
Template for Blazor WASM not Hosted #29

Open
Gareth064 opened this issue Jul 25, 2022 · 6 comments

@Gareth064

Hi @damienbod
Have you ever done this, or got it on the list of things to try for the future?
My app architecture is ASPNET BFF Server, and a standalone Blazor WASM app.
I have been trying to hack this template so it isn't intertwined with the WASM Hosted approach, but I am struggling with it.

@hugh-maaskant

hugh-maaskant commented Jul 26, 2022

Hi @Gareth064,
As far as I understand it, the BFF solution only works because the Blazor WASM client app is hosted on the same domain as the BFF Server. But I am not a security expert, as may be seen from my own issue on this repo :-), which I have not been able to resolve yet, unfortunately.

It would be great to have a non-hosted solution, as then the Blazor app could e.g. be distributed through a content delivery network. So I'll keep an eye out for any responses.

Cheers, Hugh

@Gareth064 (Author)

When we say the same site, if my WASM app is www.app.mysite.com and my API were www.mysite.com, would that not qualify as same site?

@hugh-maaskant

Yes, I think it would: see https://web.dev/same-site-same-origin/

@damienbod (Owner)

damienbod commented Jul 29, 2022

If you use a standalone Blazor WASM app, then you would require two auth flows for the apps, one for the WASM and one for the API. A public client OpenID Connect code flow with PKCE is then used for the SPA part, and the API is protected using OAuth with either access tokens or reference tokens and introspection.

By hosting the WASM in the backend, only a single auth flow is required and the security is moved to the trusted backend.

Greetings Damien

@Gareth064 (Author)

Hi Damien

I'm a little confused about needing two auth flows if you have a standalone client (by the way, this is what I have now and want to move away from). From everything I have been reading and watching regarding BFF, one of the biggest advantages is that the auth always and only happens on the server.

Is having to use Blazor WASM Hosted to achieve this a limitation of Blazor WASM itself?

When it comes to the JS based client-side apps that use BFF, do those JS apps have to be hosted from the same Backend Server where the auth is happening as well?

@damienbod (Owner)

With BFF, when you host the UI part on the same domain, then you can do the auth on the server with a confidential client. Any JS apps hosted on different domains cannot use BFF with cookie protection and server auth.
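The single-flow arrangement described in this thread, as an added example (not the template code from this repository): the ASP.NET Core host runs the OpenID Connect code flow as a confidential client, serves the Blazor WASM files itself, and hands the browser only a same-site cookie, so the WASM client never sees a token. The authority, client id and the `Oidc:ClientSecret` configuration key are placeholders assumed for the example.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(options =>
{
    // Browser sessions are cookie based; a missing session triggers the OIDC challenge.
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    // __Host- prefix: Secure, Path=/, no Domain attribute. SameSite=Strict means the
    // cookie is only sent from pages on this site, which is why the WASM UI must be
    // served from the same site as the BFF.
    options.Cookie.Name = "__Host-bff";
    options.Cookie.SameSite = SameSiteMode.Strict;
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
})
.AddOpenIdConnect(options =>
{
    options.Authority = "https://idp.example.com";      // placeholder identity provider
    options.ClientId = "bff-client";                     // placeholder client id
    options.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // confidential client
    options.ResponseType = "code";
    options.UsePkce = true;
    options.Scope.Add("openid");
    options.Scope.Add("profile");
    options.SaveTokens = true;                           // tokens stay server side
    options.GetClaimsFromUserInfoEndpoint = true;
});

// State-changing API calls must carry the antiforgery header as well as the cookie.
builder.Services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseBlazorFrameworkFiles();   // serve the WASM client from this same host
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/bff/login", () => Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }));
app.MapGet("/api/profile", (HttpContext ctx) => Results.Ok(new { name = ctx.User.Identity?.Name }))
   .RequireAuthorization();
app.MapFallbackToFile("index.html");
app.Run();
```

A standalone WASM app on another site would not receive this cookie on its fetch calls, so it would need its own public-client flow and the API would have to accept bearer tokens instead.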
