
Mika Berglund edited this page Dec 25, 2025 · 4 revisions

Authentication Service (IAuthenticationService)

The Authentication Service defines the entry point for signing users in and out in Blazorade ID.

The service focuses on:

  • Producing a ClaimsPrincipal for the current user by acquiring and parsing an OpenID Connect identity token.
  • Clearing local authentication state during sign-out.
  • Notifying Blazor’s authentication infrastructure when the current user changes.

Responsibilities

  • Acquire an identity token (ID token) via the configured Token Service.
  • Build a ClaimsPrincipal from the ID token’s claims.
  • Publish authentication state changes via Authentication State Notifier so that Blazor components and authorization features react.
  • Perform local sign-out by clearing tokens from the configured Token Store.
  • Optionally perform a federated sign-out at the identity provider by navigating to the end-session endpoint.

Members

  • SignInAsync

    • Creates a ClaimsPrincipal from the current user’s identity token.
    • Returns null if an identity token is not available and cannot be acquired.
  • SignOutAsync

    • Signs the user out.

Default implementations

Blazorade ID provides default implementations so applications can use the service without writing custom code, while still being able to replace implementations where needed.

AuthenticationService

AuthenticationService is the default, hosting-model-agnostic implementation.

Behavior:

  • SignInAsync

    • Uses Token Service to acquire an identity token.
    • If an identity token is returned, creates a ClaimsPrincipal with a single ClaimsIdentity created from the token’s claims.
    • Calls Authentication State Notifier to notify Blazor that authentication state has changed.
  • SignOutAsync

Important note:

  • SignInAsync notifies authentication state changes even if no identity token could be acquired and the method returns null. This is intentional in the default implementation and can be overridden if you want notifications only on successful sign-in.

BlazorAuthenticationService

BlazorAuthenticationService extends AuthenticationService with Blazor-specific sign-out behavior by integrating:

  • NavigationManager for client navigation.
  • Endpoint Service to construct an end-session (logout) URL.
  • AuthorityOptions for IdP-related configuration (for example ClientId).

Behavior differences:

  • SignOutAsync

    • Chooses a post-logout redirect URI:

      • Uses options.RedirectUri when provided.
      • Otherwise, when UseDefaultRedirectUri is enabled (default in this implementation), uses NavigationManager.BaseUri.
    • Fetches the current identity token from Token Store to send as an id_token_hint.

    • Clears local tokens and notifies authentication state change.

    • Unless SkipEndIdpSession is set, navigates the browser to the IdP end-session endpoint, including:

      • id_token_hint (when available)
      • client_id
      • post_logout_redirect_uri

This implements the common OpenID Connect RP-initiated logout pattern.
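The redirect-URI selection and end-session parameters described above, as an added C# example that is not part of Blazorade ID's own code. The property names (RedirectUri, UseDefaultRedirectUri, SkipEndIdpSession, ClientId) are taken from this page; the SignOutSettings record, the EndSessionUrlBuilder class and the sample values are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;

// Stand-in for the IdP options named on this page. The property names follow the
// page; the record type itself is an assumption for this example.
public sealed record SignOutSettings(
    string ClientId,
    string? RedirectUri = null,
    bool UseDefaultRedirectUri = true,
    bool SkipEndIdpSession = false);

public static class EndSessionUrlBuilder
{
    // Returns the URL the browser should be navigated to for RP-initiated logout,
    // or null when SkipEndIdpSession is set and only local state should be cleared.
    public static string? Build(
        string endSessionEndpoint,   // end-session endpoint (as resolved by an Endpoint Service)
        SignOutSettings settings,
        string baseUri,              // the value NavigationManager.BaseUri would supply
        string? idToken)             // current ID token from the Token Store, if any
    {
        if (settings.SkipEndIdpSession)
            return null;

        // Explicit RedirectUri wins; otherwise fall back to the application's
        // base URI only when UseDefaultRedirectUri is enabled.
        string? postLogoutRedirectUri = settings.RedirectUri
            ?? (settings.UseDefaultRedirectUri ? baseUri : null);

        var query = new List<string>();

        // id_token_hint is only included when a token is actually available.
        if (!string.IsNullOrEmpty(idToken))
            query.Add("id_token_hint=" + Uri.EscapeDataString(idToken));

        query.Add("client_id=" + Uri.EscapeDataString(settings.ClientId));

        if (postLogoutRedirectUri is not null)
            query.Add("post_logout_redirect_uri=" + Uri.EscapeDataString(postLogoutRedirectUri));

        // Keep any query string the endpoint already carries intact.
        string separator = endSessionEndpoint.Contains('?') ? "&" : "?";
        return endSessionEndpoint + separator + string.Join("&", query);
    }

    public static void Main()
    {
        // Constructed sample values; "example-client" and the URLs are placeholders.
        var settings = new SignOutSettings(ClientId: "example-client");
        string? url = Build("https://idp.example/connect/endsession",
                            settings, "https://app.example/", idToken: "<id-token>");
        Console.WriteLine(url ?? "(IdP session left alone)");
    }
}
```

Because the redirect falls back to the base URI, the post_logout_redirect_uri sent here must still be registered at the IdP for the client, or the IdP will reject the logout request.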

How it fits into Blazor authentication

Blazor’s authorization features depend on an AuthenticationStateProvider and its change notifications. When the current user changes, Blazor needs an explicit notification so that components, AuthorizeView, and [Authorize] react immediately.

Blazorade ID uses Authentication State Notifier as the abstraction for emitting these change notifications. A default notifier can internally map to AuthenticationStateProvider notification mechanisms.

Relevant framework concepts:

  • AuthenticationStateProvider and authentication state change notifications.
  • ClaimsPrincipal and ClaimsIdentity as the standard .NET representation of an authenticated user.

Design notes and implementation details

  • ClaimsPrincipal creation:

    • The default implementation builds a principal directly from the ID token’s claims (new ClaimsPrincipal(new ClaimsIdentity(idToken.Claims))).
    • If your authorization depends on authentication type, name claim type, role claim type, or multiple identities, consider overriding and enriching principal creation.
  • Sign-out ordering:

    • The Blazor-specific implementation clears local tokens before navigating to the IdP end-session endpoint.
    • This is usually desirable for local correctness, but it also means you cannot retry end-session navigation using locally stored tokens if navigation is interrupted.
  • Extensibility:

    • Replace the Authentication Service to change sign-in and sign-out semantics.
    • Replace Authentication State Notifier to customize how UI and Blazor auth state changes are propagated.
    • Replace Endpoint Service to support IdPs with non-standard logout endpoints or parameters.
