According to this link, https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-7.0#windows-authentication, Windows Authentication is not recommended for use in Blazor WebAssembly. However, at work I have a Blazor WASM static web site that passes Windows authentication credentials to a backend web API just fine. This is implemented by using AddHttpMessageHandler to create a client (see code below). Neither the WASM nor the API are exposed on the internet; this is all internal. The browser client simply prompts the user for Windows authentication, and API authentication is satisfied.
```csharp
// In Program.cs
builder.Services.AddHttpClient<IClient, Client>()
    .AddHttpMessageHandler<CredentialsMessageHandler>();

// In CredentialsMessageHandler.cs
using Microsoft.AspNetCore.Components.WebAssembly.Http;

public class CredentialsMessageHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Ask the browser to attach its credentials to this request
        request.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
        return base.SendAsync(request, cancellationToken);
    }
}
```
So even though this all works, is this still a security risk?
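Added example, not part of the original post: `BrowserRequestCredentials.Include` makes the browser attach the user's credentials even on cross-origin calls, so the API side decides which origins may make credentialed requests. The sketch below assumes the API is ASP.NET Core using the Negotiate handler (the `Microsoft.AspNetCore.Authentication.Negotiate` package); the origin, policy name and `/whoami` endpoint are hypothetical.

```csharp
// Program.cs of the backend API (added example; names below are assumptions)
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical origin of the internal Blazor WASM site.
const string WasmOrigin = "https://wasm.intranet.example";
const string PolicyName = "WasmClient";

// Windows Authentication (Kerberos/NTLM) via the Negotiate handler.
builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate();

builder.Services.AddAuthorization(options =>
{
    // Endpoints without an explicit policy still require an authenticated user.
    options.FallbackPolicy = options.DefaultPolicy;
});

builder.Services.AddCors(options =>
{
    options.AddPolicy(PolicyName, policy => policy
        // Exact origin only. Browsers reject a wildcard origin on credentialed
        // requests, and the CORS service throws if AllowAnyOrigin() is combined
        // with AllowCredentials().
        .WithOrigins(WasmOrigin)
        // Emits Access-Control-Allow-Credentials: true for that origin.
        .AllowCredentials()
        // Keep the allowed surface to what the client actually uses.
        .WithMethods("GET", "POST")
        .WithHeaders("Content-Type"));
});

var app = builder.Build();

// CORS runs before authentication so preflight (OPTIONS) requests,
// which carry no credentials, are answered by the CORS middleware.
app.UseCors(PolicyName);
app.UseAuthentication();
app.UseAuthorization();

// Returns the Windows identity the API authenticated for this request.
app.MapGet("/whoami", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous");

app.Run();
```

A response to the WASM client should then carry `Access-Control-Allow-Origin` set to that one origin together with `Access-Control-Allow-Credentials: true`; a request from any other origin gets neither header, so the browser blocks the calling page from reading the response.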