Blazor security updates (#28922)
Luke Latham
GitHub
parent
f8c16fb676
commit
d21551836b
|
|
@ -0,0 +1 @@
|
|||
The Microsoft Authentication Library (<xref:Microsoft.Authentication.WebAssembly.Msal>, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C custom policies](/azure/active-directory-b2c/user-flow-overview) by default.
|
||||
|
|
@ -1 +0,0 @@
|
|||
The Microsoft Authentication Library (<xref:Microsoft.Authentication.WebAssembly.Msal>, [NuGet package](https://www.nuget.org/packages/Microsoft.Authentication.WebAssembly.Msal/)) doesn't support [AAD B2C user flows](/azure/active-directory-b2c/user-flow-overview) by default. Create custom user flows in developer code. For more information on how to build a challenge for a custom user flow, see [User flows in Azure Active Directory B2C](/azure/active-directory-b2c/user-flow-overview).
|
||||
|
|
@ -14,6 +14,8 @@ uid: blazor/security/webassembly/hosted-with-azure-active-directory-b2c
|
|||
|
||||
This article explains how to create a [hosted Blazor WebAssembly solution](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication.
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
@ -36,7 +38,7 @@ Register an AAD B2C app for the *Server API app*:
|
|||
1. Navigate to **Azure AD B2C** in the Azure portal. Select **App registrations** in the sidebar. Select the **New registration** button.
|
||||
1. Provide a **Name** for the app (for example, **Blazor Server AAD B2C**).
|
||||
1. For **Supported account types**, select the multi-tenant option: **Accounts in any identity provider or organizational directory (for authenticating users with user flows)**
|
||||
1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so skip the **Redirect URI** setting don't enter a redirect URI.
|
||||
1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the **Select a platform** dropdown list unselected and don't enter a redirect URI.
|
||||
1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), confirm that **Permissions** > **Grant admin consent to openid and offline_access permissions** is selected. If the publisher domain is verified, this checkbox isn't present.
|
||||
1. Select **Register**.
|
||||
|
||||
|
|
@ -152,9 +154,9 @@ If the scope is incorrect, update the value now.
|
|||
|
||||
[!INCLUDE[](~/blazor/security/includes/run-the-app.md)]
|
||||
|
||||
## Custom user flows
|
||||
## Custom policies
|
||||
|
||||
[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-userflows.md)]
|
||||
[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-custom-policies.md)]
|
||||
|
||||
## Configure `User.Identity.Name`
|
||||
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@ This article explains how to create a [hosted Blazor WebAssembly solution](xref:
|
|||
|
||||
This article doesn't cover a *multi-tenant Azure Active Directory registration*. For more information, see [Making your application multi-tenant](/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant).
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
@ -39,7 +41,7 @@ Register an AAD app for the *Server API app*:
|
|||
1. Navigate to **Azure Active Directory** in the Azure portal. Select **App registrations** in the sidebar. Select the **New registration** button.
|
||||
1. Provide a **Name** for the app (for example, **Blazor Server AAD**).
|
||||
1. Choose a **Supported account types**. You may select **Accounts in this organizational directory only** (single tenant) for this experience.
|
||||
1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the dropdown list set to **Web** and don't enter a redirect URI.
|
||||
1. The *Server API app* doesn't require a **Redirect URI** in this scenario, so leave the **Select a platform** dropdown list unselected and don't enter a redirect URI.
|
||||
1. If you're using an [unverified publisher domain](/azure/active-directory/develop/howto-configure-publisher-domain), clear the **Permissions** > **Grant admin consent to openid and offline_access permissions** checkbox. If the publisher domain is verified, this checkbox isn't present.
|
||||
1. Select **Register**.
|
||||
|
||||
|
|
|
|||
|
|
@ -24,6 +24,8 @@ This article explains how to create a [hosted Blazor WebAssembly solution](xref:
|
|||
> [!NOTE]
|
||||
> To configure a standalone or hosted Blazor WebAssembly app to use an existing, external Identity Server instance, follow the guidance in <xref:blazor/security/webassembly/standalone-with-authentication-library>.
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@ uid: blazor/security/webassembly/index
|
|||
|
||||
Blazor WebAssembly apps are secured in the same manner as single-page applications (SPAs). There are several approaches for authenticating users to SPAs, but the most common and comprehensive approach is to use an implementation based on the [OAuth 2.0 protocol](https://oauth.net/), such as [OpenID Connect (OIDC)](https://openid.net/connect/).
|
||||
|
||||
The Blazor WebAssembly security documentation primarily focuses on how to accomplish user authentication and authorization tasks. For OAuth 2.0/OIDC general concept coverage, see the resources in the [main overview article's *Additional resources* section](xref:blazor/security/index#additional-resources).
|
||||
|
||||
## Authentication library
|
||||
|
||||
Blazor WebAssembly supports authenticating and authorizing apps using OIDC via the [`Microsoft.AspNetCore.Components.WebAssembly.Authentication`](https://www.nuget.org/packages/Microsoft.AspNetCore.Components.WebAssembly.Authentication) library. The library provides a set of primitives for seamlessly authenticating against ASP.NET Core backends. The library integrates ASP.NET Core Identity with API authorization support built on top of [Duende Identity Server](https://docs.duendesoftware.com). The library can authenticate against any third-party Identity Provider (IP) that supports OIDC, which are called OpenID Providers (OP).
|
||||
|
|
|
|||
|
|
@ -16,6 +16,8 @@ This article explains how to secure an ASP.NET Core Blazor WebAssembly standalon
|
|||
|
||||
*For Azure Active Directory (AAD) and Azure Active Directory B2C (AAD B2C) guidance, don't follow the guidance in this topic. See <xref:blazor/security/webassembly/standalone-with-azure-active-directory> or <xref:blazor/security/webassembly/standalone-with-azure-active-directory-b2c>.*
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory-b2c
|
|||
|
||||
This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD) B2C](/azure/active-directory-b2c/overview) for authentication.
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
@ -205,9 +207,9 @@ For more information, see the following sections of the *Additional scenarios* a
|
|||
|
||||
[!INCLUDE[](~/blazor/security/includes/authentication-component.md)]
|
||||
|
||||
### Custom user flows
|
||||
### Custom policies
|
||||
|
||||
[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-userflows.md)]
|
||||
[!INCLUDE[](~/blazor/security/includes/wasm-aad-b2c-custom-policies.md)]
|
||||
|
||||
## Troubleshoot
|
||||
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-azure-active-directory
|
|||
|
||||
This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Azure Active Directory (AAD)](https://azure.microsoft.com/services/active-directory/) for authentication.
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
|
|||
|
|
@ -14,6 +14,8 @@ uid: blazor/security/webassembly/standalone-with-microsoft-accounts
|
|||
|
||||
This article explains how to create a [standalone Blazor WebAssembly app](xref:blazor/hosting-models#blazor-webassembly) that uses [Microsoft Accounts with Azure Active Directory (AAD)](/azure/active-directory/develop/quickstart-register-app#register-a-new-application-using-the-azure-portal) for authentication.
|
||||
|
||||
For additional security scenario coverage after reading this article, see <xref:blazor/security/webassembly/additional-scenarios>.
|
||||
|
||||
## Walkthrough
|
||||
|
||||
The subsections of the walkthrough explain how to:
|
||||
|
|
|
|||
Loading…
Reference in New Issue