.AddBlazorWebAssembly() stomps all over my permissions!

[lwmorris067]

I've been having trouble updating an 'old' blazor app to Blazor 9. To make this as simple as possible, I've downloaded the BlazorWebAppOidc sample (https://github.com/dotnet/blazor-samples.git), and configured the project to work with an oidc provider.

I can add the following to the client's program.cs and the application will work without issue.

builder.Services.AddCsla(o => o
.DataPortal(o => o
.ClientSideDataPortal(o => o
.UseLocalProxy())));

The moment I add in .AddBlazorWebAssembly(), I start having security issues when it transitions from Server or Static to WebAssembly. Actually, I just changed the rendermode to new InteractiveWebAssemblyRenderMode(prerender: false) and it appears I loose all my permissions right after login.

Any suggestions as to what I may have missed?

[joshhanson314]

This happens because the AddBlazorWebAssembly() call is injecting policy authorization handlers for CSLA policies. I had a similar thing happen to me early on. I needed to register my own policy handler that cascades from my policies to the CSLA policies so I could get it running with both. I am going off of my memory, so my terminology might be a bit of when referring to things like the policy handler. The point is there is a DI, order dependent, authorization stuff happening that is getting in the way of your expected behavior.

[rockfordlhotka]

Also, if you are doing any server-side hosting, make sure to call AddAspNetCore as well (and before the blazor call). It is important to set up the chain of context managers so the correct one is used for server-interactive, server-static, and data portal hosting scenarios.

[lwmorris067]

It appears that if I remove @Attribute [Authorize] from the webassembly's _imports and add the following to program.cs in the server project. Then everything seems to work.

builder.Services.AddAuthorization(options =>
{
options.FallbackPolicy = new AuthorizationPolicyBuilder()
.RequireAuthenticatedUser()
.Build();
});

[rockfordlhotka]

It never occurred to me that you could authorize the imports. Why would you do that?

[lwmorris067]

In this case it was a way to secure the application by default.