Securing Blazor WebAssembly Apps

Learn how to secure Blazor WebAssembly applications with Auth0.
Brought to you by @andrea.chiarelli

What are your thoughts, guys? Share them in the comments!

Thanks for the article!

What is the best way to add additional custom parameters to the login url?

In Blazor server side you could modify a property in the OnRedirectToIdentityProvider event in options.Events when adding open id connect authentication in startup.cs to add these parameters but I don’t see a way to do this in wasm…

Hi @afrank,
The current implementation of Microsoft.AspNetCore.Components.WebAssembly.Authentication doesn’t support passing additional parameters, as documented by this issue.
This is the reason why you need to use a default audience to work around passing the audience parameter.

Thanks for the answer @andrea.chiarelli!

Hopefully they will add this in the future.

Hi @andrea.chiarelli, the post was great. Can you write one to access the profile and claims? When will there be an SDK for Blazor in Auth0?

First, thank you for the article. A couple of questions:
The issue you mentioned about Blazor’s inability to provide additional query arguments at login would seem to suggest it is not possible to specify a particular Auth0 connection at login. Is there some way you can see to work around this and log in with a specified connection?
When I log out the application appears to have logged me out but if I select the login link again I’m immediately authenticated again without actually going through the login process. Something appears to be preserved in the application state that is not being cleared by logout. Any thoughts?

I’m sure Andrea will try to address that once he’s online. Thanks for all the input!

Hey @dane.vinson,
The Authentication.razor component implements logout by disconnecting the client from Auth0.
However, as highlighted in a note in the article, it seems that in some circumstances the HTTP request to the logout endpoint doesn’t happen.
I think it is a Blazor issue because this behavior is random on my side.

Hi @lprada, thanks for appreciating it.
I will take into account your suggestion for a future blog post.
Regarding an Auth0 SDK for Blazor, as far as I know, currently there is no plan for this.

In working through this article I’ve found that when I assign the RemoteAuthenticationOptions.ProviderOptions.ResponseType to “code” I get a 401 response with the message “There was an error trying to log you in: ‘’”. If I do not assign the ResponseType (defaults to token?) the login succeeds; however, after a successful login, attempts to access my API fail at the TryGetToken method. Inspection of the AccessTokenResult shows its Status is RequiredRedirect. Any thoughts on what I can try here?

Hey there @dane.vinson!

I’m sure Andrea will address that once he’s back from vacation.

Hey @dane.vinson, that behavior looks quite weird. Are you getting the same error even running the complete project attached to the article?

When I created the Auth0 app I created it as a Regular Web Application instead of a Single Page Application. I updated that and got past the previous issues (though at this point I’m still getting a 401 when I call a method on the Web API).

I’ve downloaded the completed project, updated the “Authority” and “ApiIdentifier” appsettings in the API project with my Auth0 authority and API identifier then updated the “Authority” and “ClientId” appsettings in the client project with my Auth0 authority and my application’s ClientId. I can log in with the client but I get 401 when trying to access the quiz endpoint. Also, after the 401 error in the browser I get a second, content type is not supported error, i.e. “The provided ContentType is not supported; the supported types are ‘application/json’ and the structured syntax suffix ‘application/+json’”.

I discovered that the Default Audience that I’d provided in my Domain Settings did not actually save. I was finally able to get it to save after three consecutive times entering and saving and now both your POC and mine are working.

Thanks for providing all that context @dane.vinson!

Hey @dane.vinson, happy to hear you found the reason for the issue.

Thanks for the guide! I have tried following it as closely as possible and after double checking I’m not quite sure why my implementation is failing logins, similarly to dane.vinson. After logging in through the universal login, I get redirected back to my app but am met with no change to the access control component and a message saying “There was an error logging you in”. In the debug log I see two 401 errors, but I’m not sure why. If anyone has any clues I would appreciate the assistance!

Hi @gonsalvg, welcome to Auth0 Community!

Have you checked that your default audience is correctly saved on the Auth0 dashboard? That was the issue for dane.vinson.

Otherwise, please check more info in the logs in the Auth0 dashboard and/or share with us a detailed track of the HTTP request and response originating the issue.
We will try to understand what is going on.
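
A way to check the default-audience problem discussed in this thread, as an added example that is not part of any post or of the article's project: paste the access token the client sends to the API into the function below and see whether it carries the API identifier in its `aud` claim. It assumes that a login made without an audience yields an access token that is not a JWT issued for the API, which the API's bearer validation rejects with 401; the function names, audience URLs and sample tokens are constructed for illustration.

```javascript
// Added example. Diagnostic only: it reads claims and does NOT verify the
// signature, so never use it to make an authorization decision.

function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Builds an unsigned, constructed sample token for the checks below.
function makeSampleToken(claims) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "sig-not-checked"].join(".");
}

// expectedAudience is the API identifier configured in the API project.
function diagnoseAccessToken(token, expectedAudience, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    // Not a three-part JWT: typical when no audience reached the login request.
    return { ok: false, reason: "not-a-jwt", aud: [] };
  }
  let claims;
  try {
    claims = JSON.parse(b64urlDecode(parts[1]));
  } catch {
    return { ok: false, reason: "payload-not-json", aud: [] };
  }
  // "aud" may be a single string or an array of strings.
  const aud = [].concat(claims.aud ?? []);
  if (!aud.includes(expectedAudience)) {
    return { ok: false, reason: "audience-mismatch", aud };
  }
  if (typeof claims.exp === "number" && claims.exp <= nowSeconds) {
    return { ok: false, reason: "expired", aud };
  }
  return { ok: true, reason: "audience-ok", aud };
}

// Constructed values, not taken from the thread.
const SAMPLE_API = "https://quiz-api.example";
const sampleGood = makeSampleToken({ aud: [SAMPLE_API, "https://tenant.example/userinfo"], exp: 2000 });
console.log(diagnoseAccessToken(sampleGood, SAMPLE_API, 1000).reason);
console.log(diagnoseAccessToken("opaque-token-value", SAMPLE_API, 1000).reason);
```

A result of `not-a-jwt` or `audience-mismatch` points at the tenant's default audience setting rather than at the Blazor client code.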