Securing a Blazor Web App - Why?

The answer to the "Why?" question is simple.

For any application beyond a static website, the data being entered is almost always specific to the user providing it. In such cases, it's essential to keep that data hidden from other users. Therefore, we need a mechanism that allows each user to log in to the application and ensures that they can access only the data they "own."

Authentication is the process of identifying and verifying a user. This is typically achieved through a login form, which requires the user to provide credentials—commonly an identifier such as an email address and a secret such as a password.

Once a user has gained access to the application, they may be restricted to certain menu options depending on who they are or what role they hold. This is known as Authorisation.

How

There are a number of ways of adding security to a Blazor application. The most obvious is to write one's own security layer - but I am going to dismiss this immediately. The reason is that it would entail recording users' logins and passwords. Ensuring this data is not exposed to any 'leaks' adds a responsibility I am not prepared to take.

Fortunately, there are a number of third-party security applications that we can hook into from a Blazor application. All of these have the advantage that the provider bears the responsibility for data security.

From some brief research, the following third-party security providers rose to the top.

  • Microsoft Entra External ID
  • Amazon Cognito
  • Google Firebase Authentication

When searching for security providers, my criteria included that the service should be free for up to 50,000 MAU (Monthly User Accesses). I believe the three listed above fulfil this criterion, though this may be open to interpretation.

It is also probably no coincidence that the three providers also happen to be amongst the largest IT companies. To a certain extent I take some comfort from this - hopefully they can be trusted to safeguard users' credentials.

I am going to investigate all three providers and report my findings. My principal focus will be on how simple it is to integrate these security providers with a basic Blazor server web application.

At this stage I am aware that I have unknown unknowns and this is a journey into the unknown!