Content displayed during asynchronous authentication in ASP.NET Blazor

        <h1>Hello, @context.User.Identity.Name!</h1>
        <p>You can only see this content if you're authenticated.</p>
        <h1>Authentication in progress</h1>
        <p>You can only see this content while authentication is in progress.</p>

This approach isn’t normally applicable to Blazor Server apps. Blazor Server apps know the authentication state as soon as the state is established. Authorizing content can be provided in a Blazor Server app’s AuthorizeView component, but the content is never displayed.


Role-based and policy-based authorization in ASP.NET Blazor

The AuthorizeView component supports role-based or policy-based authorization.

For role-based authorization, use the Roles parameter:

<AuthorizeView Roles="admin, superuser">
    <p>You can only see this if you're an admin or superuser.</p>

For policy-based authorization, use the Policy parameter:

<AuthorizeView Policy="content-editor">
    <p>You can only see this if you satisfy the "content-editor" policy.</p>


AuthorizeView component in ASP.NET Blazor

The AuthorizeView component selectively displays UI content depending on whether the user is authorized. This approach is useful when you only need to display data for the user and don’t need to use the user’s identity in procedural logic.

The component exposes a context variable of type AuthenticationState, which you can use to access information about the signed-in user:

You can also supply different content for display if the user isn’t authorized:

        <button @onclick="SecureMethod">Authorized Only Button</button>
        <h1>Authentication Failure!</h1>
        <p>You're not signed in.</p>

@code {
    private void SecureMethod() { ... }


Expose the authentication state as a cascading parameter in ASP.NET Blazor

@page "/"

<button @onclick="LogUsername">Log username</button>


@code {
    private Task<AuthenticationState> authenticationStateTask { get; set; }

    private string authMessage;

    private async Task LogUsername()
        var authState = await authenticationStateTask;
        var user = authState.User;

        if (user.Identity.IsAuthenticated)
            authMessage = $"{user.Identity.Name} is authenticated.";
            authMessage = "The user is NOT authenticated.";

Set up the Task<AuthenticationState> cascading parameter using the AuthorizeRouteView and CascadingAuthenticationState components in the App component (App.razor):

    <Router AppAssembly="@typeof(Program).Assembly">
        <Found Context="routeData">
            <AuthorizeRouteView RouteData="@routeData" 
                DefaultLayout="@typeof(MainLayout)" />
            <LayoutView Layout="@typeof(MainLayout)">
                <p>Sorry, there's nothing at this address.</p>

In a Blazor WebAssembly App, add services for options and authorization to Program.cs:


In a Blazor Server app, services for options and authorization are already present, so no further action is required.


Custom AuthenticationStateProvider in ASP.NET Blazor

public class CustomAuthenticationStateProvider : AuthenticationStateProvider
    public override async Task<AuthenticationState> GetAuthenticationStateAsync()
        // user is anonymous
        // ClaimsIdentity claimsIdentity = new ClaimsIdentity();
        // user is authenticated
        ClaimsIdentity claimsIdentity = new ClaimsIdentity("test");
        claimsIdentity.AddClaim(new Claim("AccessUserPages","true"));

        ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
        AuthenticationState authenticationState = new AuthenticationState(claimsPrincipal);
        return await Task.FromResult(authenticationState);


builder.Services.AddScoped<AuthenticationStateProvider, CustomAuthenticationStateProvider>();


@page "/"
@using System.Security.Claims
@inject AuthenticationStateProvider AuthenticationStateProvider

    Authentication : @authMessage

    @if (claims.Any())
            @foreach (var claim in claims)
                <li>@claim.Type : @claim.Value</li>

    private string authMessage;
    private IEnumerable<Claim> claims = Enumerable.Empty<Claim>();

    protected override async Task OnInitializedAsync()
        var authState = await AuthenticationStateProvider.GetAuthenticationStateAsync();
        var user = authState.User;

        if (user.Identity.IsAuthenticated)
            authMessage = "user is authenticated";
            claims = user.Claims;
            authMessage = "user is not authenticated";


Configure ASP.NET Core Data Protection to Persist Keys To DbContext


dotnet add package Microsoft.AspNetCore.DataProtection.EntityFrameworkCore

Add using Microsoft.AspNetCore.DataProtection; to Startup.cs


The preceding code stores the keys in the configured database. The database context being used must implement IDataProtectionKeyContextIDataProtectionKeyContext exposes the property DataProtectionKeys

public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } = null!;


Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core

Antiforgery middleware is added to the Dependency injection container when one of the following APIs is called in Program.cs:

The FormTagHelper injects antiforgery tokens into HTML form elements. The following markup in a Razor file automatically generates antiforgery tokens:

<form method="post">
    <!-- ... -->

Explicitly add an antiforgery token to a <form> element without using Tag Helpers with the HTML helper @Html.AntiForgeryToken:

<form asp-action="Index" asp-controller="Home" method="post">

    <!-- ... -->

In each of the preceding cases, ASP.NET Core adds a hidden form field similar to the following example:

<input name="__RequestVerificationToken" type="hidden" value="CfDJ8NrAkS ... s2-m9Yw">

Configure antiforgery with AntiforgeryOptions

Customize AntiforgeryOptions in Program.cs:

builder.Services.AddAntiforgery(options =>
    // Set Cookie properties using CookieBuilder properties†.
    options.FormFieldName = "AntiforgeryFieldname";
    options.HeaderName = "X-CSRF-TOKEN-HEADERNAME";
    options.SuppressXFrameOptionsHeader = false;


Configure Many-to-Many Relationships using Fluent API in Entity Framework Core

public class Student
    public int StudentId { get; set; }
    public string Name { get; set; }

public class Course
    public int CourseId { get; set; }
    public string CourseName { get; set; }
    public string Description { get; set; }
public class StudentCourse
    public int StudentId { get; set; }
    public Student Student { get; set; }

    public int CourseId { get; set; }
    public Course Course { get; set; }

public class Course
    public int CourseId { get; set; }
    public string CourseName { get; set; }
    public string Description { get; set; }

    public IList<StudentCourse> StudentCourses { get; set; }
public class SchoolContext : DbContext
    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)

    protected override void OnModelCreating(ModelBuilder modelBuilder)
        modelBuilder.Entity<StudentCourse>().HasKey(sc => new { sc.StudentId, sc.CourseId });
    public DbSet<Student> Students { get; set; }
    public DbSet<Course> Courses { get; set; }
    public DbSet<StudentCourse> StudentCourses { get; set; }


Configure One-to-One Relationships using Fluent API in Entity Framework Core

using Microsoft.EntityFrameworkCore;

namespace BlazorApp1;

public class AppDbContext : DbContext
    public AppDbContext(DbContextOptions<AppDbContext> options)
        : base(options)

    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)

    protected override void OnModelCreating(ModelBuilder modelBuilder)
            .HasOne<StudentAddress>(s => s.Address)
            .WithOne(ad => ad.Student)
            .HasForeignKey<StudentAddress>(ad => ad.AddressOfStudentId);

    public DbSet<Student> Students { get; set; }
    public DbSet<StudentAddress> StudentAddresses { get; set; }

public class StudentAddress
    public int StudentAddressId { get; set; }
    public string Address { get; set; }
    public string City { get; set; }
    public string State { get; set; }
    public string Country { get; set; }

    public int AddressOfStudentId { get; set; }
    public Student Student { get; set; }


Configure One-to-Many Relationships using Fluent API in Entity Framework Core


using Microsoft.EntityFrameworkCore;

namespace BlazorApp1;

public class AppDbContext : DbContext
    public AppDbContext(DbContextOptions<AppDbContext> options)
        : base(options)

    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)

    protected override void OnModelCreating(ModelBuilder modelBuilder)
            .HasOne<Grade>(s => s.Grade)
            .WithMany(g => g.Students)
            .HasForeignKey(s => s.CurrentGradeId);

    public DbSet<Student> Students { get; set; }
    public DbSet<Grade> Grades { get; set; }

public class Student
    public int Id { get; set; }
    public string Name { get; set; }

    public int CurrentGradeId { get; set; }
    public Grade Grade { get; set; }

public class Grade
    public int GradeId { get; set; }
    public string GradeName { get; set; }
    public string Section { get; set; }

    public ICollection<Student> Students { get; set; }
