go through the DenyAnonymousAuthorizationRequirement handler added by the FallbackPolicy. Which flat out denies those requests if the user is authenticated. I have no real idea how to fix this or what the recommended approach is.

Program.cs:

var initialScopes = builder.Configuration["DownstreamApi:Scopes"]?.Split(' ');

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
        .EnableTokenAcquisitionToCallDownstreamApi(initialScopes)
            .AddMicrosoftGraph(builder.Configuration.GetSection("DownstreamApi"))
            .AddInMemoryTokenCaches();
builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

Home.razor:

@page "/"
@attribute [AllowAnonymous]

<PageTitle>Index</PageTitle>

<h1>Hello, world!</h1>

georg-jung · 2024-02-08T15:51:56Z

georg-jung
Feb 8, 2024

@oliverw Did you find a solution since?

1 reply

zacuke Feb 17, 2025

Remove the options.FallbackPolicy = options.DefaultPolicy; - but then you are responsible for adding [Authorize] attribute to all the necessary pages.

demayer · 2024-10-08T20:17:29Z

demayer
Oct 8, 2024

Same problem here.
Thinking it would narrow down the problem, I have reduced the web app to server-side only.
E.g. an AuthorizeView works fine, even with a Policy and Resource.
As soon as I add the @Attribute [AllowAnonymous] to the landing page, the app freezes. E.g. Button clicks don't fire anymore.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

.NET 8 "Blazor Web App" Authentication and AllowAnonymous #51101

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

.NET 8 "Blazor Web App" Authentication and AllowAnonymous #51101

Uh oh!

Uh oh!

oliverw Oct 3, 2023

Replies: 2 comments · 1 reply

Uh oh!

georg-jung Feb 8, 2024

Uh oh!

zacuke Feb 17, 2025

Uh oh!

Uh oh!

demayer Oct 8, 2024

oliverw
Oct 3, 2023

Replies: 2 comments 1 reply

georg-jung
Feb 8, 2024

demayer
Oct 8, 2024