Indiko.Hosting.BlazorServer 2.1.0

Indiko.Hosting.BlazorServer

Blazor Server application hosting implementation for building interactive web applications with the Indiko framework.

Overview

This package provides a complete hosting solution for Blazor Server applications, including OpenID Connect authentication, security headers, CORS configuration, and seamless integration with Indiko Blocks.

Features

• Blazor Server Hosting: Full Blazor Server support with SignalR hubs
• OpenID Connect Authentication: Built-in OIDC/OAuth2 authentication support
• Security Headers: CSP and other security headers for enhanced protection
• Cookie Authentication: Secure cookie-based session management
• Authorization Policies: Configurable authorization for pages and components
• PKCE Support: Proof Key for Code Exchange for enhanced security
• Static File Serving: wwwroot static file support
• HTTPS Support: Optional HTTPS redirection and HSTS
• Forwarded Headers: Support for reverse proxy scenarios
• Razor Pages: Full Razor Pages support alongside Blazor components

Installation

dotnet add package Indiko.Hosting.BlazorServer

Quick Start

Minimal Setup

using Indiko.Hosting.BlazorServer;

// Create your startup class
public class Startup : BlazorServerStartup
{
    public Startup(IConfiguration configuration, IWebHostEnvironment environment)
        : base(configuration, environment)
    {
    }

    protected override bool AddControllersWithViews => false;
    protected override bool EnableForwardedHeaderOptions => false;
    protected override bool ForceHttps => true;
    protected override bool AddSecurityHeaderSupport => true;
    protected override bool AddOpenIdConfiguration => true; // Enable auth
    protected override bool AddAuthentication => true;

    public override void ConfigureServices(IServiceCollection services)
    {
        base.ConfigureServices(services);
        
        // Add your services
        services.AddScoped<IMyService, MyService>();
    }
}

// Program.cs
class Program
{
    static async Task<int> Main(string[] args)
    {
        return await BlazorServerHostBootstrapper.Instance.RunAsync<Startup>(args);
    }
}

Configuration (appsettings.json)

{
  "OpenIDConnectSettings": {
    "Authority": "https://your-identity-server.com",
    "ClientId": "blazor-app",
    "ClientSecret": "your-client-secret"
  }
}

Key Components

BlazorServerHostBootstrapper

Singleton bootstrapper for Blazor Server applications.

await BlazorServerHostBootstrapper.Instance.RunAsync<Startup>(args);

BlazorServerStartup

Abstract base class with configurable Blazor Server features.

public class MyStartup : BlazorServerStartup
{
    protected override bool AddAuthentication => true;
    protected override bool AddOpenIdConfiguration => true;
    protected override bool AddSecurityHeaderSupport => true;
    protected override bool ForceHttps => true;
}

OpenIDConnectSettings

Configuration model for OpenID Connect authentication.

public class OpenIDConnectSettings
{
    public string Authority { get; set; }
    public string ClientId { get; set; }
    public string ClientSecret { get; set; }
}

Authentication & Authorization

OpenID Connect Setup

Enable authentication in your startup:

protected override bool AddAuthentication => true;
protected override bool AddOpenIdConfiguration => true;

Configure in appsettings.json:

{
  "OpenIDConnectSettings": {
    "Authority": "https://identity.example.com",
    "ClientId": "my-blazor-app",
    "ClientSecret": "secret",
    "Scopes": ["openid", "profile", "email"]
  }
}

Authorization in Components

@page "/"
@attribute [Authorize]

<h1>Hello, @context.User.Identity.Name!</h1>

<AuthorizeView>
    <Authorized>
        <p>You are logged in as @context.User.Identity.Name</p>
    </Authorized>
    <NotAuthorized>
        <p>You need to log in.</p>
    </NotAuthorized>
</AuthorizeView>

Require Authentication Globally

When authentication is enabled, all Razor Pages require authentication by default:

// This is configured automatically when AddAuthentication = true
services.AddRazorPages().AddMvcOptions(options =>
{
    var policy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
    options.Filters.Add(new AuthorizeFilter(policy));
});

Security Headers

Enable security headers for enhanced protection:

protected override bool AddSecurityHeaderSupport => true;

This configures:

• Content Security Policy (CSP)
• X-Frame-Options
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy

Headers are automatically adjusted based on:

• Environment (Development vs Production)
• OpenID Connect Authority (for CSP)

Features in Detail

Blazor Components

@page "/counter"

<h1>Counter</h1>

<p>Current count: @currentCount</p>

<button class="btn btn-primary" @onclick="IncrementCount">Click me</button>

@code {
    private int currentCount = 0;

    private void IncrementCount()
    {
        currentCount++;
    }
}

Service Injection

@inject IMyService MyService

<h1>@MyService.GetMessage()</h1>

SignalR Hub Configuration

Blazor Server uses SignalR. The hub is automatically configured:

// When authentication is enabled
endpoints.MapBlazorHub().RequireAuthorization();

// Without authentication
endpoints.MapBlazorHub();

Cookie Authentication

When OpenID Connect is enabled, cookie authentication is configured automatically:

options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;

Token Management

Tokens are automatically saved and can be accessed:

@inject IHttpContextAccessor HttpContextAccessor

@code {
    private async Task<string> GetAccessToken()
    {
        var context = HttpContextAccessor.HttpContext;
        return await context.GetTokenAsync("access_token");
    }
}

Project Structure

MyBlazorApp/
??? Pages/
?   ??? _Host.cshtml
?   ??? Index.razor
?   ??? Counter.razor
??? Shared/
?   ??? MainLayout.razor
?   ??? NavMenu.razor
??? wwwroot/
?   ??? css/
?   ??? js/
??? appsettings.json
??? Program.cs

CORS Configuration

Development Environment:

• Allows any origin, method, and header (permissive for testing)

Production Environment:

• CORS is not configured by default
• Add custom CORS configuration if needed

Environment-Specific Behavior

Development

• Developer exception page with detailed errors
• Permissive CORS
• Security headers (if enabled)
• Forwarded headers (if enabled)

Production

• HSTS enabled
• HTTPS redirection (if enabled)
• Security headers (if enabled)
• Forwarded headers (if enabled)

Advanced Configuration

Custom Authorization Policies

public override void ConfigureServices(IServiceCollection services)
{
    base.ConfigureServices(services);
    
    services.AddAuthorization(options =>
    {
        options.AddPolicy("AdminOnly", policy =>
            policy.RequireClaim("role", "admin"));
    });
}

Custom Security Headers

Override or extend security headers:

protected override bool AddSecurityHeaderSupport => true;

// Security headers are configured via SecurityHeadersDefinitions
// which integrates with NetEscapades.AspNetCore.SecurityHeaders

Target Framework

• .NET 10

Dependencies

• Indiko.Hosting.Abstractions
• Indiko.Blocks.Common.Abstractions
• Indiko.Blocks.Common.Management
• Microsoft.AspNetCore.App
• Microsoft.AspNetCore.Authentication.OpenIdConnect
• NetEscapades.AspNetCore.SecurityHeaders

License

See LICENSE file in the repository root.

Related Packages

• Indiko.Hosting.Abstractions - Core hosting abstractions
• Indiko.Hosting.Web - Web API hosting
• Indiko.Hosting.Mvc - MVC hosting
• Indiko.Blocks.Security.Authentication.ASPNetCore - Additional authentication features
• Indiko.Blocks.Security.AuthenticationProvider.Blazor - Blazor authentication providers