2

I'm trying to authorize all pages by default and allow anonymous access to the index page. But when I run my app the user is required to login to view the index page. I'm using Azure AB B2C for authorization in a Blazor Server .NET 6 project. Here is my Program.cs file. Can someone explain what I'm doing wrong?

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Identity.Web;
using Microsoft.Identity.Web.UI;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Web;
using BlazorB2C.Data;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAdB2C"));

builder.Services.AddControllersWithViews()
    .AddMicrosoftIdentityUI();

builder.Services.AddRazorPages(options =>
{
    options.Conventions.AllowAnonymousToPage("/Index");
})
    .AddMvcOptions(options => { })
    .AddMicrosoftIdentityUI();

builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddServerSideBlazor()
    .AddMicrosoftIdentityConsentHandler();

builder.Services.AddSingleton<WeatherForecastService>();

var app = builder.Build();

if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();

app.UseStaticFiles();

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

app.MapControllers();
app.MapBlazorHub();
app.MapFallbackToPage("/_Host");

app.Run();
Alex
  • 1,681
  • 2
  • 11
  • 18
  • 3
    Does this answer your question? [Require authorization on ALL Blazor pages](https://stackoverflow.com/questions/60687879/require-authorization-on-all-blazor-pages) – Adam Dunkerley Jun 03 '22 at 12:44
  • 1
    `options.Conventions.AllowAnonymousToPage` can only works for cshtml file. Be sure your Index is `Index.cshtml` instead of `Index.razor`. Reference: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/razor-pages-authorization?view=aspnetcore-5.0#allow-anonymous-access-to-a-page – Rena Jun 06 '22 at 08:45

1 Answers1

0

I believe the answer to this will lie in the fact that

builder.Services.AddRazorPages(options =>
{
    options.Conventions.AllowAnonymousToPage("/Index");
})

Is specifically for Razor Pages. So this does not work for, for example, MVC Controllers. I don't think MVC controllers have a direct fluent equivalent, but you can achieve the same effect with

[AllowAnonymous]
public IActionResult Index()
{
    return View();
}

There will probably be an equiavalent for Blazor (though I've never used it)

I think you should also be able to change the overall policy to a custom one if that met your goals more, replacing options.DefaultPolicy with your own custom policy

builder.Services.AddAuthorization(options =>
            {
                // By default, all incoming requests will be authorized according to 
                // the default policy
                options.FallbackPolicy = options.DefaultPolicy;
            });
Paul Devenney
  • 889
  • 6
  • 18