Azure ADlink

Radzen Blazor Studio allows you to easily add Azure AD security to your Blazor application. This allows you to:

• Application users can login via their Azure AD credentials.
• Application developers can implement authorization via Azure AD groups - allow members of certain groups to access certain pages.

Add securitylink

To add ASP.NET Core Identity security to your app:

1. Click the Add security button just above file explorer. This starts the Add Security wizard.
2. Pick Azure AD from the available options. Click Next.
3. Enter your Azure AD application details in the Configure Security step.

You can get the ClientID and TenantID of your application from the Azure Portal in App Registrations.

Add https://localhost:5000/signin-oidc as a Redirect URI in your Azure AD app registration. Remember to also register the final Redirect URI after deploying your application.

Also enable access and id tokens.

Important: user and role (group) management happens in the Azure portal. Radzen Blazor Studio does not generate login and user management pages for Azure AD security.

Specify page accesslink

When security is enabled Radzen Blazor Studio will allow you to specify which users can access a page. If a user doesn’t have access to certain page it will not appear in the application navigation. If the user enters that page URL manually in the browser they will see a generated unauthorized page.

By default pages created in Radzen Blazor Studio allow access to Everyone - both authenticated and anonymous users.

To specify who can access a page:

1. Create the groups in the Azure AD portal and assign them to users by following the official instructions.
2. Open the page in design mode.
3. Make sure no component is selected (which is by default). If there is a selected component click in an empty space in the page designer.
4. Pick Authenticated to allow only authenticated users to view this page (users that have logged in).
5. Type the name of the group that you want to have access to this page e.g. Administrator.

The code generated for this example is:

@attribute [Authorize(Roles="Administrator")]

Important: If you assign a group to a user make sure they log out fro the application and log in again to see the changes.

Secure controllerslink

Radzen Blazor Studio applications use various controllers to access data over HTTP - AccountController for login, registration, ApplicationUsersController and ApplicationRolesController to manage users and roles. Blazor WASM expose a database as a OData controller. By default only ApplicationRolesController and ApplicationUsersController disallow anonymous access.

To require authorized access you need to decorate the controllers with the Authorize attribute.

Allow authenticated userslink

To disable anonymous access and allow any logged-in user edit the controller code and add [Authorize] before the class declaration.

/* snip */
using Microsoft.AspNetCore.Authorization;

namespace [Namespace].Server.Controllers.[Database]
{
    [Authorize] // -> Allow any authenticated user. Disallow anonymous access.
    [Route("odata/Northwind/Orders")]
    public partial class OrdersController : ODataController
    {
      /* snip */
    }
}

Important: Do not add the Authorize attribute to the AccountController class as it will effectively disable login and registration.

Allow specific roleslink

To allow only certain roles specify the Roles property during decoration:

/* snip */
using Microsoft.AspNetCore.Authorization;
namespace [Namespace].Server.Controllers.[Database]
{
    [Authorize(Roles="Administrator,Sales")] // -> Allow only members of the Administrator or Sales role
    [Route("odata/Northwind/Orders")]
    public partial class OrdersController : ODataController
    {
      /* snip */
    }
}

APIlink

Radzen Blazor Studio generates a service called SecurityService and makes it available in all pages as the Security property. This service allows you to:

Get the current userlink

The User property is an instance of the ApplicationUser class.

var name = Security.User.Name;

Check if a user is a member of a rolelink

The IsInRole method checks if the current user is a member of the specified role(s).

var isAdmin = Security.IsInRole("Administrator");
var isUserOrAdministartor = Security.IsInRole("Administrator", "User");

Check if the user is authenticatedlink

The IsAuthenticated method checks if the current user is authenticated (has logged in).

var isAuthenticated = Security.IsAuthenticated();

Logout the current userlink

The Logout method redirects to the /Account/Logout action which logs the current user out and redirects to the login page.

Security.Logout();

Troubleshootinglink

The user is always redirected to the login page in productionlink

This could happen if:

• Your server does not have a SSL certificate installed or it is not valid (expired, misconfigured etc).
• The application is accessed over http and your server isn't configured to redirect automatically to https. Azure AD requires applications to work over https.

The user is always redirected to the login page in developmentlink

This could happen if there isn't a valid development certificate installed. You may also see the following exception:

The ASP.NET Core developer certificate is not trusted

Follow the official Microsoft documentation for further instructions.