Blazor AuthStateProvider - OK to synchronize Role Claims?
Hey.
I have a .NET 8 Blazor app using the "new" project style. I'm using static SSR as well as WASM.
By default, the PersistingRevalidationAuthenticationStateProvider and PersistentAuthenticationStateProvider only sync userId and email claims. I've added a small amount into this as a proof of concept sort of thing, but it was non-sensitive data (getting the user's real name).
I've reached the point where I am adding roles, however. I have a page which renders some additional content when the logged-in user has the Admin role (using AuthorizeView).
When the page loads initially, this is visible (to the correct user) due to it rendering through static SSR. When it gets passed over to WASM however, the role claim is missing and the content disappears.
I could sync the role claims across using the Auth state providers above, and am about to do so... My question is, are there any security concerns in doing this? And if so, what should be my solution for achieving this instead?