BlazorServerExample RevalidatingIdentityAuthenticationStateProvider

[michaelcsikos]

I'm migrating a solution from Blazor Wasm to Blazor Server due to extremely poor performance for some intense calculations (20x slower).

It's a bit disappointing that authentication on the server has to occur outside the Blazor framework, requiring old-school Razor Pages. I've been going through the BlazorServerExample and Using CSLA 5 Blazor and WebAssembly book. I'm not using ASP.NET Core Identity and it looks like the BlazorServerExample isn't really either. The authentication works fine with the following commented out:

builder.Services.AddScoped<IdentityUser>();
builder.Services.AddScoped<AuthenticationStateProvider, RevalidatingIdentityAuthenticationStateProvider<IdentityUser>>();

With those lines still included, when ValidateAuthenticationStateAsync triggers:

System.InvalidOperationException: No service for type Microsoft.AspNetCore.Identity.IdentityUser has been registered.

I suppose my question is, should I be implementing a RevalidatingServerAuthenticationStateProvider? However, I don't fully understand the purpose, or how to do it properly with a simple table in a database storing user names and password hashes.

[rockfordlhotka]

The Blazor 2019 book is pretty outdated due to changes to how Blazor works between then and now.

The BlazorServerExample in the CSLA samples should be current though, but very simplified, as it uses a hard-coded principal/identity.

I'd recommend using the Microsoft project template that is closest to the authentication model you want to use as a starting point. Their templates provide implementations for the "identity user" and "authentication state provider" types to meet the needs of oath, aad, or whatever.

The only thing CSLA 6 relies on at this point is a AuthenticationStateProvider service that's injected into the application context manager. It doesn't really care who implemented that provider, as long as it exists and manages the user identity properly.

[swegele]

I have also NOT implemented the RevalidatingServerAuthenticationStateProvider yet as I port my old WebForms CSLA 5 app to Blazor Server 6. I believe it is for expiring tokens etc. included with various standard auth mechanisms. We don't currently use those so I'm not worrying about it. But obviously could implement in future if we had some sort of (check if user is still auth mechanism).

Think in terms of an admin discovering that UserA access needs to be revoked. Does that only kick in when UserA logs off and then tries to log back in. Or does it happen sooner on some timed basis when system does a check "Is UserA still auth for using system?"

[rockfordlhotka]

When using a token, the token usually has an expiration built in, and so needs to be revalidated/recreated periodically.

If you aren't using expiring tokens, then I imagine logoff is the only condition where the identity becomes invalid?