Blazor server single tab authentication with Microsoft.identity.web

Immutabl ltd 0 Reputation points
2023-04-08T12:42:13.8833333+00:00

I have a blazor server app with working authentication using microsoft.identity.web. When authenticated the app will automatically log in on multiple tabs in the browser, on multiple seperate browser instances and also after reopening the browser after it has been closed. I want authentication to be limited to the current browser tab only and not bleed across to other tabs or browser instances.

Blazor
Blazor
A free and open-source web framework that enables developers to create web apps using C# and HTML being developed by Microsoft.
1,411 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,767 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Bruce (SqlWork.com) 57,641 Reputation points
    2023-04-08T19:13:35.5266667+00:00

    the standard authentication works as follows. assume the blazor app has anonymous index pages and authenticated pages.

    1. the app hosting page uses javascript to open a signal/r connection to the server, passing any existing authentication cookie. if the cookie is found, the identity user is passed to the circuit state to be used for injection.
    2. the app navigates (internal) to a component that requires authentication. if the user identidy is not defined, the app uses javascript to close the connection and navigate to the the actual login page.
    3. the login page preform authentication, and sets the authentication cookie and redirects back to the page hosting the blazor app
    4. the blazor host page reads the cookie and uses javascript to restart the blazor app. note, that unless persisted the previous state is lost.

    as the cookie is only needed for a short amount of time, from the login page to the blazer startup, you can make it short duration (30 - 60 seconds). this will limit the reuse in new tabs.

    any fancier will require custom code. you could create a one time use ticket, passed n the cookie, and used in verification.

    0 comments No comments