Clarify auth plan for Blazor web project template

[SteveSandersonMS]

In recent discussions, it was unclear what is committed for delivery here. Will the new Blazor web project template have auth options? If so, which ones?

Is any other integration needed between Blazor fullstack with ASP.NET Core auth? Is there an IAuthenticationStateProvider in place that just works? Is this meant to have any integration with interactive server/WebAssembly components?

[JeremyLikness]

Tagging @javiercn and @halter73 who have been working on planning for this. The goal is to have auth options. I believe Stephen will be looking at this after he completes some template and API changes.

We need to design what makes sense for the new project given the flexibility for server and client-side rendering. Here's what we currently propose:

• Server

  • Individual accounts -> ASP.NET Core Identity, implement Blazor UI server rendered only, client rendered is stretch goal
  • Microsoft identity -> Azure AD / MSAL (no change)
  • Windows auth (no change)

• WebAssembly (no change)

  • Individual accounts -> OIDC client
  • Microsoft identity -> MSAL

I'll post updates here as we design the right solution for the new template.

[JeremyLikness]

This is our current server-scaffolded Identity UI for reference.

graph LR

A[Register] --> B[Login]
B --> C[Confirm Email]
C --> D[Forgot Password]
D --> E[Reset Password]
B --> F[External Login]
F --> G[External Provider]
G --> B
B --> H[Two-Factor Authentication]
H --> I[Recovery Code]
I --> J[Verify Phone]
H --> K[Setup Authenticator]
K --> L[QR Code]
K --> M[Manual Entry]
H --> N[Reset Authenticator]
N --> O[New Authenticator]
O --> K
B --> P[Lockout]
P --> Q[Unlock Account]
B --> R[Remember Me]
B --> S[Logout]
S --> T[Post Logout]
T --> B

Loading

• Register: The page where new users can create an account by providing their details.
• Login: The page where users can enter their credentials to authenticate and log in.
• Confirm Email: This page allows users to confirm their email address by clicking on a verification link sent to their registered email.
• Forgot Password: Users can enter their email address on this page to receive a password reset link via email.
• Reset Password: After clicking the password reset link, users land on this page to enter a new password.
• External Login: This page provides options for users to log in using external providers (e.g., Google, Facebook).
• External Provider: Represents the external provider (e.g., Google, Facebook) that handles the authentication process.
• Two-Factor Authentication: This page enables users to set up and manage two-factor authentication for their account.
• Recovery Code: Users can generate and manage recovery codes on this page for two-factor authentication.
• Verify Phone: This page allows users to verify their phone number for two-factor authentication.
• Setup Authenticator: Users can set up an authenticator app (e.g., Google Authenticator) for two-factor authentication.
• QR Code: This page displays a QR code that users can scan using an authenticator app for setup.
• Manual Entry: Users can manually enter a code from the authenticator app for setup.
• Reset Authenticator: This page allows users to reset their authenticator app and set up a new one.
• New Authenticator: Users can set up a new authenticator app after resetting the previous one.
• Lockout: If there are failed login attempts, this page displays a lockout message to the user.
• Unlock Account: This page allows users to unlock their account if it has been locked due to excessive failed login attempts.
• Remember Me: Users can choose to have their login session persisted by selecting the "Remember Me" option.
• Logout: Clicking on the logout button directs users to log out from the application.
• Post Logout: This page is shown after successful logout, indicating that the user has been logged out.

[danroth27]

When you have a Blazor Web App and you're using WebAssembly hosted components, we need some way to flow the authentication state to the browser. We could either, 1. Use the new Identity endpoints, or 2. Persist the authentication state into the page so that it can be extracted. @halter73 @javiercn What are your thoughts on this?

[danroth27]

We also want to have tooling support for scaffolding a default identity UI based on Blazor into an app and to setup authentication with the Microsoft Identity Platform via Add Connected Services. We should work with @vijayrkn and @sayedihashimi on this.

[danroth27]

We should consider renaming the "Individual user accounts" option on the Blazor WebAssembly (standalone) template as it won't be related to ASP.NET Core identity at all. Maybe "External identity provider"?