Auth0 blazor auth and API client in one project

[chrissmithptml]

Hey there,

I have a Blazor server app which requires standard web application authentication (so user logs in, can use the app, etc.), but on top of this, my Blazor server app also houses a number of API controllers which my blazor server code calls via HttpClients to perform app operations. Clearly, I'd like to secure both the blazor server app AND the API endpoints housed in the same solution. So when the user is authenticated with the web app, I can also then ensure that as they perform actions on the screens, an access token is made available to my http client which allows my blazor server code to call the secured internally-hosted API endpoints.

I was unclear from the docs / samples if this is possible using this library. I have tried using the stock standard Auth0 .NET tools to do so, but so far no luck.

If this is possible, can you give me some sense of how this is done. I'm happy to have a play with the samples to try and work it out, but any advice or details you can provide would be great.

Cheers

[Hawxy]

Although you could do this in theory, I would argue this is an architectural problem rather than an implementation issue. If the API and SSR blazor are in the same project, then you should just be doing direct function calls or abstracting via mediator (if you need direct access as well as exposing an API) rather than wasting CPU cycles deserializing/serializing a payload and losing the net benefit of a server-side framework.

[chrissmithptml]

Hmm,

That didn't answer my question.

There are valid reasons behind why we need the Blazor server app calling these APIs as actual API endpoints rather than implementing any of the patterns you've described.

I will carry on looking for answers elsewhere.

Cheers.

[Hawxy]

I don't appreciate your attitude, this is github discussions, where you can engage in a discussion that can span further than an instantly gratified reply. I've encountered beginners in the past that will absolutely start building API controllers for a server-side framework just because they don't know any better. Given I have no idea of your background, skill level or experience, I always like to discuss the architecture of the solution before giving someone a potential footgun that will create further support work for myself in the future.

The answer to your question is to use authorization code grant flow which will allow you to request an access token to use with downstream APIs: https://github.com/auth0/auth0-aspnetcore-authentication/blob/main/EXAMPLES.md#calling-an-api