33

I am playing with Blazor and created a web app that is server hosted. I have to put an authorize line on top of the page like this @attribute [Authorize] to ensure the user is logged in.

It seems like I have to add this line to each page individually. Is there a global setting that protects ALL the pages in the app, except for the login page of course.

Uwe Keim
  • 39,551
  • 56
  • 175
  • 291
Franky
  • 1,262
  • 2
  • 16
  • 31
  • Can't you just put your Authorize component in the Layout Page? The default MVC login system doesn't use that layout page, I'm pretty sure. – Bennyboy1973 Sep 10 '21 at 09:47

3 Answers3

46

I believe that will work... Place the following code snippet in the _Imports.razor file

@using Microsoft.AspNetCore.Authorization
@attribute [Authorize]

In that case, when the Index page is hit, the user will be redirected to the Login page. If you want to perform authentication before the Blazor App is being render, add the code snippet from above in the _Host.cshtml file

Add the @attribute [AllowAnonymous] to specific pages you want to exculde from authentication, as for instance, the Index page.

enet
  • 41,195
  • 5
  • 76
  • 113
  • Wow, that worked! Never would've thought to add it to the _imports file. Thanks! – Franky Mar 15 '20 at 01:17
  • Awesome, I was about to look for a solution for this also. – bitshift May 29 '20 at 20:29
  • @Sebazzz, how do you know it doesn't work ? Did you try it? No, you didn't ! Did you read the comments above yours ? Just for the records, a page must always be a component. – enet Feb 01 '21 at 16:13
  • 1
    Its an old thread and it's working fine for the situation asked. But I am curious to ask a follow-up questions here. Is it possible to dynamically add Authorize attribute in _imports.razor? Because we don't want authentication to enable in development environment. I couldn't ad any @code block inside _imports.razor – Jaish Mathews May 16 '21 at 17:43
  • 1
    This won't work unless you also add @attribute [AllowAnonymous] to the Authentication.razor page. Reference here: https://github.com/dotnet/AspNetCore.Docs/issues/20689 Please update the answer to include this information! – chrisbuttacavoli Mar 30 '23 at 19:20
7

You can do this by adding a authorization fallback policy :

services.AddRazorPages();

services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

The fallback authentication policy requires all users to be authenticated, except for Razor Pages, controllers, or action methods with an authentication attribute.

That means that you can use the attributes for Example @attribute [Authorize] (attributes) to customize Authentication and Authorization.

Silvan
  • 285
  • 3
  • 10
2

Edit: I actually found a problem with the first solution where it would not allow me to have any endpoint or page that did not require authorization. I did find this link and it works like a charm.

I was looking for a solution for this myself and found the following link. So far it seems to work as expected.

New solution:

//RedirectToLogin
@inject NavigationManager NavigationManager
@code{

protected override async Task OnInitializedAsync()
{
    var returnUrl = "~/" + NavigationManager.ToBaseRelativePath(NavigationManager.Uri);
    NavigationManager.NavigateTo($"Identity/Account/Login?returnUrl={returnUrl}", forceLoad:true);
}

//App.razor
<AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
    <NotAuthorized>
        <RedirectToLogin />
    </NotAuthorized>
    <Authorizing>
        <p>Authorizing...</p>
    </Authorizing>
</AuthorizeRouteView>

//this in the page I want authorization for
@attribute [Authorize]

Old solution: I put the following in my ConfigureServices:

// Add a default AuthorizeFilter to all endpoints
services.AddRazorPages()
    .AddMvcOptions(options => options.Filters.Add(new AuthorizeFilter()));
Beathan
  • 21
  • 3