Correct implementation of custom AuthenticationStateProvider in server-side Blazor

[sipi41]

Thank you for all the help you may bring. For the past several days I been trying to implement a simple log-in form on my daughter blazor-server page using Identity, Authentication and Authorization,

I have read the MS documentation (https://docs.microsoft.com/en-us/aspnet/core/blazor/security/?view=aspnetcore-6.0) did read several tutorials and watched several videos and I'm impressed with the level of confusion created around this topic, everybody including MS have their own idea on how to do things, and it will worth mentioning that even experienced developers prefer to use the pre-factored Identity pages of the VS template than "monkey with that" as they said... so for me, a newbie, its just confusing... I can't understand why MS can't provide a guide step by step for blazor-server, with clear examples on how to maintain state (after sign-in), etc... because some say, use session to keep state, use browser storage, and others say do it through javascript to API... and what MS says?

MS in their documentation say I should use AuthenticationStateProvider but later I see there's a ServerAuthenticationStateProvider and even people using another one called RevalidatingServerAuthenticationStateProvider... I have to say that I tried to use the "server version" and my authentication just don't work... so I came back to the first one.

The most clear tutorial came from https://www.youtube.com/watch?v=BmAnSNfFGsc and even this guy is confused... as he says we should use:
app.UseAuthentication(); app.UseAuthorization();
but I noticed I don't have to use them, it works without that... see? everybody is saying "use this and that" but there's not a real explanation on why things should be done... The documentation has failed in this case because it explains how to implement a custom AuthenticationStateProvider but not on how to create and call a method to change this user and call NotifyAuthenticationStateChanged, I was braking my head around that...

I hope this can help and lead to better techniques to explain clearly how to secure blazor-server pages... if you can provide clearly the steps to others will be fine, I can provide what I have also, is that ok?

[SteveSandersonMS]

@sipi41 Were you able to try starting from the "new project" template with the auth options enabled? This will give you a preconfigured site that has auth.

Also to clarify, AuthenticationStateProvider isn't something you can store state inside. It's something that tells your application what the authentication state of the user is (i.e., whether they are logged in, and who they are logged in as).

Another thing to note is that, for Blazor Server, the authentication is really the same as regular ASP.NET Core authentication. It's the same system and holds the same state. So you can follow any docs or tutorials for ASP.NET Core and it will take effect for the Blazor Server parts of your application.

I hope this helps you move forwards. Please let us know if not. And in that case, please give more details of what specifically you're trying to do and which part of it doesn't work.

Hi @sipi41. We have added the "Needs: Author Feedback" label to this issue, which indicates that we have an open question for you before we can take further action. This issue will be closed automatically in 7 days if we do not hear back from you by then - please feel free to re-open it if you come back to this issue after that time.

[sipi41]

@SteveSandersonMS thank you for your reply. I would like to clarify something:

1. Yes, most of the tutorials show how to create a new blazor site with auth enabled, but what this basically do is create a bunch of .cshtml pages that in the majority of cases are not needed, for example, not all websites are like facebook, we don't invite people to join, and this does not resolve one important question: why do we have to implement partially .cshtml pages in our single page application?

2. Yes its true, as you said: "AuthenticationStateProvider isn't something you can store state inside" but the use of NotifyAuthenticationStateChanged is not shown on any of the documentation examples, in other words, in the vague examples provided in the official MS docs, a fake user is created at the beginning when implementing GetAuthenticationStateAsync for the first time, then what? missing pieces all over...

3. You said: "for Blazor Server, the authentication is really the same as regular ASP.NET Core authentication" and this is not true (at least in old versions of .net core). In previous mvc core projects, I had to use app.UseAuthentication and app.UseAuthorization, not in this project... I never had to use AuthenticationStateProvider, state was also saved automatically on a cookie...

I'm about to finish the approach with the help of the tutorial mentioned in the original post, maybe this could help somebody else. PLEASE fix the docs, I repeat, there's a lot of confusion regarding this, if you don't believe me check the tutorials and videos offered on the internet, everybody have their own ideas... and that is not because they are dumb or not experienced but because the docs are so confusing.

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.