From 48b93bdbda5c8b73186788343fcc4061cd187c03 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Thu, 25 Jun 2020 05:19:04 -0500 Subject: [PATCH] Enhance Blazor WASM unauth endpoint access (#18937) --- .../blazor/security/webassembly/additional-scenarios.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/aspnetcore/blazor/security/webassembly/additional-scenarios.md b/aspnetcore/blazor/security/webassembly/additional-scenarios.md index c443200399..c756de5253 100644 --- a/aspnetcore/blazor/security/webassembly/additional-scenarios.md +++ b/aspnetcore/blazor/security/webassembly/additional-scenarios.md @@ -5,7 +5,7 @@ description: Learn how to configure Blazor WebAssembly for additional security s monikerRange: '>= aspnetcore-3.1' ms.author: riande ms.custom: mvc -ms.date: 06/10/2020 +ms.date: 06/24/2020 no-loc: [Blazor, "Identity", "Let's Encrypt", Razor, SignalR] uid: blazor/security/webassembly/additional-scenarios --- @@ -244,7 +244,7 @@ builder.Services.AddHttpClient("ServerAPI.NoAuthenticationClient", The preceding registration is in addition to the existing secure default registration. -A component creates the from the ([`Microsoft.Extensions.Http`](https://www.nuget.org/packages/Microsoft.Extensions.Http/) package) to make unauthenticated or unauthorized requests: +A component creates the from the ([`Microsoft.Extensions.Http`](https://www.nuget.org/packages/Microsoft.Extensions.Http) package) to make unauthenticated or unauthorized requests: ```razor @inject IHttpClientFactory ClientFactory 
@@ -267,6 +267,10 @@ A component creates the from the [!NOTE] > The controller in the server API, `WeatherForecastNoAuthenticationController` for the preceding example, isn't marked with the [`[Authorize]`](xref:Microsoft.AspNetCore.Authorization.AuthorizeAttribute) attribute. +The decision whether to use a secure client or an insecure client as the default instance is up to the developer. One way to make this decision is to consider the number of authenticated versus unauthenticated endpoints that the app contacts. If the majority of the app's requests are to secure API endpoints, use the authenticated instance as the default. Otherwise, register the unauthenticated instance as the default. + +An alternative approach to using the is to create a [typed client](#typed-httpclient) for unauthenticated access to anonymous endpoints. + ## Request additional access tokens Access tokens can be manually obtained by calling `IAccessTokenProvider.RequestAccessToken`.
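Review bot: In the paragraph added after the `[!NOTE]` block, "a secure client or an insecure client" is inconsistent with the two sentences that follow it, which say "authenticated instance" and "unauthenticated instance". "Insecure" can also be read as a client without transport security rather than one that sends no access token. Suggest "an authenticated client or an unauthenticated client" so the whole paragraph uses one pair of terms. The guidance also picks the default only by counting endpoints. Consider adding a sentence that says what a developer should expect when the default instance is used against the other kind of endpoint, so that a mismatch is recognized as a client-selection error and not resolved by dropping `[Authorize]` from a controller that needs it. The typed-client sentence links to `#typed-httpclient` but does not say how the anonymous variant differs from the one in that section; one clause stating the difference would make the alternative actionable.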