Security and Authorization

Radzen provides security support out of the box. It relies on ASP.NET Core Identity and needs an MS SQL Server, MySQL, Oracle or PostgreSQL data source configured in order to persist users and roles.

The built-in security support provides the following features:

  • Login and registration of new users.
  • Optional email confirmation during user registration.
  • Ability to define custom user roles.
  • Specify the level of access for pages - everybody, authenticated users or members of a role.
  • Adding custom properties to the user entity.

Enable security

To enable security in Radzen, follow these steps.

  1. Click the security link at the top right corner (next to data).
  2. Select Default from the providers dropdown.
  3. Check the Auto generate pages for user and role management if you want Radzen to create login, register, user and role management pages.
  4. Pick an existing MS SQL Server, MySQL, Oracle or PostgreSQL data source from the available list. You will have to add at least one in order to use the security feature of Radzen.
  5. Click the Save button.

Specify the access of a page

When security is enabled, Radzen allows you to specify which users can access a page. If a user doesn't have access to a certain page, it will not appear in the application navigation. If the user enters that page's URL manually in the browser, he or she will see a generated unauthorized page.

  1. Click the edit button of any page.
  2. Pick the access level from the Access dropdown. The available options are:
    • Everybody - everyone can access this page - anonymous and authenticated users.
    • Authenticated - only users that have logged in can access that page.
    • Roles defined in the application - only members of the specified role(s) can access that page. If the application hasn’t been run or there are no roles defined yet you will only see Everybody and Authenticated.
  3. Click Save.

The least restrictive access level wins when the effective access rules are determined. For example, if a page is configured to be accessible to Everybody and to the Marketing role, it ends up accessible to all users.

In-Development security

During development you can use a special account for testing. Log in with admin as both username and password. This account is only available during development when the ASPNETCORE_ENVIRONMENT environment variable is set to Development. It also belongs to all roles defined by the application and has full access as a result.

After deployment the account is no longer available! Be sure to either allow user registration (done by default if you allow Radzen to generate security pages) or create at least one user account during development.

Adding roles

An authorized user can add roles from the Roles page accessible from the top right-hand application menu.

By default all authenticated (logged-in) users have access to the role management pages. Make sure you restrict access to those pages in production applications: create an Administrator role and allow only members of this role to access the role management pages.

Adding users

A Radzen application starts with no users apart from the development-only special admin account.

By default all authenticated (logged-in) users have access to the user management pages. Make sure you restrict access to those pages in production applications: create an Administrator role and allow only members of this role to access the user management pages.

There are two ways to add users to an application:

  1. By allowing user registration (enabled by default).
  2. Manually adding users from the Users page accessible from the top right-hand menu.

Extensibility

Enable security for the OData service generated by Radzen from your database

To apply security to the generated OData service (in Angular or Blazor WebAssembly applications) use the Authorize attribute and set AuthenticationSchemes to "Bearer" (for Angular applications) or "IdentityServerJwtBearer" (for Blazor WebAssembly applications).

By default the OData controllers are not decorated with the Authorize attribute. You can decorate them by using a partial class:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;

namespace [ApplicationName].Controllers.[DataSourceName]
{
    // For Blazor WebAssembly use [Authorize(AuthenticationSchemes="IdentityServerJwtBearer")]
    [Authorize(AuthenticationSchemes="Bearer")]
    public partial class OrdersController
    {
    }
}

The same partial class in Visual Basic:

Imports Microsoft.AspNetCore.Authorization
Imports Microsoft.AspNetCore.Identity

' For Blazor WebAssembly use <Authorize(AuthenticationSchemes:="IdentityServerJwtBearer")>
Namespace _
    <Authorize(AuthenticationSchemes:="Bearer")>
    Public Partial Class OrdersController
    End Class
End Namespace

or globally using Startup.OnConfigureServices:

using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.Authorization;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    partial void OnConfigureServices(IServiceCollection services)
    {
        // Require an authenticated user on every MVC controller, validated via the JWT bearer scheme.
        var policy = new AuthorizationPolicyBuilder()
        {
          AuthenticationSchemes = new [] {"Bearer"} // or "IdentityServerJwtBearer" for Blazor WebAssembly
        }
        .RequireAuthenticatedUser()
        .Build();

        services.AddMvc(options =>
        {
            options.Filters.Add(new AuthorizeFilter(policy)); // or options.Filters.Add(new CustomAuthorizeFilter(policy)); for Blazor WebAssembly
        });
    }

    /* for Blazor WebAssembly: applies the policy only to requests under /odata
    public class CustomAuthorizeFilter : AuthorizeFilter
    {
        public CustomAuthorizeFilter(AuthorizationPolicy policy): base(policy)
        {
            //
        }

        public override Task OnAuthorizationAsync(AuthorizationFilterContext context)
        {
            if(context.HttpContext.Request.Path.Value.StartsWith("/odata"))
            {
                return base.OnAuthorizationAsync(context);
            }

            return Task.CompletedTask;
        }
    }
    */
}

The same in Visual Basic:

Imports Microsoft.AspNetCore.Authorization
Imports Microsoft.AspNetCore.Mvc.Authorization
Imports Microsoft.Extensions.DependencyInjection

Public Partial Class Startup
    Partial Private Sub OnConfigureServices(ByVal services As IServiceCollection)
        Dim policy = New AuthorizationPolicyBuilder() With {
            .AuthenticationSchemes = {"Bearer"} ' or "IdentityServerJwtBearer" for Blazor WebAssembly
        }.RequireAuthenticatedUser().Build()
        services.AddMvc(Sub(options) options.Filters.Add(New AuthorizeFilter(policy)))
    End Sub
End Class
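Whichever of the two approaches above you choose, it is worth verifying that the OData endpoints really do reject anonymous callers once the application is built. The following integration test is an added example, not Radzen's generated code: it assumes an xUnit test project referencing the server project plus the Microsoft.AspNetCore.Mvc.Testing package, and `/odata/[DataSourceName]/Orders` is a placeholder for one of your real entity set URLs.

```csharp
using System.Net;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;

// Integration test against the generated server project. Assumes the test project
// references the server project (so Startup is visible), xunit and
// Microsoft.AspNetCore.Mvc.Testing.
public class ODataAuthorizationTests : IClassFixture<WebApplicationFactory<Startup>>
{
    // Placeholder route (assumption): replace with an entity set URL from your OData service.
    private const string OrdersUrl = "/odata/[DataSourceName]/Orders";

    private readonly WebApplicationFactory<Startup> factory;

    public ODataAuthorizationTests(WebApplicationFactory<Startup> factory)
    {
        this.factory = factory;
    }

    [Fact]
    public async Task AnonymousRequestIsRejected()
    {
        var client = factory.CreateClient();

        var response = await client.GetAsync(OrdersUrl);

        // Without the Authorize attribute (the generated default) this request returns
        // 200 and the data; with the Bearer scheme enforced it must challenge with 401.
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }

    [Fact]
    public async Task MalformedBearerTokenIsRejected()
    {
        var client = factory.CreateClient();
        client.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", "not-a-valid-jwt");

        var response = await client.GetAsync(OrdersUrl);

        // A token that fails validation must be treated the same as no token.
        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
    }
}
```

Run the test before and after adding the Authorize attribute: it should fail first and pass afterwards, which confirms the attribute is actually reaching the controller.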

Extend the application user

Shows how to add properties to the ApplicationUser and map them to a column in the AspNetUsers table.

Get the current user

Shows how to get the current user in server-side code and perform runtime security checks.

Custom password policy

By default, ASP.NET Core Identity requires that passwords contain an uppercase character, a lowercase character, a digit, and a non-alphanumeric character, and that they are at least six characters long. Please check the Custom security password policy article for more information on how to customize it.
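As an added illustration (not code from the Radzen article it links to), the policy is changed through `IdentityOptions` from the same `OnConfigureServices` partial method shown earlier on this page; the values chosen below are an assumed stricter policy, with the Identity defaults noted in the comments for comparison.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    partial void OnConfigureServices(IServiceCollection services)
    {
        // Configure<IdentityOptions> registered here runs after the AddIdentity call in the
        // generated ConfigureServices, so these values override the Identity defaults.
        services.Configure<IdentityOptions>(options =>
        {
            // Identity defaults, for reference: RequiredLength = 6, RequiredUniqueChars = 1,
            // RequireDigit / RequireLowercase / RequireUppercase / RequireNonAlphanumeric = true.

            // Minimum length is the setting that matters most against guessing;
            // 12 is an assumed value, pick the one your own policy requires.
            options.Password.RequiredLength = 12;

            // Rejects passwords made of one or two repeated characters (e.g. "Aa1!Aa1!Aa1!").
            options.Password.RequiredUniqueChars = 4;

            // Keep the character-class requirements the generated application already has.
            options.Password.RequireDigit = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireUppercase = true;
            options.Password.RequireNonAlphanumeric = true;
        });
    }
}
```

The policy is enforced by Identity's password validator on registration and password change, so existing accounts keep their current passwords until they are changed.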

Custom UserStore/RoleStore and UserManager

If the application needs custom security (e.g. the database has existing user and role tables) check this sample. It shows how to connect custom user and role tables with Radzen. The implementation is in CustomSecurity.cs.

Blazor WebAssembly IdentityServer API authorization

Security for client-side (WebAssembly) Blazor applications uses API authorization with IdentityServer. By default Radzen generates an IdentityServer development key in both server\appsettings.Development.json and server\appsettings.Production.json; if you want to change that, edit server\appsettings.Production.json before deploying your application.

Services authorization

Radzen can access services with the following authorization methods:

  • OData: HTTP Basic, OAuth, API Key and Azure AD

  • Swagger and Rest: OAuth, API Key

Custom query parameters are supported for both OAuth and Azure AD authorizations.