Skip to content

Commit

Permalink
ROPC for Blazor (#33524)
Browse files Browse the repository at this point in the history
  • Loading branch information
guardrex authored Sep 4, 2024
1 parent d65268a commit 6ebc89a
Show file tree
Hide file tree
Showing 4 changed files with 64 additions and 0 deletions.
12 changes: 12 additions & 0 deletions aspnetcore/blazor/blazor-ef-core.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,17 @@ This guidance applies to the **`Server`** project of a hosted Blazor WebAssembly

:::moniker-end

## Secure authentication flow required for production apps

This article uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor apps, see the articles in the [Blazor *Security and Identity* node](xref:blazor/security/index).

For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:

* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
* Azure services documentation
* [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)

## Sample app

The sample app was built as a reference for server-side Blazor apps that use EF Core. The sample app includes a grid with sorting and filtering, delete, add, and update operations. The sample demonstrates use of EF Core to handle optimistic concurrency.
Expand Down Expand Up @@ -347,3 +358,4 @@ We recommend only enabling <xref:Microsoft.EntityFrameworkCore.DbContextOptionsB

* [EF Core documentation](/ef/)
* [Blazor samples GitHub repository (`dotnet/blazor-samples`)](https://github.com/dotnet/blazor-samples)
* [Blazor *Security and Identity* node articles](xref:blazor/security/index)
9 changes: 9 additions & 0 deletions aspnetcore/blazor/security/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,15 @@ ASP.NET Core abstractions, such as <xref:Microsoft.AspNetCore.Identity.SignInMan
> [!NOTE]
> The code examples in this article adopt [nullable reference types (NRTs) and .NET compiler null-state static analysis](xref:migration/50-to-60#nullable-reference-types-nrts-and-net-compiler-null-state-static-analysis), which are supported in ASP.NET Core in .NET 6 or later. When targeting ASP.NET Core 5.0 or earlier, remove the null type designation (`?`) from examples in this article.
## Managed identities for Microsoft Azure services

For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:

* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
* Azure services documentation
* [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)

:::moniker range=">= aspnetcore-8.0"

## Antiforgery support
Expand Down
18 changes: 18 additions & 0 deletions aspnetcore/blazor/tutorials/movie-database-app/index.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,24 @@ Parts of this series include:

At the end of the tutorial, you'll have a Blazor Web App that can display and manage movies in a movie database.

## Secure authentication flow required for production apps

<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
add it to the list. -->

This tutorial uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor Web Apps, see the following resources:

* <xref:blazor/security/index>
* <xref:blazor/security/server/index> and the following articles in the *Server* security node
* <xref:blazor/security/blazor-web-app-oidc>

For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:

* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
* Azure services documentation
* [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)

## Sample app

If you don't intend to create the demonstration app while reading the article, you can refer to the completed sample app in the [Blazor samples GitHub repository (`dotnet/blazor-samples`)](https://github.com/dotnet/blazor-samples). Select the latest version folder in the repository. The sample folder for this tutorial's project is named `BlazorWebAppMovies`.
Expand Down
25 changes: 25 additions & 0 deletions aspnetcore/blazor/tutorials/movie-database-app/part-4.md
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,24 @@ This article is the fourth part of the Blazor movie database app tutorial that t

This part of the tutorial series focuses on the database context and directly working with the database's schema and data. Seeding the database with data is also covered.

## Secure authentication flow required for production apps

<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
add it to the list. -->

This tutorial uses a local database that doesn't require user authentication. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production Blazor Web Apps, see the following resources:

* <xref:blazor/security/index>
* <xref:blazor/security/server/index> and the following articles in the *Server* security node
* <xref:blazor/security/blazor-web-app-oidc>

For Microsoft Azure services, we recommend using *managed identities*. Managed identities securely authenticate to Azure services without storing credentials in app code. For more information, see the following resources:

* [What are managed identities for Azure resources? (Microsoft Entra documentation)](/entra/identity/managed-identities-azure-resources/overview)
* Azure services documentation
* [Managed identities in Microsoft Entra for Azure SQL](/azure/azure-sql/database/authentication-azure-ad-user-assigned-managed-identity)
* [How to use managed identities for App Service and Azure Functions](/azure/app-service/overview-managed-identity)

## Database context

The database context, `BlazorWebAppMoviesContext`, connects to the database and maps model objects to database records. The database context was created in the second part of this series. The scaffolded database context code appears in the `Program` file:
Expand Down Expand Up @@ -335,6 +353,9 @@ If the app is running, shut the app down by closing the browser's window and pre

## Additional resources

<!-- UPDATE 9.0 If we get a BWA + MS Identity Web app+article,
add it to the list. -->

* Configuration articles:
* <xref:fundamentals/configuration/index> (ASP.NET Core Configuration system)
* <xref:blazor/fundamentals/configuration> (Blazor documentation)
Expand All @@ -345,6 +366,10 @@ If the app is running, shut the app down by closing the browser's window and pre
* [SQLite EF Core Database Provider Limitations](/ef/core/providers/sqlite/limitations)
* [Customize migration code](/ef/core/managing-schemas/migrations/#customize-migration-code)
* [SQLite ALTER TABLE statement (SQLite documentation)](https://sqlite.org/lang_altertable.html)
* Blazor Web App security
* <xref:blazor/security/index>
* <xref:blazor/security/server/index> and the following articles in the *Server* security node
* <xref:blazor/security/blazor-web-app-oidc>

## Legal

Expand Down

0 comments on commit 6ebc89a

Please sign in to comment.