5

I am trying to create a basic User Management module in my software and I have followed this guide to create the module:

https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/hosted-with-identity-server?view=aspnetcore-5.0&tabs=visual-studio

I suppose this is the best practice recommended by Microsoft. However, I do not understand the following:

  1. Are parts of the Authorization Server-Side handled? I want to make sure no parts (or minimum) are server side rendered and authorization should mainly take place in the API calls since I am using Blazor WebAssembly. So I am wondering why we can specify .cshtml files etc, as I thought that was server-side rendered code.
  2. In the guide they are making several references to IdentityServer (seems to be a third party software component). The application I am building is a commercial one. Am I obliged to buy a license for IdentityServer? If yes, is there an Microsoft recommended free way to do the same thing?
  3. What is the difference between IdentityServer and IdentityServer4?
  4. What I am trying to do in the end is a Microsoft best practice module that lets an Admin creates and handle users that has different roles and that access to different part of the Blazor WebAssembly project. Maybe there is some other straight forward way to do this? What is the best practice today?
Smith5727
  • 402
  • 4
  • 15

1 Answers1

2

  1. Authentication and authorization should always be handled by the backend because the frontend can always be manipulated or emulated. If you follow these instructions, authorization will be fully handled by the server side. The login and logout functionality will redirect you to razor pages running on the server. When the user is authenticated, a JWT is created and sent to your Blazor application. This token can then be used to send authentication information along with subsequent HTTP requests. It's a bit tricky to get this approach up and running, but it works well.

  2. The identity server used in these examples is part of ASP.NET.

  3. IdentityServer and IdentityServer4 are referring to the IdentityServer that is included in ASP.NET.

  4. You may also use Cookie-based authentication and create a Web API to handle login/logout and provide user information. It is easy to set-up and to provide Blazor UIs for authentication. Make sure to have an encrypted connection when using this approach because you need to send login information via HTTP request.

    Anyway, I personally would stick to the Microsoft recommendations and use JWT.

Thomas Erdösi
  • 534
  • 3
  • 15