
About network security


William Fisher, 24-Jul-2020

Let's talk a little about protection of Blazor WebAssembly applications and its implementation based on Open ID Connect (OIDC).

The protection of Blazor WebAssembly applications is similar to that of single-page applications (SPA). There are several approaches to user authentication in single-page applications, but the most common and complex is using an implementation based on the OAuth 2.0 protocol, such as Open ID Connect (OIDC).

Authentication library


Blazor WebAssembly supports authenticating and authorizing applications using OIDC via the Microsoft.AspNetCore.Components.WebAssembly.Authentication library. The library provides a set of primitives for authenticating seamlessly against ASP.NET Core backends. It integrates ASP.NET Core Identity with support for server-based API authorization. The library can also authenticate against any third-party Identity Provider (IP) that supports OIDC; such providers are called OpenID Providers (OP).

Authentication support in Blazor WebAssembly is built on top of the oidc-client.js library, which handles the details of the underlying authentication protocol.

Other single-page application authentication options are also available, such as SameSite cookies. However, the engineering design of Blazor WebAssembly settled on OAuth and OIDC as the best option for authentication in Blazor WebAssembly applications. For security and functional reasons, token-based authentication with JSON Web Tokens (JWT) was chosen over cookie-based authentication.

Using a token-based protocol reduces the attack surface, because tokens are not sent with every request.

Server endpoints do not need to be protected against Cross-site Request Forgery (CSRF) because tokens are sent explicitly. This allows Blazor WebAssembly applications to be placed alongside MVC or Razor Pages. 

The permissions of tokens are narrower than those of cookies. For example, tokens cannot be used to manage user accounts or change user passwords unless such features are explicitly implemented.

Tokens have a short lifetime (one hour by default), which limits the window of attack. Tokens can also be revoked at any time.

Self-contained JWTs give both the client and the server guarantees about the authentication process. For example, the client has the means to detect and verify that the tokens it receives are legitimate and were issued as part of the current authentication process. If a third party tries to swap in a different token in the middle of the authentication process, the client can detect the switched token and refuse to use it.

Tokens with OAuth and OIDC ensure application security regardless of user agent behavior.

Token-based protocols such as OAuth and OIDC allow for authentication and authorization of hosted and standalone applications with the same set of security features.

OIDC authentication process


The Microsoft.AspNetCore.Components.WebAssembly.Authentication library offers several primitives for implementing OIDC authentication and authorization. In general, authentication works as follows. 

When an anonymous user clicks the login button or requests a page with the [Authorize] attribute applied, the user is redirected to the application's login page (/authentication/login).

The login page prepares the authentication library to redirect to the authorization endpoint. The authorization endpoint is outside the Blazor WebAssembly application and can be hosted at a separate origin. The endpoint determines whether the user is authenticated and issues one or more tokens in response. The authentication library provides a login callback to receive the authentication response.

If the user is not authenticated, they are redirected to the underlying authentication system, which is usually ASP.NET Core Identity.

If the user is already authenticated, the authentication endpoint creates the appropriate tokens and redirects the browser back to the login callback endpoint (/authentication/login-callback).

When the Blazor WebAssembly application loads the endpoint of the login callback (/authentication/login-callback) the authentication response is processed. 

If the authentication process completes successfully, the user is authenticated and, if necessary, redirected to the protected URL originally requested.

If authentication fails for any reason, the user is directed to the login error page.
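To make the flow above and the "switched token" guarantee concrete, here is an added example (not code from the article or from the Blazor authentication library) that simulates the two client steps, /authentication/login and /authentication/login-callback, together with a minimal provider that mints an ID token. It assumes a hypothetical issuer and client id, and uses an HS256 demo key in place of the RSA/EC keys a real OpenID Provider publishes, so it runs offline; the checks it performs (state, signature, issuer, audience, expiry, nonce) are the ones a client must apply before trusting a token.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed values: a shared demo key stands in for the provider's signing key,
# and the issuer/client id are hypothetical (not from the article).
OP_KEY = b"constructed-demo-key"
ISSUER = "https://op.example"
CLIENT_ID = "blazor-wasm-client"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def op_issue_id_token(nonce: str, sub: str = "user-1", lifetime: int = 3600) -> str:
    """Provider side: mint a compact JWS that echoes the client's nonce."""
    now = int(time.time())
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": sub, "nonce": nonce,
              "iat": now, "exp": now + lifetime}
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    signing_input = header + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(OP_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def start_login() -> dict:
    """Client side (/authentication/login): record state and nonce before redirecting."""
    return {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}

def handle_login_callback(session: dict, response: dict):
    """Client side (/authentication/login-callback): accept only a token bound to
    this login attempt. Returns (claims, None) on success or (None, reason)."""
    if not hmac.compare_digest(response.get("state", ""), session["state"]):
        return None, "state mismatch (response not for this login attempt)"
    try:
        h, p, s = response["id_token"].split(".")
    except (KeyError, ValueError):
        return None, "malformed token"
    expected = hmac.new(OP_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), s):
        return None, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4)))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        return None, "wrong issuer or audience"
    if claims.get("exp", 0) <= time.time():
        return None, "expired"
    # A token minted for another login carries a different nonce: the
    # "switched token" case from the text is rejected here.
    if not hmac.compare_digest(claims.get("nonce", ""), session["nonce"]):
        return None, "nonce mismatch (token switched mid-flow)"
    return claims, None
```

In the real library the session values live in browser storage across the redirect, and the signature is checked against the provider's published keys rather than a shared secret.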
