I am developing a Blazor Server application that requires role and permission-based access control. My authentication uses a custom provider (not relying on HttpContext), and I need to enforce authorization rules both on the UI (hiding components, buttons, menus) and server-side (restricting access to sensitive methods).
Since Blazor uses SignalR for client-server communication, traditional [Authorize] attributes or policies tied to HttpContext are not viable. I want to use roles to make the user unauthorized to reach certain pages that require a specific role, while I want to use permissions to be tied to most components on each page. My roles and permissions are stored in the database where the permissions are tied to roles. I would like to avoid using policies for the permissions.
Notes:
- Permissions are stored in a database table and assigned to roles, and each user can have multiple roles
- Permissions are placed in a "context" during authentication which I can grab as long as the user is authenticated (I do not want to clutter the claims with potentially big number of permissions)
- Permissions are named after the action that they are assigned to, for example
AddUser,EditProduct,ViewEmployeeGrid
Requirements:
- Ability to attribute the Blazor pages with something similar to the Authorize attribute such as
@attribute [Authorize(Roles = "SuperAdmin, Auditor, Operator")] - Ability to use Permission keyword in a custom
AuthorizeViewwrapped on each component, button, etc.
<CustomAuthorizeView Permission="AddUser"><div class="radzen-filter"><RadzenStack Orientation="Orientation.Horizontal" AlignItems="AlignItems.Center" Gap="0.5rem" Style="margin-bottom: 1rem;"><RadzenButton Click="@CreateUser" Text="Add User" Icon="add" ButtonStyle="ButtonStyle.Primary" /></RadzenStack></div></CustomAuthorizeView>This is my example solution, but I can't seem to get it to work, any ideas are welcome - thank you.