I have implemented many Blazor WASM ASP.NET Core hosted applications now for both Azure AD and Azure B2C authentication. I always implement security for this type of application now using the Backend for Frontend (BFF) security architecture and can remove the tokens from the client. This is also what I recommend. At present, no Microsoft templates exist for this and it takes too much effort to set this up every time I start a new project.
To fill this gap, I created two templates to speed up the development process:
The two separate Nuget packages were created, one for Azure AD and one for Azure B2C due to the restrictions and differences in the identity providers. Both packages use Microsoft.Identity.Web to authenticate and also use Microsoft Graph to access the profile data. I have included the typical security headers required using the NetEscapades.AspNetCore.SecurityHeaders Nuget package. The security headers and the CSP are setup ready for production deployment. (As best as Blazor allows)
Using the templates
You can install the Azure B2C template as follows:
dotnet new -i Blazor.BFF.AzureB2C.Template
and the Azure AD template with
dotnet new -i Blazor.BFF.AzureAD.Template
Then you can create a new project using the dotnet CLI
dotnet new blazorbffb2c -n YourCompany.MyB2cBlazor
or
dotnet new blazorbffaad -n YourCompany.MyADBlazor
You need to create the Azure App registrations for the applications as requires. If using Azure B2C, the user flow needs to be created. This is well documentation on the Microsoft.Identity.Web github repo. The Graph permissions also need to be added and configured in the app.settings.json. The app.settings.json have been configured with the values expected. Once all configured, you can run the application and also deploy this to an Azure Web App or whatever.
Each template implements an API call and a user profile view using the Microsoft Graph data.
If you have any comments, or ways of improving these templates, please create an issue or a PR in the github repo.
Links
https://github.com/damienbod/Blazor.BFF.AzureAD.Template
https://github.com/damienbod/Blazor.BFF.AzureB2C.Template
https://github.com/AzureAD/microsoft-identity-web
https://github.com/andrewlock/NetEscapades.AspNetCore.SecurityHeaders
Software Engineering 
This is awsome! Thank you so much for these templates – I’ll definately be sure to try them out
Thanks John
[…] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) […]
[…] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) […]
This is exactly what I needed, I don’t understand why this is missing from the Visual Studio templates.
Martin
Thanks Martin
[…] Azure Functions to access CosmosDB (Luis Beltran) Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… (Damien Bowden) How (and Why) You Should Use Speech-to-text (Sam Nasr) Templating HTML Emails in […]
[…] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… [#.NET #App Service #Azure #Azure AD #Azure B2C #dotnet #AzureAD #AzureB2C #Blazor #MicrosoftIdentity #OAuth2 #OIDC] […]
Thanks for the template! It would be great if you could explain why you recommend cookies instead of a token. Would you recommend this for all SPA apps that has a dedicated backend?
Hi Lars thanks,
yes, you can use cookies (Same site) and move the authentication to the trusted backend, this is what I recommend. BUT, for high load apps or cross domain with high load, I would still use tokens, this has more risk (tokens to rob in the client). The question is, which requirement is more important. I always try to use a dedicated backend for SPA now and move the security to the trusted backend. I can then authenticate the app as well and also add extra security features, if required. Azure does not support introspection or the revocation endpoint so you cannot invalidate the tokens, or logout an Azure SPA fully. BBF removes this problem.
greeting Damien
[…] Blazor WASM hosted in ASP.NET Core templates with Azure B2C and Azure AD authentication using Backen… […]
Thanks for the template, it really helps! I want to call several microservices via grpc from the BFF. What do you suggest for AuthN/Z? Do you recommend persisting the cookie to share between apps? https://docs.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-6.0
Thanks again!
Jon