C# 4d ago
Camster

Blazor Web Assembly and Windows Authentication

According to this link, https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/?view=aspnetcore-7.0#windows-authentication, Windows Authentication is not recommended for use in Blazor Web Assembly. However, at work I have a Blazor WASM static web site that passes Windows authentication credentials to a backend web API just fine. This is implemented by using the AddHttpMessageHandler to create a client (see code below). Neither the WASM nor the API are exposed on the internet; this is all internal. Browser client simply prompts user for Windows authentication, and API authentication is satisfied.
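```csharp
// In Program.cs
// AddHttpMessageHandler<T> resolves the handler from DI, so it must be registered.
builder.Services.AddTransient<CredentialsMessageHandler>();
builder.Services.AddHttpClient<IClient, Client>()
    .AddHttpMessageHandler<CredentialsMessageHandler>();

// In CredentialsMessageHandler.cs
using Microsoft.AspNetCore.Components.WebAssembly.Http; // SetBrowserRequestCredentials

public class CredentialsMessageHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Tell the browser's fetch to send credentials, including on cross-origin requests.
        request.SetBrowserRequestCredentials(BrowserRequestCredentials.Include);
        return base.SendAsync(request, cancellationToken);
    }
}
```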
So even though this all works, is this still a security risk?
2 Replies
tavanuka 2d ago
Ideally, you would have set up anti-forgery measures and CORS policies to prevent any malicious copies from hijacking your process. If it's internal and it does not leave the LAN, then you can even make the thing http (don't!!!!!!!). If you need to use it, well, you have to. The only thing that you can do is secure the backend enough - as no matter how secure you make the client - it's still a client, residing within the user's browser, and can be modified in any shape or form.
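An added example (not code from this thread) of the backend-side CORS and anti-forgery measures the reply above refers to, for an API that receives `BrowserRequestCredentials.Include` requests. It assumes Kestrel with the `Microsoft.AspNetCore.Authentication.Negotiate` package, that only the browser client calls the API, a placeholder site origin, and hypothetical endpoints.

```csharp
// Program.cs of the backend API (added example, not the poster's code).
using Microsoft.AspNetCore.Authentication.Negotiate;

var builder = WebApplication.CreateBuilder(args);

// Assumption: origin of the Blazor WASM static site; replace with the real intranet URL.
string[] allowedOrigins = { "https://blazor.intranet.example" };

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme).AddNegotiate();
// Every endpoint requires an authenticated Windows user unless it explicitly opts out.
builder.Services.AddAuthorization(o => o.FallbackPolicy = o.DefaultPolicy);
builder.Services.AddCors(o => o.AddDefaultPolicy(policy => policy
    .WithOrigins(allowedOrigins)  // explicit list: a wildcard origin is not allowed with credentials
    .AllowCredentials()           // required because the client sends credentials cross-origin
    .WithMethods("GET", "POST", "PUT", "DELETE")
    .WithHeaders("Content-Type")));

var app = builder.Build();
app.UseHttpsRedirection();

// CORS only decides which origins may read responses. The browser attaches Windows
// credentials automatically, so state-changing requests are also checked against the
// Origin header (a cross-site request forgery defence).
// Assumption: no non-browser callers, which would send no Origin header and be rejected.
app.Use(async (context, next) =>
{
    var method = context.Request.Method;
    bool safe = HttpMethods.IsGet(method) || HttpMethods.IsHead(method) || HttpMethods.IsOptions(method);
    if (!safe)
    {
        string? origin = context.Request.Headers.Origin;
        if (origin is null || !allowedOrigins.Contains(origin, StringComparer.OrdinalIgnoreCase))
        {
            context.Response.StatusCode = StatusCodes.Status403Forbidden;
            return;
        }
    }
    await next(context);
});

app.UseCors();            // before authentication so preflight requests are answered
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoints for illustration.
app.MapGet("/whoami", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous");
app.MapPost("/orders", () => Results.Ok());

app.Run();
```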
Camster (OP) 20h ago
Thank you! The API is fully secured, I just wanted to make sure Blazor WASM is fine to use on top of that.
