dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

Blazor Standalone Webassembly - Unable to configure multiple IdP with Azure AD #41682

Open apsthisdev opened 2 years ago

apsthisdev commented 2 years ago

Is there an existing issue for this?

Is your feature request related to a problem? Please describe the problem.

I have a standalone client-side Blazor WebAssembly app hosted in Azure Static Web Apps.

Currently it's configured to authenticate with Azure AD using MSAL:

    // Add MSAL
    builder.Services.AddMsalAuthentication<RemoteAuthenticationState, PiRemoteUserAccount>(options =>
    {
        builder.Configuration.Bind("LoginAd", options.ProviderOptions.Authentication);

        // For Linux apps, specify the authority explicitly; see:
        // - https://github.com/dotnet/AspNetCore.Docs/issues/21228
        // - https://github.com/dotnet/aspnetcore/issues/25430
        // - https://github.com/dotnet/aspnetcore/issues/38082
        // Workaround from the last issue (csproj):
        //   <PropertyGroup><PublishTrimmed>false</PublishTrimmed></PropertyGroup>

        // The "common" authority accepts work, school and personal Microsoft accounts
        options.ProviderOptions.Authentication.Authority = "https://login.microsoftonline.com/common";

        options.ProviderOptions.LoginMode = "redirect";

        options.ProviderOptions.DefaultAccessTokenScopes.Add("openid");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("offline_access");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("profile");
        options.ProviderOptions.DefaultAccessTokenScopes.Add("email");

    }).AddAccountClaimsPrincipalFactory<RemoteAuthenticationState, PiRemoteUserAccount, ConsumerAccountFactory>();

This enables me to authenticate any Microsoft work, school or personal account using the standard auth routes:

    authentication/login
    authentication/logout

I need to add additional identity providers.

    builder.Services.AddAuthentication()
        .AddOpenIdConnect("idp1", options => { /* idp1 settings */ })
        .AddOpenIdConnect("idp2", options => { /* idp2 settings */ })
        .AddOpenIdConnect("idp3", options => { /* idp3 settings */ });

I can add these services in Program.cs, but how do I tell the Blazor engine to initiate authentication with a specific IdP?

Example: authentication/login/idp1

Describe the solution you'd like

The DI services enable adding multiple OpenID Connect IdPs; I want to pass some hint so that the Blazor WASM engine's authentication/login can initiate the authentication for a specific IdP.

Additional context

Visual Studio 2022, .NET 6.0.3, standalone Blazor WebAssembly, Azure Static Web App

javiercn commented 2 years ago

@ameyasubhedar thanks for contacting us.

This is not a feature that our current integration package supports. You'll have to create your own package/authentication workflow for this.

ghost commented 2 years ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

apsthisdev commented 2 years ago

@javiercn, to narrow the scope, I think at a minimum the Blazor WebAssembly authentication must support e.g.:

    authentication/login/aad
    authentication/login/ab2c

javiercn commented 2 years ago

@ameyasubhedar unfortunately that doesn't narrow the scope. Supporting 2 different authentication schemes/systems is the same as supporting 10. The design would need to be updated to support more than one IdP and that is where the cost is.

As I mentioned, this is not something we currently plan to support out of the box; if we see more requests for it, we might change our view, but for now it is something that you'll have to build yourself.

apsthisdev commented 2 years ago

@javiercn, thanks for the explanation. I was digging around more on this topic and found the Microsoft documentation on authentication and authorization for Blazor Webassembly deployed on Azure Static Web App.

For the paid tier it looks like Blazor WebAssembly authentication does support what I am looking for:

[image: screenshot of the linked Azure Static Web Apps authentication documentation]

A few questions for you?

lebar94 commented 11 months ago

Hello!

@apspi did you resolve the issue with multiple auth providers? Do you have any tips how to resolve it?

@javiercn you mentioned an "own package/authentication workflow"; can you elaborate more on this? Do you have any tips on how to implement that?

I have similar issue, I need to implement the support for MS, Google, FB and Apple accounts. Will this support be added in the near future?

ameyasubhedarats commented 11 months ago

@lebar94 : Try this https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-authorization?tabs=invitations

lebar94 commented 11 months ago

@ameyasubhedarats thanks! This would resolve my problem if I were able to use Azure. Besides that, I also need to add identity providers for Google, FB and Apple accounts, and from what I saw, that is not supported right now.

lebar94 commented 11 months ago

Please, could you help me? Any tips on how to code it? Samples? It could even be from the source code of the current support for only one identity provider ;).

ghost commented 6 months ago

We've moved this issue to the Backlog milestone. This means that it is not going to be worked on for the coming release. We will reassess the backlog following the current release and consider this item at that time. To learn more about our issue management process and to have better expectation regarding different types of issues you can read our Triage Process.

snathanail commented 3 months ago

Support for multiple logins by various providers (Facebook, Twitter, Google, Microsoft, ... ) is a core feature of a web framework; lack of it will discourage a lot of people from adopting Blazor WebAssembly.

Building our own authentication provider, while certainly possible, is not something that every dev will be able or willing to do.

I would humbly suggest you re-evaluate the priority of this feature, as in my opinion this is quite a big hurdle to overcome. If Microsoft wants to take on the likes of React and Angular, Blazor should support out-of-the-box some basic features, and this is one of them.

Just my 2¢.