
Blazor Auth: Replace history entry on navigating to IdP login/register endpoints to avoid navigation cycle #43063


Closed
1 task done
yugabe opened this issue Aug 3, 2022 · 5 comments
Labels: area-blazor, bug, feature-blazor-wasm

Comments

@yugabe

yugabe commented Aug 3, 2022

Is there an existing issue for this?

  • I have searched the existing issues

Is your feature request related to a problem? Please describe the problem.

I set up my Hosted Blazor WASM application to use Azure B2C following the official guidelines and using a sign up or sign in user flow.

When a user navigates to the authentication/login endpoint (for example, by clicking a link), the history entry for the source URL will be replaced. As the B2C UI doesn't show a link back to the application and the history entry essentially gets rewritten, there is no way to get back to the app without the user either completing a log in OR by typing in a URL in the browser address bar.

Describe the solution you'd like

When a user navigates to the authentication/login or authentication/register endpoints (or triggers these actions another way), the source URL of where they navigated from should be stored in the browser's history stack, so that they can go back to the page they came from if they don't wish to complete the sign in/sign up user flow.

Additional context

When a user goes from / to authentication/login, they get redirected to the IdP login page. Pushing the browser's "back" button gets them to authentication/login, which once more redirects them to the IdP login page. The browser's history for this tab at this point will be empty and there will be no way to navigate back to the app without completing the log in flow unless the user types a URL in the address bar.

If the originating URL were stored in history instead of the page that is redirecting to the IdP, the user would be able to go back to the / page of the application.

@javiercn javiercn added area-blazor Includes: Blazor, Razor Components feature-blazor-wasm This issue is related to and / or impacts Blazor WebAssembly labels Aug 3, 2022
@javiercn
Member

javiercn commented Aug 3, 2022

@yugabe thanks for contacting us.

We replace the history entry because the way this works is: From / we always navigate you to authentication/login which automatically starts the login process, which can end in two outcomes:

  • Succeeds: You get redirected back to / or where you came from.
  • Fails before redirect: You are sent to authentication/login-failed.
  • Fails after redirect, when you hit the back button, you want to end up in / or where you were, not in /authentication/login. Otherwise, you end up in an infinite redirect loop.

@yugabe
Author

yugabe commented Aug 3, 2022

Thanks @javiercn for the timely reply.

It might have been unclear, but this is not exactly how it plays out. The success and failure branches are okay.

From the IdP, when you press the back button, you get redirected to authentication/login, which in turn redirects you back to the IdP and replaces the previous history entry. Thus, you are unable to navigate back to / using the back button even if you wanted to, because that entry is overwritten. If this is not working as designed, this may rather be a bug than a feature request.

I think when navigating from /wherever-in-app to /authorization/login, which in turn redirects to the IdP, the user should be able to press the back button to go back to /wherever-in-app. Currently, it navigates back to /authorization/login, which is undesirable and if I understand right, incorrect.

@javiercn
Member

javiercn commented Aug 3, 2022

@yugabe I think if I remember correctly, we didn't have the choice to do the redirect in msal at the time. I believe the option is there now, so we'll likely be updating that to make sure we replace the history entry.

Ok, so the behavior is that today for AAD and B2C we don't replace the history entry, and we SHOULD replace it, so that you do not end up in /authentication/login when you press the back button.

@yugabe
Author

yugabe commented Aug 3, 2022

> Ok, so the behavior is that today for AAD and B2C we don't replace the history entry, and we SHOULD replace it, so that you do not end up in /authentication/login when you press the back button.

That is correct -- as per my experiments at least, that's what I'm experiencing.

@mkArtakMSFT mkArtakMSFT changed the title from "Blazor Auth: Don't replace history entry on navigating to IdP login/register endpoints" to "Blazor Auth: Replace history entry on navigating to IdP login/register endpoints to avoid navigation cycle" Aug 3, 2022
@mkArtakMSFT mkArtakMSFT added this to the 7.0-rc2 milestone Aug 3, 2022
@danroth27 danroth27 added the bug This issue describes a behavior which is not expected - a bug. label Aug 24, 2022
@javiercn
Member

#43954

@ghost ghost locked as resolved and limited conversation to collaborators Oct 15, 2022
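
The navigation cycle discussed in this thread, as an added JavaScript example that is not part of the original issue or of the ASP.NET Core code: a simplified model of one tab's session history that compares pushing a new entry for the IdP redirect with replacing the authentication/login entry. `TabHistory`, `runLoginRoute`, `simulate` and the IdP address are hypothetical names chosen for illustration.

```javascript
// Simplified model of one browser tab's session history (constructed example).
const LOGIN_ROUTE = "/authentication/login";
const IDP_URL = "https://idp.example/authorize"; // placeholder IdP address

class TabHistory {
  constructor(startUrl) {
    this.entries = [startUrl];
    this.index = 0;
  }
  get current() { return this.entries[this.index]; }
  // Push: drop forward entries, then append (the effect of location.assign).
  push(url) {
    this.entries = this.entries.slice(0, this.index + 1);
    this.entries.push(url);
    this.index++;
  }
  // Replace: overwrite the current entry (the effect of location.replace).
  replace(url) { this.entries[this.index] = url; }
  back() { if (this.index > 0) this.index--; }
}

// The login route starts the sign-in redirect as soon as it is loaded.
function runLoginRoute(tab, replaceOnRedirect) {
  if (tab.current !== LOGIN_ROUTE) return;
  if (replaceOnRedirect) tab.replace(IDP_URL); else tab.push(IDP_URL);
}

// The user follows a login link on startUrl, then presses Back on the
// IdP page backPresses times without signing in.
function simulate(startUrl, replaceOnRedirect, backPresses) {
  const tab = new TabHistory(startUrl);
  const landedOn = [];
  tab.push(LOGIN_ROUTE);
  runLoginRoute(tab, replaceOnRedirect);
  for (let i = 0; i < backPresses; i++) {
    tab.back();
    landedOn.push(tab.current);            // where Back took the user
    runLoginRoute(tab, replaceOnRedirect); // redirects again if it is the login route
  }
  return { landedOn, finalUrl: tab.current, entries: tab.entries };
}

console.log("push:   ", simulate("/", false, 3));
console.log("replace:", simulate("/", true, 1));
```

With a pushed redirect every Back press lands on the login route and the tab ends on the IdP page again; with a replaced entry the first Back press returns to the originating page.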