Description
Summary
.NET 7 improved Blazor WASM's authentication back history behavior in pull #43954. The underlying issue was described in issue #43063 @javiercn
However, after testing the new implementation, I'm still not getting the desirable behavior: the back button returns to the previous page that does not require authentication.
Motivation and goals
Consider the following typical scenario:
- User is currently on contoso.com, an unprotected Blazor home page.
- User clicks a link on the page, contoso.com/protected, which is a protected Blazor page via `@attribute [Authorize]`
- The `app.razor` sees that this is a protected route, and redirects user to contoso.com/Authentication/login via the `RedirectToLogin` Blazor component.
- The authentication component in turn redirects the user to a 3rd party IDP login page, such as AAD B2C's contoso.b2clogin.com.
- Now user realizes this is a protected area, but decides not to sign up or login, and presses the back button, with the intent to go back to the unprotected contoso.com home page.
However, in reality, the back button brings the user to contoso.com/protected, which then redirects the user to /Authentication/login and finally the IDP login page again, still resulting in a loop.
I believe this is a bit better than the previous version, where the back button would bring the user to /Authentication/login which would trigger a failure message.
But I think it would be a much better experience if the new history state manager can store the URL the user was on before the protected page was requested that triggered authentication, and bring the user to that page accordingly when the back button is clicked.