markus41/blazor-auth-security
plugins/dotnet-blazor/skills/blazor-auth-security/SKILL.md
Authentication and authorization in Blazor with ASP.NET Core Identity, Entra ID, JWT, and policy-based auth
$ install --global
skillsauthnpx skillsauth add markus41/claude blazor-auth-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 7, 2026, 2:37 AM32.4s1 file scanned
SKILL.md
- name:
- blazor-auth-security
- description:
- Authentication and authorization in Blazor with ASP.NET Core Identity, Entra ID, JWT, and policy-based auth
Blazor Authentication and Authorization
ASP.NET Core Identity Setup
// Program.cs
builder.Services.AddAuthentication(IdentityConstants.ApplicationScheme)
.AddIdentityCookies();
builder.Services.AddAuthorizationBuilder()
.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"))
.AddPolicy("PremiumUser", policy => policy.RequireClaim("subscription", "premium"));
builder.Services.AddIdentityCore<ApplicationUser>(options =>
{
options.Password.RequireDigit = true;
options.Password.RequiredLength = 8;
options.SignIn.RequireConfirmedEmail = true;
})
.AddRoles<IdentityRole>()
.AddEntityFrameworkStores<AppDbContext>()
.AddSignInManager()
.AddDefaultTokenProviders();
Microsoft Entra ID (Azure AD)
builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
builder.Services.AddControllersWithViews()
.AddMicrosoftIdentityUI();
// appsettings.json
{
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"TenantId": "your-tenant-id",
"ClientId": "your-client-id",
"CallbackPath": "/signin-oidc"
}
}
Blazor Authorization Components
@* Require authentication for a page *@
@page "/admin"
@attribute [Authorize(Roles = "Admin")]
@* Conditional rendering based on auth state *@
<AuthorizeView>
<Authorized>
<p>Welcome, @context.User.Identity?.Name!</p>
</Authorized>
<NotAuthorized>
<p>Please <a href="/login">log in</a>.</p>
</NotAuthorized>
</AuthorizeView>
@* Role-based content *@
<AuthorizeView Roles="Admin,Manager">
<Authorized>
<button @onclick="DeleteAll">Delete All</button>
</Authorized>
</AuthorizeView>
@* Policy-based content *@
<AuthorizeView Policy="PremiumUser">
<Authorized>
<PremiumDashboard />
</Authorized>
</AuthorizeView>
Programmatic Auth Check
@inject AuthenticationStateProvider AuthStateProvider
@code {
private async Task CheckAuth()
{
var authState = await AuthStateProvider.GetAuthenticationStateAsync();
var user = authState.User;
if (user.Identity?.IsAuthenticated == true)
{
var name = user.Identity.Name;
var isAdmin = user.IsInRole("Admin");
var email = user.FindFirst(ClaimTypes.Email)?.Value;
}
}
}
JWT Bearer for APIs
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddJwtBearer(options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = builder.Configuration["Jwt:Issuer"],
ValidAudience = builder.Configuration["Jwt:Audience"],
IssuerSigningKey = new SymmetricSecurityKey(
Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]!))
};
});
Security Best Practices
- Store secrets in User Secrets (dev) or Azure Key Vault (prod)
- Use HTTPS everywhere (
app.UseHsts()) - Enable antiforgery tokens for forms (
<AntiforgeryToken />) - Use
[Authorize]on pages/endpoints, not just UI hiding - Implement CORS properly for API projects
- Use Data Protection API for encrypting sensitive data
- Rate limit authentication endpoints
- Log authentication events for audit trails
Related Skills
markus41/writing-plans-enhanced
development
VerifiedTrustedCommunity
Enhanced plan-authoring skill with Pre-Writing context gathering, task metadata, non-TDD templates, Red Flags, telemetry, and an automated plan linter. Use when you have a spec or requirements for a multi-step task, before touching code.
13SKILL.mdUpdated Apr 25, 2026
markus41/plugins/scrapin-aint-easy
tools
VerifiedTrustedCommunity
Documentation intelligence engine with graph-based API docs, algorithm library, and drift detection
13SKILL.mdUpdated Apr 17, 2026
markus41/ultraplan
tools
VerifiedTrustedCommunity
Ultraplan cloud planning — kick off a plan in the cloud from your terminal, review and revise in the browser, then execute remotely or send back to CLI
13SKILL.mdUpdated Apr 17, 2026
markus41/plugins/claude-code-expert/skills/mcp
tools
VerifiedTrustedCommunity
--- name: mcp description: Configure MCP servers for Claude Code — stdio vs HTTP, authentication, Tools/Resources/Prompts distinction, channels (CI webhook, mobile relay, Discord bridge, fakechat), and cost of always-loaded tools. Use this skill whenever adding an MCP server, debugging connection issues, choosing between MCP Tools vs Prompts vs Resources, installing channel servers, or managing .mcp.json. Triggers on: "MCP server", "mcp config", "add Obsidian MCP", "install context7", "channels"
13SKILL.mdUpdated Apr 17, 2026