How to force all Blazor pages to be authorized witouth defining Authorize attribute on each page?

[474D]

Hi, is there any way to force all blazor pages to be authorized witouth defining Authorize attribute on each page?

Edit: I'm not talking about Server (API) side. The main goal is to avoid defining Authorize attribute on each razor component containing @page.

Currently, the only solution I found was to import @Attribute [Authorize] into _Imports.razor file, but i'm not sure if that does not break any of the functionality.

[davidfowl]

cc @pranavkm @Tratcher @HaoK

[HaoK]

FallbackPolicy should do the trick... https://scottsauber.com/2020/01/20/globally-require-authenticated-users-by-default-using-fallback-policies-in-asp-net-core/

[HaoK]

@guardrex @Rick-Anderson we should probably try to leverage this article and add it to https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-3.1 maybe?

[guardrex]

I'll take care of it in the Blazor auth doc (after testing to confirm working). I think we have an open issue to address it.

[Rick-Anderson]

@HaoK I have it in Require authenticated users
Set the default authentication policy to require users to be authenticated:

public void ConfigureServices(IServiceCollection services)
{

    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(
            Configuration.GetConnectionString("DefaultConnection")));
    services.AddDefaultIdentity<IdentityUser>(
        options => options.SignIn.RequireConfirmedAccount = true)
        .AddRoles<IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>();

    services.AddRazorPages();

    services.AddControllers(config =>
    {
        // using Microsoft.AspNetCore.Mvc.Authorization;
        // using Microsoft.AspNetCore.Authorization;
        var policy = new AuthorizationPolicyBuilder()
                         .RequireAuthenticatedUser()
                         .Build();
        config.Filters.Add(new AuthorizeFilter(policy));
    });

But I'll plaster links to that around.

[HaoK]

Yeah that's MVC, FallbackPolicy is the mechanism for endpoint routing

[474D]

I have updated description to be more proper, solution provided is only for Server side, not Client side, so its still kinda unanswered.

[Rick-Anderson]

@HaoK I'll update my sample to use FallbackPolicy then point to that. Will that work?

[474D]

I'm talking about razor components containing @page.
For Server (API) side I do use services.AddMvc(o => o.Filters.Add(new AuthorizeFilter())) which works perfectly.
But what about client side?

[guardrex]

In that case @Naxaliav, this is a duplicate (only for Blazor) of dotnet/AspNetCore.Docs#18181.

Since @Rick-Anderson is addressing this for the broad subject in the general docs, I'll continue with the Blazor issue for Blazor docs when I get to it. Feel free to continue the discussion here because these issues are cross-linked now. Whatever discussion happens here that pertains to the Blazor WASM scenario, I'll see it later.

[javiercn]

I filed an issue for this #23157 since it is not trivial to do for wasm given that we don't support allowanonymous

[Rick-Anderson]

Since @Rick-Anderson is addressing this for the broad subject in the general docs,

In dotnet/AspNetCore.Docs#18825