Take a look at the new features for authentication and authorization included in .NET 9.0!
Read more…
Brought to you by @andrea.chiarelli
1 Like
Share your thoughts about these new features!
Hi Andrea, thanks for the article.
Just to be clear regarding Authentication State Serialization for Blazor Web Apps, does this mean we can simply delete the following classes from your .NET 8 example Syncing the Authentication State :
UserInfo
PersistingRevalidatingAuthenticationStateProvider
PersistentAuthenticationStateProvider
and simply replace them with the new serialization/deserialization methods, as per your article?
AddAuthenticationStateSerialization
AddAuthenticationStateDeserialization
Hi @grantcolley,
Yes! You can get rid of those classes and use the builtin ones
1 Like
Hi @andrea.chiarelli ,
Thanks for your great article.
When using an external API for credentials (with JWT) in a Blazor WebApp globally InteractiveAuto mode, I need to create a custom AuthenticationStateProvider to manage the authentication state. In this scenario, even when using AddAuthenticationStateSerialization and AddAuthenticationStateDeserialization, components in Interactive WebAssembly mode attempt to retrieve the authentication state from the GetAuthenticationStateAsync() method override in the CustomAuthenticationStateProvider. In other words, they do not utilize the deserialized persistent authentication state.
I read your article, ‘Add Auth0 Authentication to Blazor Web Apps,’ where you used Auth0. However, in my project, I intend to use an external API and JWT for credentials.
Do you have any suggestions or ideas on how to handle this?
Hi @mshahabfar,
Thank you for reading my article 
and welcome to the Auth0 Community!
Sorry, I’m not sure I correctly understand your question. Are you saying that AddAuthenticationStateSerialization and AddAuthenticationStateDeserialization are not working as expected? 
Also, is your application using InteractiveAuto mode or Interactive WebAssembly mode?
If you can share some code, I can try to help.
To call an external API, I suggest using the approach shown in this article.
Hi @andrea.chiarelli
Thank you for your reply.
I think I did not explain my problem clearly. Let me try to provide a more detailed and precise explanation.
As you know the Visual Studio 2022 Blazor WebApp sample template for Auto Interactive render mode with Individual Accounts as authentication type uses ASP.NET Core Identity. In this setup, it generates a set of pages in a static server-side rendering mode, also known as Prerendering mode, and utilizes ASP NET Core Identity classes such as SignInManager and UserManager to handle authentication. It does not create a custom AuthenticationStateProvider (as all related tasks appear to be handled internally). Instead, it uses AddAuthenticationStateSerialization() and AddAuthenticationStateDeserialization() to transfer the authentication state from Prerendering mode to Interactive rendering mode.
I want to use a similar approach but with an external (remote) API for authentication. This means my Blazor WebApp project will not include ASP NET Core Identity. Instead, I will retrieve a JWT from an external API when the user successfully authenticates. I would like to follow the VS template’s approach by keeping my login and register Razor pages in static server-side rendering mode and transferring the authentication state to Interactive rendering mode using the mentioned serialization methods.
But it seems that to manually notify the Authentication State change or also store a JWT in local storage or a cookie, I need to create a custom AuthenticationStateProvider. However, when my Blazor app is in interactive mode, it attempts to retrieve the authentication state from the overridden GetAuthenticationStateAsync() method in my custom provider, rather than using the already persisted state provided by AddAuthenticationStateSerialization().
Please review the sample project I have shared with you at the following link :
my sample project
Thank you for your assistance!
Hey @mshahabfar,
Thank you for providing additional context.
Honestly, this is a scenario I’m not used to. At a very first look, I assume you should be allowed to do this (i.e., build your custom authentication state and ask its serialization and deserialization), but frankly AddAuthenticationStateSerialization() and AddAuthenticationStateDeserialization() are pretty new and I don’t know if they have any limitations and/or bugs right now.
I would need to analyze and debug your code to see if there is something wrong with it and I hope to do it in the next few days.
However, I noticed a few things that left me puzzled in your Program.cs:
- Is this line working without specifying any middleware, authentication scheme or options?:
builder.Services.AddAuthentication();
-
Why are you calling both
AddAuthorizationCore()here andAddAuthorization()here? -
Why two different registrations of the same
CustomAuthenticationStateProviderclass (here and here)?
Not sure if they have an impact on the behavior of the code, but they don’t look like a standard approach.
Hey @andrea.chiarelli ,
Thank you for your time.
Like the official Visual Studio Blazor template, I want my login page to be in static server-side rendering mode (prerendering). One way to transfer the authentication state from prerendering to interactive rendering mode is by using the persisting component state. The Visual Studio template uses this approach with ASP NET Core Identity. However, they don’t provide samples demonstrating the use of an external API for this purpose (e.g., JWT).
In most cases, local storage is introduced as a solution, but this method doesn’t work for me because my login page exists only in prerendering mode. Therefore, I am looking for a way to adapt JWT-based remote authorization using the persisting component state approach. In Blazor 9.0, this process has been simplified with the introduction of AddAuthenticationStateSerialization() and AddAuthenticationStateDeserialization().
Yes, I am aware there are some issues in my sample code, but those sections are planned for a later step. At the moment, my focus is on finding a way to transfer the authentication state to the interactive rendering mode.
Thank you
I figured out my problem using the approach I intended. Now I can handle user authentication using an external API that returns a JWT (access token) upon successful authentication. The login Razor page of my Blazor WebApp project (in auto-rendering mode) is a static SSR page. The authentication state is then transferred to the interactive rendering mode using the new Blazor 9.0 APIs: AddAuthenticationStateSerialization() and AddAuthenticationStateDeserialization().
Here is my solution as a minimal repo, which demonstrates how these features can be implemented.
Awesome! Thank you for sharing @mshahabfar