aspnetcore: Blazor Server Side AADB2C AllowAnonymous Not working in latest template
Is there an existing issue for this?
- I have searched the existing issues
Describe the bug
In the latest template for Blazor Server Side with Microsoft Identity platform, program.cs has:
```csharp
builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy
    options.FallbackPolicy = options.DefaultPolicy;
});
```
So now all pages will direct to login. However, if I want to define a landing page that doesn’t require login with `@Attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]`, it doesn’t work. Page still gets redirected to login.
Maybe this is related to https://github.com/dotnet/aspnetcore/issues/37064 and dotnet/aspnetcore#23157
cc: @guardrex per https://github.com/dotnet/AspNetCore.Docs/issues/24473
Expected Behavior
Pages marked with Attribute AllowAnonymous should not be redirected to login if not logged in
Steps To Reproduce
- Start a project with Blazor Server Side with Microsoft Identity Platform.
- Fill in all the required AADB2C configs.
- Launch the site to see if AADB2C is set up correctly. Clean up (logout).
- Go to index.razor or fetchData.razor and add `@Attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous]`.
- Launch site. It still requires AADB2C login on index.razor or fetchData.razor.
Exceptions (if any)
No response
.NET Version
6.0.100
Anything else?
No response
About this issue
- State: closed
- Created 2 years ago
- Reactions: 5
- Comments: 30 (6 by maintainers)
I guess it depends on your application, but it’s not easier if 99% of your app needs to be secured, and only a single page needs to allow anonymous.
Unfortunately my company had to skip Blazor because of this issue. As a CTO, I cannot afford to rely on “authorize everything + deny specific pages only” if you take security seriously.
Previously I’ve also offered help to fix this for .NET in general, but as you can see on the conversation history, it didn’t go well.
We’re looking forward to Blazor authentication story improvements. Until then, we’ll use other technologies.
@yandoldonov You can put the `@attribute [Authorize]` directive within an `_Imports.razor` file in the Pages directory and that way you would avoid having to set it on every page. That + AllowAnonymous on the _Host.cshtml should do what you want (I believe).