Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backend for Frontend (BFF)

I have implemented many Blazor WASM ASP.NET Core hosted applications now for both Azure AD and Azure B2C authentication. I always implement security for this type of application now using the Backend for Frontend (BFF) security architecture and can remove the tokens from the client. This is also what I recommend. At present, no Microsoft templates exist for this and it takes too much effort to set this up every time I start a new project.

To fill this gap, I created two templates to speed up the development process:

The two separate Nuget packages were created, one for Azure AD and one for Azure B2C due to the restrictions and differences in the identity providers. Both packages use Microsoft.Identity.Web to authenticate and also use Microsoft Graph to access the profile data. I have included the typical security headers required using the NetEscapades.AspNetCore.SecurityHeaders Nuget package. The security headers and the CSP are setup ready for production deployment. (As best as Blazor allows)

Using the templates

You can install the Azure B2C template as follows:

dotnet new -i Blazor.BFF.AzureB2C.Template

and the Azure AD template with

dotnet new -i Blazor.BFF.AzureAD.Template

Then you can create a new project using the dotnet CLI

dotnet new blazorbffb2c -n YourCompany.MyB2cBlazor

or

dotnet new blazorbffaad -n YourCompany.MyADBlazor

You need to create the Azure App registrations for the applications as requires. If using Azure B2C, the user flow needs to be created. This is well documentation on the Microsoft.Identity.Web github repo. The Graph permissions also need to be added and configured in the app.settings.json. The app.settings.json have been configured with the values expected. Once all configured, you can run the application and also deploy this to an Azure Web App or whatever.

Each template implements an API call and a user profile view using the Microsoft Graph data.

If you have any comments, or ways of improving these templates, please create an issue or a PR in the github repo.

Links

https://github.com/damienbod/Blazor.BFF.AzureAD.Template

https://github.com/damienbod/Blazor.BFF.AzureB2C.Template

https://github.com/AzureAD/microsoft-identity-web

https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders

11 comments

  1. This is awsome! Thank you so much for these templates – I’ll definately be sure to try them out

  2. […] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) […]

  3. […] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) […]

  4. This is exactly what I needed, I don’t understand why this is missing from the Visual Studio templates.

    Martin

    1. Thanks Martin

  5. […] Azure Functions to access CosmosDB (Luis Beltran) Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) How (and Why) You Should Use Speech-to-text (Sam Nasr) Templating HTML Emails in […]

  6. […] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… [#.NET #App Service #Azure #Azure AD #Azure B2C #dotnet #AzureAD #AzureB2C #Blazor #MicrosoftIdentity #OAuth2 #OIDC] […]

  7. Lars Erik · · Reply

    Thanks for the template! It would be great if you could explain why you recommend cookies instead of a token. Would you recommend this for all SPA apps that has a dedicated backend?

    1. Hi Lars thanks,

      yes, you can use cookies (Same site) and move the authentication to the trusted backend, this is what I recommend. BUT, for high load apps or cross domain with high load, I would still use tokens, this has more risk (tokens to rob in the client). The question is, which requirement is more important. I always try to use a dedicated backend for SPA now and move the security to the trusted backend. I can then authenticate the app as well and also add extra security features, if required. Azure does not support introspection or the revocation endpoint so you cannot invalidate the tokens, or logout an Azure SPA fully. BBF removes this problem.

      greeting Damien

  8. […] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: