You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: aspnetcore/blazor/call-web-api.md
-8Lines changed: 0 additions & 8 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -132,14 +132,6 @@ The solution includes a demonstration of obtaining weather data securely via a w
132
132
133
133
A Blazor Web App with global Auto interactivity that uses [Microsoft identity platform](/entra/identity-platform/)/[Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra). The solution includes a demonstration of obtaining weather data securely via a web API when a component that adopts Interactive Auto rendering is rendered on the client.
134
134
135
-
<!--
136
-
137
-
### `BlazorWebAppEntraServer`
138
-
139
-
A Blazor Web App with global Interactive Server interactivity that uses Microsoft Identity Web with Microsoft Entra-specific packages. The sample demonstrates how to [pass an access token](xref:blazor/security/additional-scenarios#pass-tokens-to-a-server-side-blazor-app) to call a secure web API.
140
-
141
-
-->
142
-
143
135
### `BlazorWebAppEntraBff`
144
136
145
137
A Blazor Web App with global Auto interactivity that uses:
Copy file name to clipboardExpand all lines: aspnetcore/blazor/security/additional-scenarios.md
+12-1Lines changed: 12 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -25,6 +25,10 @@ This article explains how to configure server-side Blazor for additional securit
25
25
26
26
Tokens available outside of the Razor components in a Blazor Web App can be passed to interactive components with the approaches described in this section. The examples in this section focus on passing access tokens, but the approach is valid for other HTTP context state provided by <xref:Microsoft.AspNetCore.Http.HttpContext>.
27
27
28
+
For a demonstration of the guidance in this section, see the following sample apps in the [Blazor samples]() repository:
29
+
30
+
31
+
28
32
> [!NOTE]
29
33
> Passing the [anti-request forgery (CSRF/XSRF) token](xref:security/anti-request-forgery) to Razor components is useful in scenarios where components POST to Identity or other endpoints that require validation. However, don't follow the guidance in this section for processing form POST requests or web API requests with XSRF support. The Blazor framework provides built-in antiforgery support for forms and calling web APIs. For more information, see the following resources:
30
34
>
@@ -34,7 +38,10 @@ Tokens available outside of the Razor components in a Blazor Web App can be pass
34
38
35
39
Reading tokens from the <xref:Microsoft.AspNetCore.Http.HttpContext> using <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> is a reasonable approach for obtaining tokens during interactive server rendering. However, tokens aren't updated if the user authenticates after the circuit is established, since the <xref:Microsoft.AspNetCore.Http.HttpContext> is captured at the start of the SignalR connection. Also, the use of <xref:System.Threading.AsyncLocal%601> by <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> means that you must be careful not to lose the execution context before reading the <xref:Microsoft.AspNetCore.Http.HttpContext>.
36
40
37
-
### Blazor Web App that adopts global Interactive Server rendering
41
+
The following approach is aimed at attaching a user's access token to outgoing requests, specifically to make web API calls to separate web API apps. The approach is shown for a Blazor Web App that adopts global Interactive Server rendering, but the same general approach applies to Blazor Web Apps that adopt the global Interactive Auto render mode. The critical concern is that any attempt to access the <xref:Microsoft.AspNetCore.Http.HttpContext> using <xref:Microsoft.AspNetCore.Http.IHttpContextAccessor> is only performed during static SSR.
42
+
43
+
> [!NOTE]
44
+
> [Microsoft identity platform](/entra/identity-platform/)/[Microsoft Identity Web packages](/entra/msal/dotnet/microsoft-identity-web/) for [Microsoft Entra ID](https://www.microsoft.com/security/business/microsoft-entra) provides a simple API to call web APIs from Blazor Web Apps. For more information, see <xref:blazor/security/blazor-web-app-entra> and the `BlazorWebAppEntra` sample app in the [Blazor samples GitHub repository](https://github.com/dotnet/blazor-samples) for .NET 9 or later (`9.0` sample folder or later in the repository).
38
45
39
46
Subclass <xref:System.Net.Http.DelegatingHandler> to attach a user's access token to outgoing requests. The token handler only executes during static server-side rendering (static SSR), so using <xref:Microsoft.AspNetCore.Http.HttpContext> is safe in this scenario.
40
47
@@ -88,6 +95,10 @@ var client = ClientFactory.CreateClient("{HTTP CLIENT NAME}");
88
95
varresponse=awaitclient.SendAsync(request);
89
96
```
90
97
98
+
### Blazor Web App that adopts global Interactive Auto rendering
99
+
100
+
101
+
91
102
Additional features are planned for Blazor, which is tracked by [Access `AuthenticationStateProvider` in outgoing request middleware (`dotnet/aspnetcore`#52379)](https://github.com/dotnet/aspnetcore/issues/52379), which will probably be addressed for .NET 11 (late 2026). [Problem providing Access Token to HttpClient in Interactive Server mode (`dotnet/aspnetcore`#52390)](https://github.com/dotnet/aspnetcore/issues/52390) is a closed issue that contains helpful discussion and potential workaround strategies for advanced use cases.
0 commit comments