Security is a layered concern in Blazor Server applications. The framework provides multiple protection mechanisms that must be configured correctly.
Layer 1: ASP.NET Core Identity
Identity provides user management, password hashing, role management, and cookie-based authentication. For Blazor Server, the default cookie authentication is sufficient for internal page access.
Layer 2: JWT for API Endpoints
When your Blazor app also exposes a REST API, cookies aren't appropriate. JWT bearer tokens provide stateless authentication. Indotalent products configure both authentication schemes simultaneously: cookies for Razor components, JWT for Minimal API endpoints.
Layer 3: Policy-Based Authorization
Role-based authorization works for simple cases, but policy-based authorization provides finer control. Define policies like "CanApproveOrders" or "CanViewFinancialReports" and apply them declaratively.
Layer 4: Secure SignalR
SignalR hubs handle real-time UI updates. Ensure hubs are protected with the [Authorize] attribute. Never transmit sensitive data through hub methods without encryption.
Key Takeaways
- Identity + JWT dual authentication for Razor components and API endpoints
- Policy-based authorization for fine-grained access control
- SignalR hubs must be protected with [Authorize]
- All Indotalent products come with pre-configured security layers