Security in Blazor with Azure AD B2C

Azure AD B2C is a service within the vast and complex world of Azure that can prove extremely useful for quickly securing a web application developed in Blazor.

In this series of articles we will see how to implement this integration.

A reference standard

In the world of web system security, the OAuth 2 (Open Authorization protocol) and OpenID standards have been in place for several years.

The working principle of OAuth 2 is relatively simple:

  1. the application requests an access permission from an access service provider
  2. the application receives a token that guarantees the validity of the credentials provided by the user
  3. the application accesses the authorized resources through the permissions provided by the token

The complexity lies in ensuring the high security standards associated with each individual step.
For this reason, several specific software libraries (SDKs) have been created over time.
These libraries allow programmers to develop programs that are compatible and certifiable with these processes.
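As an added illustration (not code from the original article or from any SDK), the example below plays steps 2 and 3 with a locally generated RSA key standing in for the provider, and shows the checks an API makes before trusting a token: pinned algorithm, signature, issuer, audience, expiry and scope. The issuer URL, audience, scope names and the helper names `Issue`, `Validate` and `Check` are assumptions made for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed keys and values; a real API uses the provider's published signing key.
using RSA provider = RSA.Create(2048);
using RSA other = RSA.Create(2048);
const string Issuer = "https://idp.example.test/", Audience = "orders-api";
long now = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
bool Check(string t, string scope) => Validate(t, provider, Issuer, Audience, scope);
Console.WriteLine(Check(Issue(provider, Issuer, Audience, "orders.read", now + 300), "orders.read"));  // valid token, granted scope
Console.WriteLine(Check(Issue(provider, Issuer, Audience, "orders.read", now + 300), "orders.write")); // scope not in the token
Console.WriteLine(Check(Issue(provider, Issuer, Audience, "orders.read", now - 1), "orders.read"));    // expired token
Console.WriteLine(Check(Issue(other, Issuer, Audience, "orders.read", now + 300), "orders.read"));     // signed by a different key

static string Enc(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
static byte[] Dec(string s) => Convert.FromBase64String(
    s.Replace('-', '+').Replace('_', '/') + new string('=', (4 - s.Length % 4) % 4));

// Step 2, provider side (stand-in): sign the claims with the provider's private key.
static string Issue(RSA key, string iss, string aud, string scp, long exp)
{
    string head = Enc(Encoding.UTF8.GetBytes("{\"alg\":\"RS256\",\"typ\":\"JWT\"}"));
    string body = Enc(JsonSerializer.SerializeToUtf8Bytes(new { iss, aud, scp, exp }));
    byte[] sig = key.SignData(Encoding.ASCII.GetBytes(head + "." + body),
        HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    return head + "." + body + "." + Enc(sig);
}

// Step 3, API side: honor the token only if every check passes.
static bool Validate(string token, RSA providerKey, string iss, string aud, string scope)
{
    try
    {
        string[] p = token.Split('.');
        if (p.Length != 3) return false;
        var h = JsonSerializer.Deserialize<JsonElement>(Dec(p[0]));
        if (h.GetProperty("alg").GetString() != "RS256") return false; // pin the algorithm
        if (!providerKey.VerifyData(Encoding.ASCII.GetBytes(p[0] + "." + p[1]), Dec(p[2]),
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)) return false;
        JsonElement c = JsonSerializer.Deserialize<JsonElement>(Dec(p[1]));
        return c.GetProperty("iss").GetString() == iss
            && c.GetProperty("aud").GetString() == aud
            && c.GetProperty("exp").GetInt64() > DateTimeOffset.UtcNow.ToUnixTimeSeconds()
            && Array.IndexOf(c.GetProperty("scp").GetString().Split(' '), scope) >= 0;
    }
    catch (Exception) { return false; } // malformed token or missing claim
}
```

Only the first call is accepted; the other three fail on scope, expiry and signature respectively.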

To provide unified access to multiple services through a single provider, the concept of federation was born.
OpenID was born precisely from this need: to federate access to multiple services through a single provider chosen by the user.

The road defined by .NET

Managing access to restricted areas of an application or website remains one of the most requested activities.
Blazor, through the templates integrated in .NET, allows the creation of applications with authentication.
These applications include the user database and the related pages for login, registration of new users, password recovery and so on.

The template that offers greater security guarantees is the one based on the integration with Identity Server 4 (https://duendesoftware.com/products/identityserver).
Identity Server 4 (ID4 as it is often shortened) meets the security requirements of OAuth 2 and OpenID standards.

Getting into the details of these security protocols is not easy.
Often the very good basic template is used without any adjustments.
The basic template creates an ID4 server and an MVC application to provide login, reset, registration, etc. pages.

Complexity, security and costs

One of the issues that arises, in my opinion, is the real ability of many developers to get into the technical merits of authentication and authorization protocols.
Personally, after years of work and study, I sometimes still need to review some concepts.

Complexity is a non-negligible aspect, because sometimes it tends to bring a “lowering” of defenses in the face of the need to achieve a goal.

Moreover, in a few months (November 2021), ID4 will no longer be a “free” project: it will remain open source, but licensed for a fee (see https://duendesoftware.com/products/identityserver#pricing).
If its use within a project is large enough, the cost will rise to tens of thousands of euros per year very quickly.

What alternatives exist?
Certainly OpenIddict (https://github.com/openiddict) is one of them, and it is included in the list of projects mentioned by Microsoft itself (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/community?view=aspnetcore-5.0).

However, implementing a project of medium complexity with OpenIddict is not simple, and the documentation is quite scarce.

Alternatives

A quick, effective and enterprise-ready alternative can be found at Microsoft, in the Azure Active Directory world.
In particular, the Azure AD B2C service (https://docs.microsoft.com/en-us/azure/active-directory-b2c/) offers an excellent basis for developing SPAs (Single Page Applications), i.e. the web applications that currently everyone tends to develop.

Azure AD B2C offers complete protection for both the front end and the back end, the latter typically implemented as a REST API.

Cloud and expandability

Thanks to an extremely permissive policy on the part of Microsoft, it is possible to use Azure AD B2C free of charge up to 50 thousand accesses per month (https://azure.microsoft.com/it-it/pricing/details/active-directory/external-identities/#pricing).
To date, no other enterprise platform on the market offers the same level of integration, security and elasticity in the .NET environment.

With Azure AD B2C it is possible to develop Blazor Client (WASM), Server or hybrid applications, as well as integrate Desktop or Mobile applications. Everything remains at a low to medium level of complexity thanks to the excellent integration work done by Microsoft.

The availability of a fully cloud-based service is far higher than what an on-premises service could offer.
Moreover, scalability is natively guaranteed and exploitable simply by using the Azure portal control panel.

In the next few articles, I will address the development methods offered by Azure AD B2C within a Blazor project.
