Home
Blazorade ID is an authentication library for Blazor applications that acquires and manages access tokens and identity tokens using the OAuth 2.0 and OpenID Connect protocols. It applies a consistent programming model across Blazor application types so authentication logic can be shared without special handling for each hosting model.
Blazorade ID is not a replacement for Microsoft’s authentication stacks. It is an alternative approach for Blazor applications that want a consistent, transparent, and identity-provider-agnostic way to handle OAuth 2.0 and OpenID Connect.
Microsoft provides hosting-model-specific authentication integrations. Blazorade ID provides a single authentication architecture that works across Blazor Server, Blazor WebAssembly, and .NET MAUI Blazor Hybrid.
Blazorade ID is built on the following core principles:
- On-demand token acquisition: Tokens are obtained only when needed for a specific purpose, ensuring minimal consent prompts and scopes that match the task being performed.
- Unified programming model: The same authentication APIs work across Blazor Server, Blazor WebAssembly and .NET MAUI Blazor Hybrid without platform-specific branching.
When an application needs a token for a particular task, Blazorade ID first checks whether a valid token covering the requested scopes is already in the token store. If so, that token is returned immediately. If no such token exists, or the cached token is no longer valid, Blazorade ID automatically initiates the authorization flow and acquires a token containing exactly the scopes requested.
The on-demand approach supports fine-grained, task-specific authorization. Applications can offer functionality that not all users are allowed to perform without blocking those users from signing in or using other features. Instead of requiring broad consent up front, Blazorade ID requests only the permissions (scopes) needed for each task at the moment they are needed, allowing a wider audience to use the application while still respecting the authorization boundaries enforced by the identity provider.
On the other hand, if you want to build a more traditional application where users first log in and consent to all scopes needed by the application, you can do that too: just add a login button with a click handler that acquires tokens with all the permissions (scopes) you need.
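The cache-then-acquire logic described above, as an added illustration that is not Blazorade ID's own code: the `OnDemandTokenService`, `CachedToken` and `authorize` delegate are hypothetical names standing in for the library's token store and authorization flow. A traditional login button would simply call the same method once with the full scope set.

```csharp
// Added illustration of on-demand token lookup; types and names are hypothetical,
// not Blazorade ID's API.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;

public sealed record CachedToken(
    string AccessToken, string Audience, IReadOnlySet<string> Scopes, DateTimeOffset ExpiresAt);

public sealed class OnDemandTokenService
{
    private readonly List<CachedToken> _store = new();   // hypothetical in-memory token store
    // Runs the authorization flow for (audience, scopes) and returns the resulting token.
    private readonly Func<string, IReadOnlySet<string>, Task<CachedToken>> _authorize;
    private static readonly TimeSpan ClockSkew = TimeSpan.FromMinutes(1);

    public OnDemandTokenService(Func<string, IReadOnlySet<string>, Task<CachedToken>> authorize)
        => _authorize = authorize;

    public async Task<string> GetAccessTokenAsync(string audience, params string[] scopes)
    {
        var requested = scopes.ToHashSet(StringComparer.Ordinal);
        var now = DateTimeOffset.UtcNow;

        // A cached token is reusable only if it was issued for the same audience,
        // covers every scope this task needs, and is not about to expire.
        var cached = _store.FirstOrDefault(t =>
            t.Audience == audience &&
            requested.IsSubsetOf(t.Scopes) &&
            t.ExpiresAt - ClockSkew > now);
        if (cached is not null)
            return cached.AccessToken;

        // Otherwise run the authorization flow for exactly the requested scopes,
        // replacing any stale entry for the same audience/scope set.
        var fresh = await _authorize(audience, requested);
        _store.RemoveAll(t => t.Audience == audience && t.Scopes.SetEquals(requested));
        _store.Add(fresh);
        return fresh.AccessToken;
    }
}
```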
The unified programming model ensures that the same authentication APIs, interface contracts and usage patterns are used across Blazor Server, Blazor WebAssembly and .NET MAUI Blazor Hybrid. Blazor applications interact with Blazorade ID in the same way regardless of hosting model.
This does not mean that all hosting models behave identically. Different Blazor hosting models have different runtime characteristics, security boundaries and storage options, and Blazorade ID accounts for these differences through a pluggable service architecture. Token acquisition, token storage, UI interaction and failure handling can be customized with hosting-model-specific service implementations where appropriate.
The key point is that these differences are handled behind stable, shared APIs. Application code does not need separate authentication logic for each hosting model, even though the underlying implementations may differ. Blazorade ID includes default service implementations and configuration options that are appropriate for different hosting models, for example different token storage options for browser-based and server-based applications. At the same time, all core behaviors are defined behind replaceable service interfaces, so applications can customize or replace individual parts of Blazorade ID without changing how the rest of the application interacts with authentication. The result is a consistent developer experience combined with the flexibility to adapt Blazorade ID to the realities of each Blazor environment.
Use Blazorade ID when you want authentication in Blazor to be clear, consistent, and under your control, without being locked to a specific identity provider or hosting model.
Blazorade ID is a good fit when:
- You are building a Blazor-first application where authorization decisions are made in the Blazor component model
- You want the same authentication APIs in Blazor Server, Blazor WebAssembly, and .NET MAUI Blazor Hybrid
- You want to use `<AuthorizeView>`, `[Authorize]`, and related Blazor authorization features driven by `AuthenticationStateProvider`
- You want OAuth 2.0 and OpenID Connect with Entra ID or other compliant identity providers
- You want on-demand, task-specific token acquisition instead of broad up-front consent
- You want authentication behavior to be explicit and inspectable rather than hidden in templates or middleware
When your application needs to call server endpoints or external services, Blazorade ID is designed to acquire access tokens that can be used to call properly protected REST APIs using bearer token authentication.
Blazorade ID is intentionally scoped to Blazor applications and the Blazor component authorization model. It does not integrate with ASP.NET Core authentication middleware and does not populate HttpContext.User.
Consider other options when:
- You need end-to-end ASP.NET Core authentication middleware integration, such as cookie-based sessions shared automatically with MVC, Razor Pages, or minimal APIs
- Your application relies primarily on request-pipeline authorization rather than Blazor component authorization
- You expect server endpoints to automatically share authentication state with the Blazor UI without explicit bearer token validation
- You want authentication to be fully handled by framework infrastructure and templates
- You are building a traditional MVC or Razor Pages application rather than a Blazor-first application
If your application exposes server endpoints, the recommended approach when using Blazorade ID is to protect those endpoints with standard bearer token validation and call them using access tokens acquired by Blazorade ID. Blazorade ID does not issue authentication cookies and does not act as a server-side authentication system.
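One way to set up the recommended bearer token validation on server endpoints, as an added example using plain ASP.NET Core JWT bearer configuration (not Blazorade ID code): the authority, audience, route and policy name are placeholders, and the scope claim name is assumed to be `scp` (Entra ID) while many other providers use `scope`.

```csharp
// Added example: protecting server endpoints with standard bearer token validation.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Issuer and signing keys are discovered from the provider's OpenID Connect metadata.
        options.Authority = "https://login.example.com/<tenant-or-realm>";   // placeholder
        // Reject tokens issued for some other API: the audience must be this service.
        options.Audience = "api://my-api";                                    // placeholder
        options.TokenValidationParameters.ValidateIssuer = true;
        options.TokenValidationParameters.ValidateLifetime = true;
        options.TokenValidationParameters.ClockSkew = TimeSpan.FromMinutes(1);
    });

// Require the task-specific scope so a token acquired for one purpose
// cannot be replayed against unrelated endpoints.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("Orders.Read", policy =>
        policy.RequireAuthenticatedUser()
              .RequireAssertion(ctx =>
                  (ctx.User.FindFirst("scp")?.Value ?? string.Empty)   // assumed claim name
                      .Split(' ', StringSplitOptions.RemoveEmptyEntries)
                      .Contains("Orders.Read")));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Blazor calls this with "Authorization: Bearer <token>" using a token acquired on demand.
app.MapGet("/api/orders", (ClaimsPrincipal user) =>
        Results.Ok(new { user = user.Identity?.Name ?? "unknown" }))
   .RequireAuthorization("Orders.Read");

app.Run();
```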