How to prevent access tokens being added on particular addresses?

[taylorchasewhite]

BaseAddressAuthorizationMessageHandler looks like it requires AccessTokens on any address that is within the base address.

Forgive me if this is described within and I missed it, but I am looking for how best to support certain server API routes being accessed without being logged in. How is this done?

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 9816eaee-5eff-c3c8-5d58-e2c02c760a00
• Version Independent ID: 60992d09-2a04-1d10-4c85-9642b20ff0e3
• Content: Secure an ASP.NET Core Blazor WebAssembly hosted app with Azure Active Directory
• Content Source: aspnetcore/security/blazor/webassembly/hosted-with-azure-active-directory.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @guardrex
• Microsoft Alias: riande

[guardrex]

support certain server API routes being accessed without being logged in

Configure a named HttpClient for it ...

https://docs.microsoft.com/en-us/aspnet/core/security/blazor/webassembly/additional-scenarios?view=aspnetcore-3.1#unauthenticated-or-unauthorized-web-api-requests-in-an-app-with-a-secure-default-client

[yv989c]

@taylorchasewhite You could also write your own AuthorizationMessageHandler, and be explicit on the urls that require authorization.

public sealed class CustomAuthorizationMessageHandler : AuthorizationMessageHandler
{
    public CustomAuthorizationMessageHandler(
        IAccessTokenProvider provider,
        NavigationManager navigation
        )
        : base(provider, navigation)
    {
        var authorizationRequiredUrls = new[]
        {
            getAbsoluteUrl("api/Product/"),
            getAbsoluteUrl("api/Account/")
        };

        ConfigureHandler(authorizationRequiredUrls);

        string getAbsoluteUrl(string relativeUrl)
        {
            return $"{navigation.BaseUri}{relativeUrl}";
        }
    }
}