From 356eba4a07f2a63d4ff452dcc329f4ed02c6fefe Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Tue, 6 Jun 2023 17:06:44 -0400 Subject: [PATCH 1/4] Provide example of recommendation --- aspnetcore/blazor/security/server/index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 67a34605031a..109aa049a7d8 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -534,7 +534,11 @@ For more information, see the guidance on to support prerendering, disable prerendering, maintain the current behavior, or authenticate the user on the server before the app starts. +To avoid showing unauthorized content during prerendering, implement to support prerendering, disable prerendering, or authenticate the user on the server before the app starts. + +For an example implementation of , see the Blazor framework's implementation in [`ServerAuthenticationStateProvider.cs` (reference source)](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/ServerAuthenticationStateProvider.cs). + +[!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] ## User state management From 68dfd9784bbc8c8a9ddb7addd1fb429b93eb8f3a Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Tue, 6 Jun 2023 17:25:27 -0400 Subject: [PATCH 2/4] Updates --- aspnetcore/blazor/security/server/index.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 109aa049a7d8..ac869f56b3fa 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md 
@@ -534,11 +534,19 @@ For more information, see the guidance on to support prerendering, disable prerendering, or authenticate the user on the server before the app starts. +To avoid showing unauthorized content during prerendering, adopt ***one*** of the following approaches: -For an example implementation of , see the Blazor framework's implementation in [`ServerAuthenticationStateProvider.cs` (reference source)](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/ServerAuthenticationStateProvider.cs). +* Implement to support prerendering: For an example implementation of , see the Blazor framework's implementation in [`ServerAuthenticationStateProvider.cs` (reference source)](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/ServerAuthenticationStateProvider.cs). -[!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] + [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] + +* Disable prerendering: Open the `Pages/_Host.cshtml` file and change the `render-mode` attribute of the [Component Tag Helper](xref:mvc/views/tag-helpers/builtin-th/component-tag-helper) to : + + ```cshtml + + ``` + +* Authenticate the user on the server before the app starts: To adopt this approach, the app must respond to a user's initial request with the Identity-based sign-in page or view and prevent any requests to Blazor endpoints until they're authenticated. For more information, see . After authentication, unauthorized content in Razor components is only shown when the user is truly unauthorized to view the content. ## User state management From 67da1563cee1bea7930f000afdcec9669efba63a Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Wed, 7 Jun 2023 08:25:18 -0400 Subject: [PATCH 3/4] Updates --- aspnetcore/blazor/security/server/index.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) 
diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index ac869f56b3fa..6ff4da018ef9 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -532,11 +532,11 @@ In the following `InjectAuthStateProvider` component: For more information, see the guidance on in . -## Unauthorized content display during prerendering +## Unauthorized content display while prerendering with a custom `AuthenticationStateProvider` -To avoid showing unauthorized content during prerendering, adopt ***one*** of the following approaches: +To avoid showing unauthorized content while prerendering with a [custom `AuthenticationStateProvider`](#implement-a-custom-authenticationstateprovider), adopt ***one*** of the following approaches: -* Implement to support prerendering: For an example implementation of , see the Blazor framework's implementation in [`ServerAuthenticationStateProvider.cs` (reference source)](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/ServerAuthenticationStateProvider.cs). +* Implement for the custom to support prerendering: For an example implementation of , see the Blazor framework's implementation in [`ServerAuthenticationStateProvider.cs` (reference source)](https://github.com/dotnet/aspnetcore/blob/main/src/Components/Server/src/Circuits/ServerAuthenticationStateProvider.cs). [!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] 
@@ -546,7 +546,7 @@ To avoid showing unauthorized content during prerendering, adopt ***one*** of th ``` -* Authenticate the user on the server before the app starts: To adopt this approach, the app must respond to a user's initial request with the Identity-based sign-in page or view and prevent any requests to Blazor endpoints until they're authenticated. For more information, see . After authentication, unauthorized content in Razor components is only shown when the user is truly unauthorized to view the content. +* Authenticate the user on the server before the app starts: To adopt this approach, the app must respond to a user's initial request with the Identity-based sign-in page or view and prevent any requests to Blazor endpoints until they're authenticated. For more information, see . After authentication, unauthorized content prerendered Razor components is only shown when the user is truly unauthorized to view the content. ## User state management From 7111dd777579900c7f972d702d950e6de59271b0 Mon Sep 17 00:00:00 2001 From: Luke Latham <1622880+guardrex@users.noreply.github.com> Date: Wed, 7 Jun 2023 11:41:48 -0400 Subject: [PATCH 4/4] Update index.md --- aspnetcore/blazor/security/server/index.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/aspnetcore/blazor/security/server/index.md b/aspnetcore/blazor/security/server/index.md index 6ff4da018ef9..dfe1090f525b 100644 --- a/aspnetcore/blazor/security/server/index.md +++ b/aspnetcore/blazor/security/server/index.md @@ -532,6 +532,8 @@ In the following `InjectAuthStateProvider` component: For more information, see the guidance on in . + ## User state management
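Review bot: In PATCH 1/4 (hunk `@@ -534,7 +534,11 @@`), the added link to `ServerAuthenticationStateProvider.cs` targets `blob/main`, so the implementation a reader lands on can drift from the framework release the article describes. Since this file is offered as the model for a security-relevant provider, either link to a release tag or state next to the link that the reader should select the tag matching their version, rather than relying only on the `[!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)]` line that follows two lines later.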
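Review bot: In PATCH 2/4 (hunk `@@ -534,11 +534,19 @@`), the "Disable prerendering" bullet as shown ends with "to :" and the `cshtml` fence under it contains only an empty added line, so the reader is never told which `render-mode` value to set in `Pages/_Host.cshtml`. Put the full Component Tag Helper line with the intended value inside the fence. In the same hunk, the "Authenticate the user on the server before the app starts" bullet says the app must "prevent any requests to Blazor endpoints until they're authenticated" but names no mechanism that enforces it, and the "For more information, see ." sentence shows no target; a reader needs one or the other to apply this option correctly.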
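Review bot: In PATCH 3/4 (hunk `@@ -532,11 +532,11 @@`), renaming the heading from "Unauthorized content display during prerendering" to the longer title changes the section's generated anchor, so any existing link to the old fragment will stop resolving. This file already relies on fragment links (the new text adds `#implement-a-custom-authenticationstateprovider`), so search the docs for references to the old anchor and update them in this series, or keep the original heading text and scope the section to custom providers in its first sentence.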
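Review bot: In PATCH 3/4 (hunk `@@ -546,7 +546,7 @@`), the last sentence of the rewritten bullet lost a preposition: "unauthorized content prerendered Razor components is only shown" does not parse. The removed line read "unauthorized content in Razor components"; the replacement should read "unauthorized content in prerendered Razor components is only shown when the user is truly unauthorized to view the content."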