Blazor Server Side AADB2C AllowAnonymous Not working in latest template

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

In the latest template for Blazor Server Side with Microsoft Identity platform, Program.cs has:

builder.Services.AddAuthorization(options =>
{
    // By default, all incoming requests will be authorized according to the default policy
    options.FallbackPolicy = options.DefaultPolicy;
});

So now all pages will direct to login. However, if I want to define a landing page that doesn’t require login with @attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous], it doesn’t work. The page still gets redirected to login.

Maybe this is related to https://github.com/dotnet/aspnetcore/issues/37064 and dotnet/aspnetcore#23157

cc: @guardrex per https://github.com/dotnet/AspNetCore.Docs/issues/24473

Expected Behavior

Pages marked with the AllowAnonymous attribute should not be redirected to login if not logged in.

Steps To Reproduce

  • Start a project with Blazor Server Side with Microsoft Identity Platform.
  • Fill in all the required AADB2C configs.
  • Launch the site to see if AADB2C is set up correctly. Clean up (logout).
  • Go to index.razor or fetchData.razor and add @attribute [Microsoft.AspNetCore.Authorization.AllowAnonymous].
  • Launch the site. It still requires AADB2C login on index.razor or fetchData.razor.

Exceptions (if any)

No response

.NET Version

6.0.100

Anything else?

No response

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 5
  • Comments: 26 (4 by maintainers)

Top GitHub Comments

6 reactions
brianpursley commented, Oct 12, 2022

It is easier to declare the things that require authorization than add authorization for everything and then poke holes.

I guess it depends on your application, but it’s not easier if 99% of your app needs to be secured, and only a single page needs to allow anonymous.

2 reactions
dgiagio commented, Mar 2, 2023

Unfortunately my company had to skip Blazor because of this issue. As a CTO, I cannot afford to rely on “authorize everything + deny specific pages only” if you take security seriously.

Previously I’ve also offered help to fix this for .NET in general, but as you can see on the conversation history, it didn’t go well.

We’re looking forward to Blazor authentication story improvements. Until then, we’ll use other technologies.
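
Added example, not part of the issue thread and not code from the ASP.NET Core project: for the opt-in model debated in the comments above (no FallbackPolicy, access declared per page), a test-time audit that reports any routable component with no [Authorize], or with [AllowAnonymous] on a route outside an allow-list. The class name, the PublicRoutes allow-list and the three sample components are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components;

// Constructed sample components, standing in for compiled .razor pages.
[Route("/"), AllowAnonymous] public class Landing : ComponentBase { }
[Route("/fetchdata"), Authorize] public class FetchData : ComponentBase { }
[Route("/counter")] public class Counter : ComponentBase { } // deliberately undeclared

public static class RouteAuthorizationAudit
{
    // Assumed allow-list: the only routes that may carry [AllowAnonymous].
    private static readonly HashSet<string> PublicRoutes =
        new(StringComparer.OrdinalIgnoreCase) { "/" };

    // Returns one finding per routable component that breaks the rule.
    public static IReadOnlyList<string> Audit(Assembly appAssembly)
    {
        var findings = new List<string>();
        var components = appAssembly.GetTypes()
            .Where(t => typeof(IComponent).IsAssignableFrom(t) && !t.IsAbstract);

        foreach (var type in components)
        {
            // @page "/x" compiles to [Route("/x")] on the component class.
            var routes = type.GetCustomAttributes<RouteAttribute>(inherit: false)
                .Select(r => r.Template).ToList();
            if (routes.Count == 0) continue; // not routable

            // Look for the marker interfaces behind [AllowAnonymous] and [Authorize].
            var attrs = type.GetCustomAttributes(inherit: true);
            bool anonymous = attrs.OfType<IAllowAnonymous>().Any();
            bool authorize = attrs.OfType<IAuthorizeData>().Any();

            if (anonymous && routes.Any(r => !PublicRoutes.Contains(r)))
                findings.Add($"{type.FullName}: [AllowAnonymous] outside the allow-list");
            else if (!anonymous && !authorize)
                findings.Add($"{type.FullName}: routable but no [Authorize]");
        }
        return findings;
    }
}
```

Call `RouteAuthorizationAudit.Audit(typeof(Landing).Assembly)` from a unit test and fail the build when the returned list is not empty.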
