BitzArt / Blazor.Auth

Blazor authentication package
https://bitzart.github.io/Blazor.Auth/
MIT License
79 stars, 11 forks

Can this be used by server-side app alone? #19

Closed franky1017 closed 3 months ago

franky1017 commented 3 months ago

I have an app that is .NET 8 server-side alone, not the interactive auto mode where there are both a server-side app and a client-side app.

My question is can I use your auth component just in my server-side app alone? Are there any changes needed for the implementation? Your documentation (https://bitzart.github.io/Blazor.Auth/04.use-cases/03.interactive-server.html) indicates "Interactive Server" is not supported, so I would like to double-check.

Thanks!

YuriyDurov commented 3 months ago

Hello @franky1017, I believe that you can use it in a purely server-side app, just follow those parts of the documentation that are related to server-side code. I just did not try doing that, but I don't see why you would not be able to.

We have already updated our documentation according to our plans for 1.*. Sign-in, sign-up, and sign-out functionality will no longer be supported for "Interactive Server" starting with package version 1.*, and for some time after that, until we figure out how to make it work with the other updates in that version. Currently it is supported, so you can use it while you are on the 0.* version.

Or you can just implement your sign-in, sign-up and sign-out functionality with Static SSR render mode (e.g. via form submission). This render mode should continue working just as it does now.

luis-fss commented 3 months ago

Hello, I am using Blazor.Auth in my application which is pure Blazor Interactive Server (only one project) in conjunction with Microsoft Identity. It works great so far.

I am very grateful for the effort and implementation in version 0.* as it was the best way I found to solve all the complexity related to authorization and authentication.

@YuriyDurov Could you please clarify why this will no longer be supported in version 1.*? I was unable to find said documentation. Is it something related to security? Is there no possibility of reconsidering this decision?

SSR, despite being a viable option, has unwanted side effects, mainly because my interface is built with MudBlazor and completely dependent on interactivity.

YuriyDurov commented 3 months ago

Hello @luis-fss

We are planning on removing the ability of client-side code to access authentication cookies in any way by making those cookies HttpOnly, so that only the server part of the app has access to them.

This is necessary in order to prevent the possibility of XSS attacks reading those cookies.

HttpOnly cookies are only available in the context of an HTTP request, like in Static SSR, where pages are fetched and forms are submitted via HTTP requests.

Interactive server-side code currently uses JS interop to access or set the user's authentication cookies, which will no longer work with HttpOnly cookies.

We will still need to implement a way for interactive server to access those cookies. We already have a plan of how we can implement the AuthenticationState provider for this render mode. You can see the planned sequence diagram in the documentation.

Something similar will need to be done for IUserService, which will take time, so we are planning on not supporting this functionality for this render mode for some time until we are able to resolve this.
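To make the HttpOnly point above concrete, here is an added example (not part of Blazor.Auth, and using only plain ASP.NET Core APIs) that puts the script-readable cookie setting beside the hardened one and shows that the server can still read the cookie from an ordinary HTTP request. The cookie name `access_token`, the route names and `IssueTokenFor` are hypothetical.

```csharp
// Added example, not Blazor.Auth code. Minimal ASP.NET Core app (Program.cs).
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Weak setting (what JS interop relies on): the cookie is exposed to
// document.cookie, so any script injected via XSS can read the token.
static CookieOptions ScriptReadableOptions() => new()
{
    HttpOnly = false,
    Secure = true,
    SameSite = SameSiteMode.Lax,
};

// Hardened setting (the direction described above): the browser never exposes
// the cookie to JavaScript, so neither document.cookie nor JS interop can read it.
// Only server-side code handling an HTTP request sees it.
static CookieOptions HttpOnlyOptions() => new()
{
    HttpOnly = true,
    Secure = true,
    SameSite = SameSiteMode.Strict,
    Expires = DateTimeOffset.UtcNow.AddHours(1),
};

// Hypothetical placeholder: in a real app this comes from your identity provider.
static string IssueTokenFor(string username) => $"token-for-{username}";

// Static SSR style sign-in: a plain form POST arrives as an HTTP request,
// so the server can set the HttpOnly cookie in the response.
app.MapPost("/auth/sign-in", (HttpContext ctx) =>
{
    var username = ctx.Request.Form["username"].ToString();
    if (string.IsNullOrEmpty(username)) return Results.BadRequest();
    ctx.Response.Cookies.Append("access_token", IssueTokenFor(username), HttpOnlyOptions());
    return Results.Redirect("/");
});

// Server-side read: works because this code runs inside an HTTP request.
// An interactive server circuit has no HttpContext after the initial request,
// which is why a different mechanism is needed for that render mode.
app.MapGet("/auth/me", (HttpContext ctx) =>
    ctx.Request.Cookies.TryGetValue("access_token", out var token) && !string.IsNullOrEmpty(token)
        ? Results.Ok(new { signedIn = true })
        : Results.Unauthorized());

app.Run();
```

`ScriptReadableOptions()` is kept only for comparison; a sign-in endpoint should use `HttpOnlyOptions()`.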

franky1017 commented 3 months ago

@YuriyDurov

We are planning on removing the ability of client-side code to access authentication cookies in any way by making those cookies HttpOnly so that only the server part of the app would have access to it.

Without the ability for the client-side app to access the authentication cookie, which contains the "AccessToken", how does it make API calls? It needs to attach this JWT token to its headers to make all API calls.

YuriyDurov commented 3 months ago

@franky1017

This is a very fair question! The discussion on this topic is happening here: #11

luis-fss commented 3 months ago

@YuriyDurov I understand. It's sad because, as I said, Blazor.Auth solved my problems with server authorization and authentication, I really wouldn't want to go back to that nightmare, so I'm going to stay on version 0.* and hope that you find a solution to better suit Interactive Server mode. Thank you very much for the clarification and I wish you and your team the best of luck.

YuriyDurov commented 3 months ago

@luis-fss Sure, you can stay on 0.* for some time until we figure everything out with the interactive server, if this render mode is important for your auth pages. Keep an eye on the updates! :) We will try to implement the support for this as soon as possible.