Blazor Server .NET 8 authorization Dependency Injection User Settings

Question

Blazor Server .NET 8 authorization Dependency Injection User Settings

Dennis Vossen 1

I have a IUserSettings interface to use between Blazor and a Desktop. I have a task in the interface called Task GetUserSettingsAsync(AuthenticationStateProvider authenticationStateProvider). Once the website comes back from Microsoft Entra, I want to populate user settings. I have a UserSettingService class inheriting from IUserSettings to execute GetUserSettingsAsync. I want to execute a query in GetUserSettingsAsync to get the users ID from the database. Then I can inject IUserSettings into other classes and have their user ID. What I tried isn't working. IUserSettings doesn't have the user ID.

When I debug to GetUnitsOnHandQuery.cs,_userSettings.FacilityIds is null.

Sample Code:

public class UserSettingService : IUserSettings
{
    private readonly IMediator? _mediator;

    public UserSettingService(IMediator mediator)
    {
        _mediator = mediator;
    }

    public int DefaultFacilityId { get; set; }
    public int[] FacilityIds { get; set; }
    public string FullName { get; set; }
    public bool IsAdministrator { get; set; }
    public string[] LockCodes { get; set; }
    public bool RequiresPasswordChange { get; set; }
    public int UserId { get; set; }
    public string UserName { get; set; }

    public AccessLevel GetAccessLevel(string lockCodePrefix)
    {
        throw new NotImplementedException();
    }
    public bool HasPermission(string lockCode)
    {
        throw new NotImplementedException();
    }

    public async Task GetUserSettingsAsync(AuthenticationStateProvider authenticationStateProvider)
    {
        CancellationTokenSource cancellationTokenSource = new();

        var authState = await authenticationStateProvider.GetAuthenticationStateAsync();
        var user = authState?.User;

        if (user?.Identity?.IsAuthenticated == true)
        {
            var userId = await _mediator.Send(new GetUserIdQuery(user.Identity.Name), cancellationTokenSource.Token);

            await SetUserSettingsAsync(userId);
            return;
        }

        throw new UnauthorizedAccessException("User is not authenticated");
    }

    private async Task SetUserSettingsAsync(string userId)
    {
        var claims = await _mediator.Send(new GetUserClaimsQuery(userId)).ConfigureAwait(false);

        var identity = new ClaimsIdentity("Custom");
        identity.AddClaims(claims);

        var userIdClaim = (identity.FindFirst("UserId")?.Value) ?? throw new InvalidOperationException("UserId claim is missing");

        UserId = int.Parse(userIdClaim);
        UserName = userId;
        DefaultFacilityId = int.Parse(identity.FindFirst("DefaultFacility")!.Value);
        FacilityIds = identity.FindAll("Facility")
            .Select(x => x.Value)
            .Select(x => int.TryParse(x, out var value) ? value : 0)
            .ToArray();
        FullName = identity.FindFirst(ClaimTypes.GivenName)?.Value ?? string.Empty;
        IsAdministrator = identity.FindFirst("IsAdministrator")?.Value == bool.TrueString;
        LockCodes = identity.FindAll(ClaimTypes.Sid)
            .Select(x => x.Value)
            .ToArray();
        RequiresPasswordChange = identity.FindFirst("RequiresPasswordChange")?.Value == bool.TrueString;
    }
I have a IUserSettings interface to use between Blazor and a Desktop. I have a task in the interface called Task GetUserSettingsAsync(AuthenticationStateProvider authenticationStateProvider). Once the website comes back from Microsoft Entra, I want to populate user settings. I have a UserSettingService class inheriting from IUserSettings to execute GetUserSettingsAsync. I want to execute a query in GetUserSettingsAsync to get the users ID from the database. Then I can inject IUserSettings into other classes and have their user ID. What I tried isn't working. IUserSettings doesn't have the user ID.

ServiceConfiguration.cs

.AddScoped<IUserSettings, UserSettingService>()

Onhandinventory.cs

await UserSettings.GetUserSettingsAsync(AuthenticationStateProvider);

Inventories = await Mediator.Send(new GetUnitsOnHandQuery(_selectedProductId, _selectedLocationId), _cancellationTokenSource.Token);

GetUnitsOnHandQuery.cs

internal class Handler : IRequestHandler<GetFacilitiesForCurrentUserQuery, `List<FacilityDto>>
{
    private readonly IMediator _mediator;
    private readonly IUserSettings _userSettings;

    public Handler(IMediator mediator, IUserSettings userSettings)
    {
         _mediator = mediator;
         _userSettings = userSettings;
     }

     public async Task<List<FacilityDto>> Handle(GetFacilitiesForCurrentUserQuery request, CancellationToken cancellationToken = default) =>
         await _mediator.Send(new GetFacilitiesQuery(_userSettings.FacilityIds), cancellationToken);
 }

Tiny Wang-MSFT 3,161 Reputation points Microsoft External Staff

2025-04-04T01:38:31.59+00:00

Hi Dennis, you mentioned Once the website comes back from Microsoft Entra in your question, may I know why you also tried to get user profile information from database? If users signed in with Microsoft account, user information shall come from the cloud. May I know your auth scheme in your application?
Dennis Vossen 1 Reputation point

2025-04-07T17:40:10.41+00:00

Employee ID does not exist in Microsoft Entra. You cannot add it. I need ID to find user roles in the database. All I get back is the user's email address in user.Identity.Name.

2 answers

Your answer

Tiny Wang-MSFT 3,161 Reputation points Microsoft External Staff

2025-04-04T01:38:31.59+00:00

Hi Dennis, you mentioned Once the website comes back from Microsoft Entra in your question, may I know why you also tried to get user profile information from database? If users signed in with Microsoft account, user information shall come from the cloud. May I know your auth scheme in your application?
Dennis Vossen 1 Reputation point

2025-04-07T17:40:10.41+00:00

Employee ID does not exist in Microsoft Entra. You cannot add it. I need ID to find user roles in the database. All I get back is the user's email address in user.Identity.Name.

Answer 1

Pradeep M 7,620 Microsoft External Staff

Hi Dennis Vossen,

Thank you for reaching out to Microsoft Q & A forum.

The issue you're experiencing likely stems from how IUserSettings is being populated. Since it's registered as a scoped service, calling GetUserSettingsAsync manually in a component doesn't ensure the data is available when the same service is injected elsewhere such as in your query handler.

To ensure user settings are initialized consistently, move the logic for populating IUserSettings into a custom AuthenticationStateProvider. For example, by extending RevalidatingServerAuthenticationStateProvider, you can trigger the GetUserSettingsAsync call automatically after the user is authenticated:

protected override async Task<bool> ValidateAuthenticationStateAsync(AuthenticationState state, CancellationToken ct)
{
    if (state.User.Identity?.IsAuthenticated == true)
    {
        using var scope = _provider.CreateScope();
        var userSettings = scope.ServiceProvider.GetRequiredService<IUserSettings>();
        await userSettings.GetUserSettingsAsync(this);
    }
    return true;
}

This ensures IUserSettings is fully populated early in the pipeline and available wherever it's injected across your application.

If you have found the answer provided to be helpful, please click on the "Accept answer/Upvote" button so that it is useful for other members in the Microsoft Q&A community.

Dennis Vossen 1

So like this? But RevalidatingServerAuthenticationStateProvider is part of Microsoft.AspNetCore.Components.Server which gives me no package found in Manage NuGet Packages.

using System.Security.Claims;

using Microsoft.AspNetCore.Components.Authorization;

using Microsoft.Extensions.Logging;

using SharedKernel.Interfaces;

public class CustomAuthenticationStateProvider : RevalidatingServerAuthenticationStateProvider

{

private readonly IServiceProvider _serviceProvider;

public CustomAuthenticationStateProvider(ILoggerFactory loggerFactory, IServiceProvider serviceProvider)

    : base(loggerFactory)

{

    _serviceProvider = serviceProvider;

}

protected override TimeSpan RevalidationInterval => TimeSpan.FromMinutes(30);

protected override async Task<bool> ValidateAuthenticationStateAsync(AuthenticationState state, CancellationToken ct)

{

    if (state.User.Identity?.IsAuthenticated == true)

    {

        using var scope = _serviceProvider.CreateScope();

        var userSettings = scope.ServiceProvider.GetRequiredService<IUserSettings>();

        await userSettings.GetUserSettingsAsync(this);

    }

    return true;

}

private Task<bool> CheckUserSessionAsync(ClaimsPrincipal user)

{

    // Implement your session validation logic here

    return Task.FromResult(true);

}

Pradeep M 7,620 Reputation points Microsoft External Staff

2025-04-08T06:57:24.4066667+00:00

Hi Dennis Vossen,

You're on the right track with implementing a custom AuthenticationStateProvider. The reason you're not seeing the Employee ID from Microsoft Entra is that, by default, Entra only provides standard claims such as the user's email or UPN.

The recommended approach in this scenario is to use the email address (user.Identity.Name) as a unique identifier to query your internal database. From there, you can retrieve the user's internal ID, roles, and other relevant settings. This is a common and effective pattern for integrating external identity providers with internal systems.

Your current implementation using GetUserIdQuery to resolve the internal user ID is correct and aligns with best practices. While it is technically possible to configure Entra to return custom claims like Employee ID, doing so requires additional setup in Azure AD and is generally unnecessary if your database already holds this mapping.

In summary, continue using the email to fetch internal user details from your database this is the preferred and reliable method in such integrations.
Dennis Vossen 1 Reputation point

2025-04-08T14:27:27.11+00:00

What? I need a technical solution. I am using the email to get the user's ID. It is Blazor that is causing me the issue with IUserSettings. How do you set up IUserSettings? I already explained why RevalidatingServerAuthenticationStateProvider is not working. So what is your technical suggestion to setting up IUserSettings?

Answer 2

Bruce (SqlWork.com) 74,451

in Blazor authentication information is stored in Blazor AuthenticationStateProvider (for compatibility with WASM). The default AuthenticationStateProvider() is build on app load, and just looks at the principal defined in the HttpContext. You make a custom AuthenticationStateProvider if you want to change the behavior. Typically the custom provider just creates the user and claims.

the RevalidatingServerAuthenticationStateProvider is part of individual identity for for Blazor. it uses the IdentityUser api to access user info. it named revalidating, because it periodically checks the database to see if user claims are up to date. You can create a Blazor server with individual accounts, then scaffold identity to get a default source.

when you create a custom provider, you can add additional methods/interfaces you code can call by casting the injected provider. your provider can expose

you issue seems to be the design of the UserSettingService. it should get the AuthenticationStateProvider in its constructor, or all calls to it should pass the injected AuthenticationStateProvider.

note: when using Entra for authentication, authentication is done outside the Blazor app via razor pages. as app load the HttpContext is used to get the user principal that the Entra Identity created. Blazor is a single request, so the context is the request from the Blazor client js code to open the signal/r socket. This request includes the cookie created by the razor page authorization.

Dennis Vossen 1

I made this update. Still have the same issue.

using System.Security.Claims;

using Microsoft.AspNetCore.Components.Authorization;

using NBi.AppShared.Features.Authentication;

using NBi.AppShared.Queries;

using SharedKernel;

using SharedKernel.Interfaces;

namespace NBi.App.Utilities

{

public class UserSettingService : IUserSettings

{

    private readonly IMediator _mediator;

    private readonly AuthenticationStateProvider _authenticationStateProvider;

    public UserSettingService(IMediator mediator, AuthenticationStateProvider authenticationStateProvider)

    {

        _mediator = mediator;

        _authenticationStateProvider = authenticationStateProvider;

    }

    public int DefaultFacilityId { get; set; }

    public int[] FacilityIds { get; set; }

    public string FullName { get; set; }

    public bool IsAdministrator { get; set; }

    public string[] LockCodes { get; set; }

    public bool RequiresPasswordChange { get; set; }

    public int UserId { get; set; }

    public string UserName { get; set; }

    public AccessLevel GetAccessLevel(string lockCodePrefix)

    {

        throw new NotImplementedException();

    }

    public bool HasPermission(string lockCode)

    {

        throw new NotImplementedException();

    }

    public async Task GetUserSettingsAsync()

    {

        CancellationTokenSource cancellationTokenSource = new();

        var authState = await _authenticationStateProvider.GetAuthenticationStateAsync();

        var user = authState?.User;

        if (user?.Identity?.IsAuthenticated == true)

        {

            var userId = await _mediator.Send(new GetUserIdQuery(user.Identity.Name), cancellationTokenSource.Token);

            await SetUserSettingsAsync(userId);

            return;

        }

        throw new UnauthorizedAccessException("User is not authenticated");

    }

    private async Task SetUserSettingsAsync(string userId)

    {

        var claims = await _mediator.Send(new GetUserClaimsQuery(userId)).ConfigureAwait(false);

        var identity = new ClaimsIdentity("Custom");

        identity.AddClaims(claims);

        var userIdClaim = (identity.FindFirst("UserId")?.Value) ?? throw new InvalidOperationException("UserId claim is missing");

        UserId = int.Parse(userIdClaim);

        UserName = userId;

        DefaultFacilityId = int.Parse(identity.FindFirst("DefaultFacility")!.Value);

        FacilityIds = identity.FindAll("Facility")

            .Select(x => x.Value)

            .Select(x => int.TryParse(x, out var value) ? value : 0)

            .ToArray();

        FullName = identity.FindFirst(ClaimTypes.GivenName)?.Value ?? string.Empty;

        IsAdministrator = identity.FindFirst("IsAdministrator")?.Value == bool.TrueString;

        LockCodes = identity.FindAll(ClaimTypes.Sid)

            .Select(x => x.Value)

            .ToArray();

        RequiresPasswordChange = identity.FindFirst("RequiresPasswordChange")?.Value == bool.TrueString;

    }

    public async Task InitializeAsync()

    {

        //await GetUserSettingsAsync();

    }

}

}

Bruce (SqlWork.com) 74,451 Reputation points

2025-04-19T15:50:04.5166667+00:00

Until your blazor app has redirected to entra to login, the user is not authenticated, but you throw an error for this valid state. Also as the Blazor app is a single request, for the life of the app it will be either authenticated or not authenticated. The unauthorized version should redirect to the login server on the first access to an unauthorized component.

Share via

Blazor Server .NET 8 authorization Dependency Injection User Settings

2 answers

Your answer