the standard authentication works as follows. assume the blazor app has anonymous index pages and authenticated pages.
- the app hosting page uses javascript to open a signal/r connection to the server, passing any existing authentication cookie. if the cookie is found, the identity user is passed to the circuit state to be used for injection.
- the app navigates (internal) to a component that requires authentication. if the user identidy is not defined, the app uses javascript to close the connection and navigate to the the actual login page.
- the login page preform authentication, and sets the authentication cookie and redirects back to the page hosting the blazor app
- the blazor host page reads the cookie and uses javascript to restart the blazor app. note, that unless persisted the previous state is lost.
as the cookie is only needed for a short amount of time, from the login page to the blazer startup, you can make it short duration (30 - 60 seconds). this will limit the reuse in new tabs.
any fancier will require custom code. you could create a one time use ticket, passed n the cookie, and used in verification.