Support Auth0 in Azure Static Web Apps for Blazor WebAssembly Apps

Learn how to support Auth0 in Azure SWA for your Blazor WebAssembly application.

Brought to you by @andrea.chiarelli

What are your thoughts, folks? Share them in the comments!

Can you provide the info on how to call a protected Web API?

Hi @glondon,
Welcome to the Auth0 Community! :wave:

If you mean to call an API with an access token, I’m afraid you can’t unless you get rid of the built-in SWA authentication support.

While this is not explicitly stated in the documentation, there are a few threads about this problem (this, this, and this, for example).

As far as I understand, the reason for this is that the SWA architecture implements the BFF pattern, which by design doesn’t expose any token to the SPA.
The solution would be to not use the SWA authentication infrastructure and integrate authentication and authorization in the classical way.

Hi Andrea,

Thank you very much for your reply. Your guides have been a wonderful and needed addition to the Blazor community. They are the highest of quality.

It makes sense that SWA auth doesn’t expose the access_token to the browser… but it’s confusing, as the BFF pattern should be used for Blazor WASM to hide tokens from the browser, no? I thought the Implicit flow was not a recommended approach anymore?

You can use things like Duende, or add another ASP.NET Core Web API to your project to act as a BFF… but those things seem like overkill.

Would appreciate any advice.

Hey @glondon,
Thanks for your kind words! :pray:

As you know, the desired security level of an application depends on multiple factors.
If you absolutely do not want to risk an access token falling into the wrong hands, the BFF pattern allows you to do so.
Of course, this comes at a cost. Whether it is worth the cost depends on the criticality of the application’s functionality and the data it handles.
In other words, it is an architectural decision.

P.S. You mentioned the Implicit flow but I’m not sure in what regard :thinking: