Closed dazinator closed 2 years ago
You can intercept and alter the HTTP response in the `SignInCommandResultCreated` notification.
If you start altering that, make sure that the correlation cookie is properly stored in the browser and present when the response from the IdP is posted back.
Background context here: https://github.com/dotnet/aspnetcore/issues/23800#issuecomment-656070773
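The approach the maintainer describes above, written out as an added example that is not part of this issue or of the Sustainsys.Saml2 project: the server registers the SAML2 handler with a `SignInCommandResultCreated` callback that rewrites the challenge redirect into a 200 response carrying the IdP URL in a JSON body, and the Blazor WASM client reads that body and performs a real browser navigation instead of letting `HttpClient` follow the redirect through fetch. The `CommandResult` property names used here (`HttpStatusCode`, `Location`, `Content`, `ContentType`) and the `Action<CommandResult, EntityId>` shape of the notification are assumed from the library's public API; the entity IDs, metadata URL, the `/api/secure-action` endpoint and the `redirectTo` JSON field are placeholders.

```csharp
// Added example, not code from the issue author or from Sustainsys.Saml2.
// Server side: ASP.NET Core registration of the SAML2 handler.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Json;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components;
using Microsoft.Extensions.DependencyInjection;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Metadata;

public static class Saml2SpaRegistration
{
    public static IServiceCollection AddSaml2ForSpa(this IServiceCollection services)
    {
        services.AddAuthentication()
            .AddSaml2(options =>
            {
                // Placeholder SP and IdP identifiers; replace with real values.
                options.SPOptions.EntityId = new EntityId("https://sp.example.invalid/Saml2");
                options.IdentityProviders.Add(
                    new IdentityProvider(new EntityId("https://idp.example.invalid/metadata"), options.SPOptions)
                    {
                        MetadataLocation = "https://idp.example.invalid/metadata", // placeholder
                        LoadMetadata = true,
                    });

                // Assumed signature: Action<CommandResult, EntityId>.
                options.Notifications.SignInCommandResultCreated = (result, idpEntityId) =>
                {
                    // Only touch the redirect produced by the challenge; leave any other result alone.
                    if (result.Location == null)
                    {
                        return;
                    }

                    // Keep everything else on the result (in particular the correlation cookie the
                    // handler queued via SetCookieName/RequestState) so the cookie is still set on this
                    // 200 response and is sent back when the IdP POSTs the assertion to the ACS endpoint.
                    var redirectTo = result.Location.OriginalString;
                    result.Location = null;
                    result.HttpStatusCode = HttpStatusCode.OK;
                    result.ContentType = "application/json";
                    result.Content = JsonSerializer.Serialize(new { redirectTo });
                };
            });

        return services;
    }
}

// Client side (Blazor WASM): call the protected endpoint, and if the server answered with the
// rewritten 200 body, navigate the whole browser to the IdP instead of fetching it cross-origin.
public sealed class RedirectPayload
{
    public string RedirectTo { get; set; }
}

public static class SpaSignIn
{
    public static async Task<bool> PostAndFollowSaml2ChallengeAsync(HttpClient http, NavigationManager nav)
    {
        // Placeholder endpoint that triggers the SAML2 challenge on the backend.
        var response = await http.PostAsync("/api/secure-action", content: null);
        if (response.StatusCode != HttpStatusCode.OK)
        {
            return false; // not the rewritten challenge; let the caller handle it
        }

        var payload = await response.Content.ReadFromJsonAsync<RedirectPayload>();
        if (string.IsNullOrEmpty(payload?.RedirectTo))
        {
            return false; // an ordinary 200 from the endpoint, no sign-in needed
        }

        // forceLoad: true performs a full browser navigation, so the IdP request is a normal
        // top-level GET (no CORS involvement) and the correlation cookie set above is kept.
        nav.NavigateTo(payload.RedirectTo, forceLoad: true);
        return true;
    }
}
```

Two points worth checking when adopting this: the `redirectTo` value originates from the handler's own `Location`, never from request input, so the client-side navigation is not an open redirect; and the correlation cookie set on that 200 response must be accepted by the browser for a cross-site POST from the IdP to the ACS URL (`SameSite=None; Secure` over HTTPS), otherwise the handler cannot match the assertion's `InResponseTo` to the stored request state and will reject the sign-in.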
I am developing a Blazor WASM (SPA) application, with an ASP.NET Core backend, and have this SAML2 auth handler working nicely (thank you contributors, for your hard work). The issue I have found is, suppose you want to submit a POST request that causes the SAML2 auth handler to be `Challenged` on the back end.

If you do this with an ordinary HTML `form` submit, the SAML2 handler responds with a 302 redirect, the browser navigates the user to the IdP and all works great. I was using Blazor though, and using a `HttpClient` to submit the POST request to the server in response to a button click. The issue is that when a 303 response is received, the Mono HTTP handler used under the hood by `HttpClient` follows up on that by automatically sending a GET request using the browser's fetch API, which results in a CORS policy violation, as that's a cross-origin request to the IdP. Unfortunately, there doesn't seem to be a way to "turn off" this automatic GET request behaviour to follow redirects (at least, there is an option, but it is `PlatformNotSupported` on Blazor).

Do you think it would be viable to allow the SAML2 handler to be configured to respond in a different manner (i.e. no redirect status code), i.e. perhaps an OK status code with the content? Or would this be a security risk? I am thinking it would enable my SPA to receive the response at least, including the Location to be redirected to, and then it could trigger a proper browser navigation to that URL to redirect the user.