Implementing Role/Permission-Based Authorization in Blazor

0

I am developing a Blazor Server application that requires role and permission-based access control. My authentication uses a custom provider (not relying on HTTP Context), and I need to enforce authorization rules both on the UI (hiding components, buttons, menus) and server-side (restricting access to sensitive methods).

Since Blazor uses SignalR for client-server communication, traditional [Authorize] attributes or policies tied to HTTP Context are not viable. I want to use Roles to make the user unauthorized to reach certain pages that require a specific role, while I want to use Permissions to be tied to most components on each page. My Roles and Permissions are stored in the Db where the Permissions are tied to Roles. I would like to avoid using Policies for the Permissions.

Notes:

  • Permissions are stored in a database table and assigned to Roles, and each User can have multiple roles
  • Permissions are placed in a "context" during authentication which I can grab as long as the user is authenticated (I do not want to clutter the claims with potentially big number of permissions)
  • Permissions are named after the action that they are assigned to, for example "AddUser", "EditProduct", "ViewEmployeeGrid"

Requirements:

  • Ability to attribute the Blazor pages with something similar to the Authorize attribute such as @attribute [Authorize(Roles = "SuperAdmin, Auditor, Operator")]
  • Ability to use Permission keyword in a custom "AuthorizeView" wrapped on each component, button, etc.
<CustomAuthorizeView Permission="AddUser">
        <div class="radzen-filter">
            <RadzenStack Orientation="Orientation.Horizontal" AlignItems="AlignItems.Center" Gap="0.5rem" Style="margin-bottom: 1rem;">
                <RadzenButton Click="@CreateUser" Text="Add User" Icon="add" ButtonStyle="ButtonStyle.Primary" />
            </RadzenStack>
        </div>
    </CustomAuthorizeView>

I know that this is more of a general Blazor question rather than a Radzen one, but any help would be appreciated.

Role based security is a built-in feature of Radzen Studio, Radzen Blazor Studio and Radzen Blazor for Visual Studio. Check our documentation for reference.

1 Like