Issue with conflicting authorization behavior for client-side components and server-side component routes

[marinasundstrom]

Here is a description of a problem that I recently bumped into, but found a workaround for:

I have a Blazor app that is roughly equivalent to the old hosted app template - with Client and Server projects. I have set the RenderMode to InteractiveWebAssembly, which would make the frontend WebAssembly. Good, so far.

The problem was shown when I recently added authentication. Everything was working fine when browsing on the client-side, but doing hard refreshes on pages with @attribute [Authorize] yielded exceptions. I won't go into all of those.

Finally, when setting up auth on server side, I got401 Unauthorized. Meaning that the components routes themselves have auth by default.

I figured out that in order to bypass this auth issue I had set the routes as allowing anonymous.

app.MapRazorComponents<App>()
    .AddAdditionalAssemblies(typeof(YourBrand.Client.Pages.Counter).Assembly)
    .AddInteractiveWebAssemblyRenderMode()
    .AddInteractiveServerRenderMode()
    .AllowAnonymous();

This auth will still kick in on the client side.

When understanding how it works, this is logical: There are component routes being registered on the server and they will get auth.

But is this really a great developer experience? No. It is not. Developers have to throw away all their previous assumptions from previous hosted model.

Especially when you have an all-clienside experience.

[wasabii]

I stumbled onto this today. Same problem. I agree, not great. The server-side behavior is unexpected.