IMovieService example can lead to authorization problems #34586

@davisnw

Description

The page gives an example of creating a common interface IMovieService with two implementations: ClientMovieService and ServerMovieService.

Neither the page nor the linked GitHub code example (BlazorWebAppCallWebApi) has any discussion of ASP.NET Core endpoint authorization.

So, for example, since ClientMovieService goes through the web API, traditional authorization attributes such as [Authorize("MyPolicy")] could be applied to individual endpoints (so that, e.g., updating a movie has different permissions than reading a movie). However, the same operation in SSR, going through the ServerMovieService implementation, would not have any of those authorization attributes applied.

This bifurcation of authorization stacks seems like an area rife for security holes, so some discussion of handling authorization when providing multiple implementations of a service for client-side vs server-side rendering seems to be warranted.

To further add to the confusion, in the GitHub sample (BlazorWebAppCallWebApi) there is a tremendous amount of duplication between the minimal API spec and the ServerMovieService:

git difftool dbca3f4:9.0/BlazorWebAppCallWebApi/BlazorApp/BlazorApp/Program.cs dbca3f4:9.0/BlazorWebAppCallWebApi/BlazorApp/BlazorApp/Services/ServerMovieService.cs

So now there are actually 3 separate implementations of the movie related functionality.

Page URL

https://learn.microsoft.com/en-us/aspnet/core/blazor/call-web-api?view=aspnetcore-9.0

Content source URL

https://github.com/dotnet/AspNetCore.Docs/blob/main/aspnetcore/blazor/call-web-api.md

Document ID

c7e59a08-1c60-32c2-75fd-33cb77ff7a5d

Article author

@guardrex

Metadata

  • ID: 8b5e2e10-ff7b-2b9f-84da-f16028ae2c53
  • Service: aspnet-core
  • Sub-service: blazor
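As an added illustration of the concern raised in this issue (not code from the article or the BlazorWebAppCallWebApi sample): the policy name is defined once and evaluated on both paths, so the SSR implementation cannot silently bypass the check that the web API endpoint enforces. `MoviePolicies`, `IMovieRepository`, `MovieEndpoints` and the `Editor` role are constructed placeholders, and the block assumes the Web SDK's implicit usings for `Microsoft.AspNetCore.Builder`, `Http` and `Routing`.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components.Authorization;

public record Movie(int Id, string Title);

// Shared contract from the article, implemented once per render mode.
public interface IMovieService { Task UpdateMovieAsync(Movie movie); }

// Hypothetical persistence abstraction standing in for the sample's data access.
public interface IMovieRepository { Task SaveAsync(Movie movie); }

// One policy name, referenced by both the endpoint and the SSR service. Registered once in
// Program.cs: builder.Services.AddAuthorizationBuilder().AddPolicy(MoviePolicies.Edit, p => p.RequireRole("Editor"));
public static class MoviePolicies { public const string Edit = "MovieEditor"; }

// SSR implementation: there is no HTTP hop, so RequireAuthorization on the endpoint never
// runs for this path. The same policy is therefore evaluated explicitly here.
public sealed class ServerMovieService(
    AuthenticationStateProvider authState,
    IAuthorizationService authz,
    IMovieRepository repo) : IMovieService
{
    public async Task UpdateMovieAsync(Movie movie)
    {
        ClaimsPrincipal user = (await authState.GetAuthenticationStateAsync()).User;
        AuthorizationResult result = await authz.AuthorizeAsync(user, movie, MoviePolicies.Edit);
        if (!result.Succeeded)
        {
            // Deny the way the web API would (401/403), instead of silently writing.
            throw new UnauthorizedAccessException(
                $"Policy '{MoviePolicies.Edit}' denied update of movie {movie.Id}.");
        }
        await repo.SaveAsync(movie);
    }
}

// CSR path: ClientMovieService calls this endpoint over HTTP, where the same policy gates it.
public static class MovieEndpoints
{
    public static IEndpointRouteBuilder MapMovieEndpoints(this IEndpointRouteBuilder app)
    {
        app.MapPut("/movies/{id:int}", async (int id, Movie movie, IMovieRepository repo) =>
        {
            await repo.SaveAsync(movie with { Id = id });
            return Results.NoContent();
        }).RequireAuthorization(MoviePolicies.Edit);
        return app;
    }
}
```

A quick check for the bifurcation the issue describes: every `IMovieService` member that the endpoint guards with `RequireAuthorization` should have a matching `AuthorizeAsync` call with the same policy name in the server implementation.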

Activity

github-actions commented on Jan 29, 2025


💃🕺🥳 Happy New Year! 🎈🎆🍾🥂🎉

Stand-by! ... A green dinosaur 🦖 will be along shortly to assist.

guardrex commented on Jan 29, 2025


Hello @davisnw ... Let me get back to you on this, hopefully tomorrow morning (Thursday).

guardrex commented on Jan 30, 2025


I'm back! Sorry for the delay.

Neither the page nor the linked GitHub code example (BlazorWebAppCallWebApi) has any discussion of ASP.NET Core endpoint authorization.

It's not covered here at the moment. Secure web APIs are covered by the main doc set articles, which apply to most Blazor scenarios (especially on the server-side), and the Blazor node Security and Identity articles.

I want to mention in passing that a goal for the Blazor sample apps was to include secure web API calls. Devs can follow the patterns for typical secure web API call scenarios. Here are the examples:

  • Standalone Blazor WebAssembly with Identity: Includes two secure data processing endpoints, one of which has an auth policy applied. The article covers cross-domain/same-site concepts and antiforgery.
  • BWA with Entra: Includes a secure weather forecast web API.
  • BWA with OIDC: Includes a secure weather forecast API for both the non-BFF and BFF patterns.

I agree with you that this article and the sample apps for it should include basic security patterns. I'll schedule this issue for work, and I hope to reach it within the next couple of weeks.

Notes for updating the article and samples:

  • Address your concern, namely that "some discussion of handling authorization when providing multiple implementations of a service for client-side vs server-side rendering seems to be warranted."
  • "there is a tremendous amount of duplication in the minimal api spec and the ServerMovieService": Yes, I agree. I'll resolve this problem.
  • Add basic web API security scenario coverage for typical apps into the text coverage.
  • Add the scenarios described to the sample apps.
  • Cross-link the examples in the existing Blazor samples.
  • Cross-link the extended coverage in the Blazor Security and Identity node.
  • Improve the organization of coverage.

On your last point, you wrote ...

So now there are actually 3 separate implementations of the movie related functionality.

I don't follow. There's the service for server-rendered components (SSR), and there are the endpoints for web API calls for CSR. The "Backend" app only manages Todo list examples. What's the third "implementation" that you're referring to for the movie examples?

guardrex moved this from Triage to P0/P1 - High Priority in Blazor.Docs on Jan 30, 2025
