.NET 8: What's New for Authentication and Authorization

Let’s explore the new features brought by .NET 8 to support authentication and authorization in your applications.

Brought to you by @andrea.chiarelli

Great summary. It was very helpful. Thank you!

1 Like

The article is very useful, especially the section on simplifying custom authorization policies. The official article still refers to the previous method of creating AuthorizeAttribute, IAuthorizationPolicyProvider, IAuthorizationRequirement, and AuthorizationHandler<> (source: Create an ASP.NET Core app with user data protected by authorization | Microsoft Learn).

I’m confused about the description of the built-in login page in a Blazor app. The article says: “Instead, they are Razor components, and the user authentication and management is performed by using the Identity API endpoints.”

However, when I create a new Blazor Web App using the command “dotnet new blazor -au Individual”, I noticed that “Components/Account/Pages/Login.razor” uses the code below to create the user, instead of calling the API endpoints.

    public async Task LoginUser()
    {
        // This doesn't count login failures towards account lockout
        // To enable password failures to trigger account lockout, set lockoutOnFailure: true
        var result = await SignInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: false);
        if (result.Succeeded)
        {
            Logger.LogInformation("User logged in.");
            RedirectManager.RedirectTo(ReturnUrl);
        }
    }

Could you please explain more here? Thanks.

BTW, in the new Blazor Web App created with the dotnet new blazor -au Individual command, I see that the calls to app.UseRouting() and app.UseAuthorization() are missing compared to a Blazor Server App created using the .NET 7 template:

    // .NET 7 Blazor Server App
    ...
    app.UseStaticFiles();

    app.UseRouting();
    app.UseAuthorization();

    app.MapControllers();
    ...

    // .NET 8 Blazor Web App
    ...
    app.UseStaticFiles();
    app.UseAntiforgery();

    // Not calling below:
    // app.UseRouting()
    // app.UseAuthorization()

    app.MapRazorComponents<App>()
        .AddInteractiveServerRenderMode();
    ...

Hope to get some explanations here as well. Thanks.
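As an added example (my code, not the .NET template's and not from anyone in this thread): the template's LoginUser handler with password failures counted toward ASP.NET Core Identity lockout and every SignInResult branch handled explicitly, so that an online password-guessing attempt runs into the lockout threshold instead of going unbounded. It assumes the members the template's Login.razor already declares (SignInManager, Logger, RedirectManager, Input, ReturnUrl); the two-argument RedirectTo overload with query parameters and the errorMessage field are assumptions on my part. On the middleware question: WebApplication inserts UseRouting and UseAuthorization automatically when endpoints are mapped and authorization services are registered, so the .NET 8 template can leave the explicit calls out.

```csharp
// Added example, not template code. Code-behind for Components/Account/Pages/Login.razor.
// Assumed (not shown on the page): RedirectTo(string, Dictionary<string, object?>) and
// the errorMessage field rendered by the component.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

public partial class Login
{
    // Lockout policy is configured once, in Program.cs (values here are illustrative):
    // builder.Services.Configure<IdentityOptions>(o =>
    // {
    //     o.Lockout.AllowedForNewUsers = true;
    //     o.Lockout.MaxFailedAccessAttempts = 5;
    //     o.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    // });

    private string? errorMessage;

    public async Task LoginUser()
    {
        // lockoutOnFailure: true increments AccessFailedCount on every wrong password,
        // so repeated failures trip the lockout configured above.
        var result = await SignInManager.PasswordSignInAsync(
            Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: true);

        if (result.Succeeded)
        {
            Logger.LogInformation("User logged in.");
            RedirectManager.RedirectTo(ReturnUrl);
        }
        else if (result.RequiresTwoFactor)
        {
            // Password was right but the account enforces 2FA: continue the flow, do not sign in yet.
            RedirectManager.RedirectTo(
                "Account/LoginWith2fa",
                new() { ["returnUrl"] = ReturnUrl, ["rememberMe"] = Input.RememberMe });
        }
        else if (result.IsLockedOut)
        {
            // Worth alerting on: a locked account is the signal that guessing is happening.
            Logger.LogWarning("User account locked out.");
            RedirectManager.RedirectTo("Account/Lockout");
        }
        else
        {
            // Same message whether the e-mail or the password was wrong, so the form
            // does not reveal which accounts exist.
            errorMessage = "Error: Invalid login attempt.";
        }
    }
}
```

The only functional difference from the template's handler is the lockoutOnFailure flag; the extra branches make the lockout and two-factor outcomes visible in logs and in the UI instead of being silently treated as a generic failure.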

Hey @studev01,
Welcome to the Auth0 Community, and thank you for pointing out these issues.

Unfortunately, the reference in the article to the Identity API in the Blazor template is incorrect. Actually, the Blazor template uses the ASP.NET Core Identity classes directly. Sorry for that. I’m going to fix it soon.

Regarding the differences from Blazor Server in .NET 7.0, the new Blazor model is different. Honestly, I need to explore it more in depth in the next few weeks.

Great, looking forward to seeing the new articles.

1 Like

Hello,

I’m fairly new here, but on Reddit I saw a post from someone asking for an OIDC example for the new combined format, which intrigued me, and I decided to build a connection to Okta with the new Blazor Web App template found in Visual Studio 17.8 or higher.

Although I think I managed to authenticate today in the new Blazor Web template, the more I look into it, the more confused I am about whether I’m using OAuth2 or OpenID. In my Program.cs I have “.AddOpenIdConnect”.

Can someone help me out with my project on GitHub, GitHub - DavyGevaert/OIDC_BlazorWebApp: OIDC with new Web Template Blazor,

and point me to a decent article on the difference between OAuth2 and OpenID?

I apologize if I hijack this topic.

Hi @DavyGevaert,
Welcome to the Auth0 Community!

The new Blazor model is actually a bit tricky for authentication. There is a thread on this topic in this forum.
I’m planning on digging into it and writing an article in the next few weeks.

To quickly answer your question about OIDC and OAuth2, OIDC is related to user authentication, so .AddOpenIdConnect adds support for authentication.
However, OIDC is built on top of OAuth2, which is related to delegated authorization. This means that using OIDC you can also request an additional token (access token) that lets you access OAuth2-protected APIs.

The following are introductory articles about OIDC and OAuth2:

I hope this can help.
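As an added example (my code, not from this thread, the article, or DavyGevaert's repository): a minimal ASP.NET Core Program.cs that makes the OIDC/OAuth2 split from the answer above concrete. The openid and profile scopes are the OIDC part and produce an ID token that says who the user is; the extra API scope is the OAuth2 part and produces an access token that a protected API will check. I use a minimal-API host rather than the Blazor template so the two outcomes can be shown as two endpoints. Authority, ClientId, the API scope and the API URL are placeholders; the Oidc:ClientSecret configuration key is an assumption.

```csharp
// Added example, not project code. Placeholder values are marked; nothing here is a real tenant.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        // The signed-in session lives in a cookie; OIDC is only used to establish it.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.Authority = "https://<your-tenant>.example.com";              // placeholder
        options.ClientId = "<client-id>";                                      // placeholder
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];     // assumed config key, kept out of source
        options.ResponseType = OpenIdConnectResponseType.Code;                 // authorization code flow, not implicit

        // Authentication (OIDC): "openid" requests an ID token describing the user.
        options.Scope.Clear();
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        // Delegated authorization (OAuth2): an API scope requests an access token for that API.
        options.Scope.Add("<api-scope>");                                      // placeholder

        // Keep the tokens in the auth session so the app can call the API later.
        options.SaveTokens = true;
        options.GetClaimsFromUserInfoEndpoint = true;
        // Fail closed on the ID token: issuer must match the configured authority.
        options.TokenValidationParameters.ValidateIssuer = true;
    });

builder.Services.AddAuthorization();
builder.Services.AddHttpClient();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// OIDC outcome: the ID token answered "who is this?", and the cookie now carries those claims.
app.MapGet("/me", (HttpContext ctx) => Results.Ok(new
{
    name = ctx.User.Identity?.Name,
    authenticatedVia = ctx.User.Identity?.AuthenticationType
})).RequireAuthorization();

// OAuth2 outcome: the access token is what the downstream API validates, not the cookie.
app.MapGet("/call-api", async (HttpContext ctx, IHttpClientFactory httpClientFactory) =>
{
    var accessToken = await ctx.GetTokenAsync("access_token");
    if (string.IsNullOrEmpty(accessToken))
    {
        // Authenticated user but no delegated grant for the API: do not fall back to the cookie.
        return Results.Unauthorized();
    }

    var client = httpClientFactory.CreateClient();
    client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var response = await client.GetAsync("https://api.example.com/resource");   // placeholder API
    return Results.StatusCode((int)response.StatusCode);
}).RequireAuthorization();

app.Run();
```

The point to check in your own Program.cs is which scopes you request: with only openid and profile you are doing authentication and nothing else, and GetTokenAsync("access_token") will either be absent or carry a token no API of yours will accept. The moment you add an API scope, the same .AddOpenIdConnect call is also performing OAuth2 delegated authorization on the user's behalf.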