Resource-Based Authorization in ASP.NET core



Wow, Blazor has quite a few fans! And I think I now understand why.

Last week I announced that I would be switching the front-end included in my bootcamp from Blazor to React, and a few of you replied expressing your disappointment with this news.

So, just to be sure about this move, I sent a quick poll last Monday specifically to current bootcamp students, and this is what they told me:

This confirms React is still a top Web UI Framework choice.

However, it also tells me that a very significant proportion of students do want to stick to Blazor for their front-ends, which makes the decision not that simple.

So, at the end of this newsletter, I'll tell you what I'm going to do regarding the bootcamp front-end moving forward.

Now, let's dive into the topic of the day.

What is resource-based authorization?

To understand this, think about your Amazon shopping cart. Who should be allowed to manage that cart?

Of course, nobody other than you should be allowed to do that. Well, perhaps someone with very high powers at Amazon, an administrator, might also need this type of permission, just in case.

But, in essence, we can't let random people mess around with your particular shopping cart. There is an authorization policy there that establishes who can access that specific resource.

So, resource-based authorization is a way to control access to specific resources by evaluating the resource's properties or the user's relationship to it.

How do you set up this kind of authorization policy in ASP.NET Core?

Implementing a resource-based handler

Before implementing a resource-based handler, you should understand two key ASP.NET Core security concepts:

  • Authorization requirement. A collection of data parameters that a policy can use to evaluate the current user principal.
  • Authorization handler. A class responsible for the evaluation of a requirement's properties.

In our shopping cart example, the requirement is that the shopping basket can only be accessed by the basket owner or by an administrator.

The corresponding authorization handler should verify that such a requirement is met given a specific shopping basket instance and the current user in the system.

A resource-based handler is an authorization handler that specifies both a requirement and a resource type.

So, let's first define our resource type, our shopping basket, where the ID is the ID of the user that owns it:

Then, let's define our requirement, which needs to implement IAuthorizationRequirement:

It's a pretty dumb class, but it's all we need for our purpose here.

With those two ready, we can now implement the resource-based handler:

The handler will first extract the ID of the current user, which is available in the sub claim.

Then it will check if that user ID matches the ID of the owner of the received basket, or if the current user has an Admin role.

If either of those is true, it marks the requirement as being successfully evaluated.

Otherwise, requirement evaluation fails.

Now you are ready to enforce this requirement in your endpoints.

Using a resource-based handler

First, you'll need to register your new handler with the service container:

Then you can use it in your endpoint:

Here we inject an instance of IAuthorizationService and we use it along with the current user, the requested shopping basket, and our requirement, to check if the user is allowed to access that basket.

Notice that this makes it very easy to reuse that authorization check in any other endpoint, without the endpoint having to know anything about the logic behind the check.
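The whole procedure above (resource type, requirement, resource-based handler, registration, and the endpoint that calls IAuthorizationService), as an added example that is not the newsletter's own code. It assumes a .NET 8 minimal API in which authentication (for example JWT bearer) is already configured; IBasketStore, InMemoryBasketStore and the basket data are hypothetical, constructed only so the endpoint has something to load.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
var builder = WebApplication.CreateBuilder(args);
// Authentication (e.g. JWT bearer) is assumed to be configured elsewhere; only authorization is shown.
builder.Services.AddAuthorization();
builder.Services.AddSingleton<IAuthorizationHandler, BasketAuthorizationHandler>();
builder.Services.AddSingleton<IBasketStore, InMemoryBasketStore>(); // hypothetical store, see below
var app = builder.Build();

app.MapGet("/baskets/{id}", async (string id, ClaimsPrincipal user,
    IAuthorizationService authz, IBasketStore store) =>
{
    var basket = await store.GetAsync(id);
    if (basket is null) return Results.NotFound();
    // Evaluate the requirement against this specific basket and the current user.
    var result = await authz.AuthorizeAsync(user, basket, new BasketOwnerOrAdminRequirement());
    return result.Succeeded ? Results.Ok(basket) : Results.Forbid();
}).RequireAuthorization();
app.Run();

// The resource: a basket whose Id is the id of the user that owns it.
public record ShoppingBasket(string Id, List<string> Items);
// The requirement carries no data; its type alone says what is being checked.
public class BasketOwnerOrAdminRequirement : IAuthorizationRequirement { }

// Resource-based handler: evaluates the requirement against one specific basket.
public class BasketAuthorizationHandler
    : AuthorizationHandler<BasketOwnerOrAdminRequirement, ShoppingBasket>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        BasketOwnerOrAdminRequirement requirement, ShoppingBasket basket)
    {
        // The user id is in the "sub" claim. Caveat: the JWT bearer handler maps "sub" to
        // ClaimTypes.NameIdentifier unless inbound claim mapping is disabled, so check both.
        var userId = context.User.FindFirst("sub")?.Value
                     ?? context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if ((userId is not null && userId == basket.Id) || context.User.IsInRole("Admin"))
            context.Succeed(requirement);
        // Not calling Succeed leaves the requirement unmet, so the check fails.
        return Task.CompletedTask;
    }
}

// Hypothetical store with constructed sample data so the endpoint has something to load.
public interface IBasketStore { Task<ShoppingBasket?> GetAsync(string id); }
public class InMemoryBasketStore : IBasketStore
{
    private readonly Dictionary<string, ShoppingBasket> _baskets =
        new() { ["user-123"] = new("user-123", ["book", "headphones"]) };
    public Task<ShoppingBasket?> GetAsync(string id) => Task.FromResult(_baskets.GetValueOrDefault(id));
}
```

Because the requirement is only marked as met when Succeed is called, a handler that simply returns leaves the endpoint denying access, which is the safe default.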

This is just one way to perform authorization checks in ASP.NET Core, along with role-based authorization, claims-based authorization, and policy-based authorization, which I cover in detail in the bootcamp.

All .NET web developers should understand how authorization works in ASP.NET Core. It unlocks so many scenarios and knowing this in-depth will save you from so much trouble later.

Why people are embracing Blazor

Here's what one student told me after my previous announcement:

The company I work for is a completely Microsoft-focused company from ASP.NET front-ends to Azure services, etc. We have no React devs and no plans to ever introduce React...
...A lot can still be learned about Blazor, its component system, integrations with auth providers such as Microsoft Entra ID/ASP.NET Core Identity/Keycloak, various 3rd party integrations (i.e. Stripe), etc by seeing working solutions written by others and that was my hope.

And here's another reply:

There are tons of places to learn React and other front ends. There are far fewer places to thoroughly learn Blazor.
If the teachers focused on .NET don't teach Blazor, who will? There are many places to start learning Blazor, but not many teachers working with a close to real-world app and development process.

Which is fascinating!

People are not necessarily jumping into Blazor because they have nothing better to learn, but because they belong to one of probably hundreds of Microsoft shops out there with huge, years-old ASP.NET code bases that are probably still using Razor Pages, MVC, or even Web Forms.

And all that needs to get upgraded to the latest and greatest. And what is the latest and greatest next step for Razor pages, MVC, and Web Forms?

Blazor!

The Blazor front-end stays

Now that I understand this, here's what I'll do:

1. The Blazor front-end stays. All courses in the bootcamp will include the pre-built Blazor front-end as planned. No changes here.

2. A lesson explaining the Blazor front-end. Starting with the 3rd bootcamp course, ASP.NET Security, I'll include at least one lesson where I'll explain relevant topics regarding how the front-end powers the end-to-end experience.

3. A bonus React front-end. Since I already finished the React front-end for course 3, and several students prefer React, I'll include it as an exclusive bonus for all current students and anyone who joins during the launch week of Course 3.

However, just to be clear:

1. This bootcamp is not about the front-end. I spent 10+ years working on cloud backends, so that's the main thing I can and will teach for the foreseeable future.

2. I can't support 2 front-ends. The amount of content in this bootcamp is already massive, so working on 2 front-ends moving forward is too much. I'll provide the React front-end as a one-time bonus of Course 3, with a good README file, but that will be it. The next courses will include only the Blazor front-end.

Wrapping up

Course 3, ASP.NET Core Security, is now in full production!

I must admit I'm a bit behind schedule thanks to my fun adventure with React and a few technical issues I faced with my recording software, but hopefully, things will go much more smoothly from here on.

I'm actually amazed at the number of concepts that need to be covered in this third course to fully grasp industry-standard security and authorization practices with ASP.NET Core.

Seems like it's going to be the longest course so far. And it will be the best ASP.NET Core Security course on the market. Or, at least, that's my hope.

Until next time!

Julio

