DuendeSoftware
diff --git a/‎BFF/v3/docs/content/fundamentals/blazor/_index.md‎
Lines changed: 4 additions & 6 deletions b/‎BFF/v3/docs/content/fundamentals/blazor/_index.md‎
Lines changed: 4 additions & 6 deletions
diff --git a/‎BFF/v3/docs/content/fundamentals/blazor/rendering-modes.md‎
Lines changed: 104 additions & 0 deletions b/‎BFF/v3/docs/content/fundamentals/blazor/rendering-modes.md‎
Lines changed: 104 additions & 0 deletions
diff --git a/‎BFF/v3/docs/content/fundamentals/options.md‎
Lines changed: 0 additions & 5 deletions b/‎BFF/v3/docs/content/fundamentals/options.md‎
Lines changed: 0 additions & 5 deletions
@@ -29,14 +29,12 @@ Blazor is very flexible in how it renders applications (and even individual comp
 
 These rendering modes are very powerful, but also add additional complexity when it comes to authentication and authorization. Any code that executes on the server can directly access local resources, such has a database, but code that executes on the client needs to through a local http endpoint (that requires authentication). Accessing external API's is also different between server and client, where the client needs to go through a proxy which performs a token exchange. 
 
+For more information on this, see [rendering-modes]({{< ref "/fundamentals/blazor/rendering-modes" >}})
 
-### Authentication State Providers
+### Authentication State
+The **AuthenticationState ** is contains information about the currently logged in user. This is partly populated from information from the user, but is also enriched with several management claims, such as the Logout URL. 
 
-Blazor uses AuthenticationStateProviders to make authentication state available to components. Depending on if a component is currently executing on the server or on the client, the implementation needs to be different. For this reason, the Duende BFF Security Framework contains two state providers: **BffServerAuthenticationStateProvider** and **BffClientAuthenticationStateProvider**. 
-
-On the server, the authentication state is already mostly managed by the framework. On the client, that's not the case. The **BffClientAuthenticationStateProvider** will poll the server to update the client on the latest authentication state, such as the user's claims. This also notifies the front-end if the session is terminated on the server. 
-
-Lastly, the authentications state providers also add the [management]({{< ref "/samples/bff" >}}) to the user's claims. 
+Blazor uses AuthenticationStateProviders to make authentication state available to components. On the server, the authentication state is already mostly managed by the authentication framework. However, the BFF will add the Logout url to the claims using the **AddServerManagementClaimsTransform**.  On the client, there are some other claims that might be useful. The **BffClientAuthenticationStateProvider** will poll the server to update the client on the latest authentication state, such as the user's claims. This also notifies the front-end if the session is terminated on the server. 
 
 ### Server Side Token Store
 
 
@@ -0,0 +1,104 @@
+---
+title: "Blazor Rendering modes"
+date: 2020-09-10T08:22:12+02:00
+weight: 10
+---
+
+Blazor supports [several rendering](https://learn.microsoft.com/en-us/aspnet/core/blazor/components/render-modes?view=aspnetcore-9.0#render-modes) modes:
+* **Static Server** - Static server-side rendering (static SSR)	
+* **Interactive Server** - Interactive server-side rendering (interactive SSR) using Blazor Server.	
+* **Interactive WebAssembly** - Client-side rendering (CSR) using Blazor WebAssembly.	
+* **Interactive Auto** - Interactive SSR using Blazor Server initially and then CSR on subsequent visits after the Blazor bundle is downloaded.	
+
+While these options give a lot of flexibility on how sites and components are rendered, it also provides some complexity. 
+
+It's important to understand that, if you use a rendering mode that uses WebAssembly (so InteractiveWebAssembly or Auto), that you're effectively building two applications. One is a server process that renders HTML, the other is a WASM application that runs in the browser. 
+
+If you have a component that's rendered both on the server AND on the client, then you effectively need to make sure that all the services it requires are available both on the server AND on the client. 
+
+## Fetching data from local APIs
+
+If your BFF application can directly access data (for example from a database), then you have to decide where this information is rendered. 
+
+For server side rendering, you'll typically abstract your data access logic into a separate class (such as a repository or a query object) and inject this into your component for rendering. 
+
+For web assembly rendering, you'll need to make the data available via a web service on the server. Then on the client, you'll need a configured HTTP client that accesses this information securely. 
+
+When using auto-rendering mode, you'll need to make sure that the component get's a different 'data access' component for server rendering vs client rendering. Consider the following diagram:
+
+![local api's](../../../images/bff_blazor_local_api.svg)
+
+In this diagram, you'll see the example **IDataAccessor** that has two implementations. One that accesses the data via a HTTP client (for use in WASM) and one that directly accesses the data. 
+
+The data is also exposed (and secured by the BFF) via a local api. 
+
+Below is an example of registering an abstraction 
+
+``` csharp
+// Setup on the server
+
+// Register the server implementation for accessing some data
+builder.Services.AddSingleton<IDataAccessor, ServerDataAccessor>();
+
+// Register an api that will access the data
+        app.MapGet("/some_data", async (IDataAccessor dataAccessor) => await dataAccessor.GetData())
+            .RequireAuthorization()
+            .AsBffApiEndpoint();
+
+// Create a class that would actually get the data from the database
+internal class ServerWeatherClient() : IDataAccessor
+{
+    public Task<Data[]> GetData()
+    {
+        // get the actual data from the database
+    }
+}
+
+```
+
+``` csharp
+// setup on the client
+
+// Register a http client that can access the data via a local api. 
+builder.Services.AddLocalApiHttpClient<DataAccessHttpClient>();
+
+// Register an adapter that would abstract between the data accessor and the http client. 
+builder.Services.AddSingleton<IDataAccessor>(sp => sp.GetRequiredService<HttpClientDataAccessor>());
+
+internal class HttpClientDataAccessor(HttpClient client) : IDataAccessor
+{
+    public async Task<Data[]> GetSomeData() => await client.GetFromJsonAsync<Data[]>("/some_data")
+                                                                  ?? throw new JsonException("Failed to deserialize");
+}
+
+``` 
+
+## Fetching data from remote APIs
+
+If your BFF needs to secure access to remote api's, then your components can both directly use a (typed) **HttpClient**. How this HttpClient is configured is quite different on the client vs the server though. 
+
+
+* On the **Client**, the http client needs to be secured with the authentication cookie and CORS protection headers. This 
+then calls the http endpoint on the server. 
+
+* On the **Server**, you'd need to expose the proxied http endpoint. This then uses a http client that's configured to send access tokens. These may or may not contain a user token. 
+
+This diagram shows this in more detail:
+
+![remote api's](../../../images/bff_blazor_remote_api.svg)
+
+``` csharp
+// setup on the server
+
+app.MapRemoteBffApiEndpoint("/remote-apis/user-token", "https://localhost:5010")
+
+builder.Services.AddUserAccessTokenHttpClient("callApi",
+    configureClient: client => client.BaseAddress = new Uri("https://localhost:5010/"));
+
+
+```
+
+``` csharp
+// setup on the client
+builder.services.AddRemoteApiHttpClient("callApi");
+```
@@ -168,9 +168,4 @@ builder.Services.AddBffBlazorClient(opt =>
 * ***WebAssemblyStateProviderPollingInterval*** 
     The delay, in milliseconds, between polling requests by the
     BffClientAuthenticationStateProvider to the /bff/user endpoint. Defaults to 5000
-    ms.
-
-* ***ServerStateProviderPollingInterval*** 
-    The delay, in milliseconds, between polling requests by the
-    BffServerAuthenticationStateProvider to the /bff/user endpoint. Defaults to 5000
     ms.